How to protect your organization from security threats across your supply chain

A full 97% of people surveyed by BlueVoyant said they’ve been impacted by a security breach that occurred in their supply chain.

Supply chain concept

Image: Busakorn Pongparnit/Moment/Getty Images

Defending your organization from cyberattacks that directly target you is difficult enough. But protecting yourself against attacks that hit you through your supply chain is even more of a challenge. How do you combat something over which you seemingly have little or no control? A report by cybersecurity provider BlueVoyant looks at supply chain security breaches and offers tips on how to prevent them.

SEE: Vendor management & selection policy (TechRepublic Premium)

More about cybersecurity

Released on Tuesday, the report titled Managing Cyber Risk Across the Extended Vendor Ecosystem is based on a survey of 1,200 CIOs, CISOs and chief procurement officers in large organizations throughout the U.S., the U.K., Canada, Germany, the Netherlands and Singapore.

Commissioned by BlueVoyant and conducted by research firm Opinion Matters, the survey found that 97% of the respondents were hurt by a security breach that took place in their supply chain. Further, some 93% of those surveyed said their companies suffered a security breach themselves due to a weakness in a supply chain partner or third-party vendor.

As a result, supply chain threats have received a renewed focus. Last year, 31% of the respondents said that supply chain and third-party risks were not a priority. This year, only 13% of those surveyed said that this type of risk was not on their radar. But a greater focus on supply chain threats doesn’t automatically make them easier to detect.

Among the respondents, 38% said they have had no way of knowing when or if a security issue occurs with a third-party vendor. Some 41% revealed that if they had discovered an issue and informed their supplier, they would be unable to confirm whether or not the problem had been resolved.

This year has seen a number of cyberattacks and exploits that affected supply chain partners. A vulnerability in Microsoft Exchange exploited by a China-based group impacted thousands of companies with Exchange servers. The ransomware attack against Colonial Pipeline hurt fuel suppliers across the East Coast. And the ransomware incident against enterprise IT firm Kaseya trickled through to more than 1,000 organizations.

To help you better manage and respond to supply chain threats, BlueVoyant offered the following recommendations:

  • Gain more visibility into your supply chain partners. Supply chains are large and complex, so gaining full visibility into their activities is a challenge. But you still need to understand your third-party vendors, including those beyond the first tier or the ones deemed most critical. To reduce the risks, build support for suppliers into your third-party risk management program. Inform the vendor when new threats pop up and provide practical steps to help them solve the problem. Make sure you support the vendor through the entire process, including problem resolution.
  • Continuously monitor your supply chain. Many supply chain attacks triggered through security vulnerabilities occurred after those vulnerabilities were patched by the vendor but before customers got around to applying them. Auditing or assessing your supply chain every few weeks or months is not enough to stay ahead of cybercriminals. Instead, you need a continuous method of monitoring and a way to quickly react when serious security flaws are discovered across your supply chain. For this, you may need to automate your risk analysis and expand its coverage to include more than just a limited number of critical suppliers.
  • Determine who owns third-party cyber risk. Those surveyed gave a range of answers as to who is responsible for third-party security risks. You need to define this role at the executive level otherwise you’ll be hard pressed to coordinate resources and develop clear strategies.
  • Improve cybersecurity education and training for vendors. Many suppliers are unaware of their cyber risk and don’t set up the necessary training or security protocols. This is where you may be able to step in. Just as you educate your employees on cybersecurity, you might also need to educate your supply chain vendors in a similar way.

 Also see