How Individual Organizations Can Help Protect the Supply Chain
A supply chain is only as strong as its weakest link. Many of us were reminded of that fact during the pandemic, when everyday items that had always been readily available, like toilet paper, started to disappear from stores.
Even with those days now largely behind us, scattered supply chain disruptions have persisted, most recently this past winter, when the price of eggs increased suddenly in response to a temporary shortage.
While supply chains are inherently fragile, and it’s impossible to fully control every variable that might affect them, there is one glaring area of weakness that has seen a troubling rise in recent years: the rise of supply chain cyberattacks.
According to a study published by NCC Group, supply chain cyberattacks jumped 51 percent in 2021. One particular incident from that year demonstrated the widespread havoc that a single attack has the potential to create. Kaseya, an IT solutions developer, became the victim of a ransomware attack, which consequently also put the thousands of clients using its MSP (managed service providers) at risk and caused a wave of disruption rippling out across those companies.
As formerly manual tasks have been gradually automated, partners and vendors are sharing data like never before, exponentially increasing the risk of sensitive information being compromised. Addressing this growing problem requires a shift in mindset by organizations. Rather than looking for ways to transfer risk and reduce a company’s financial exposure in the event of an attack, it’s crucial for leaders to start looking at what they can do independently to bolster their cyber resiliency. Here are three steps they can take:
1. Understand it’s not a question of if, but when.
It’s easy to shrug off the risk of a cyberattack until it happens to you. Every organization should start with the assumption that their probability of eventually being the victim of cybercrime is 100 percent. If you’re a leader, think about the potential impact of that event on your business. Is this acceptable to you, your employees and the people who are recipients of your service? Probably not. Now you have a starting point.
2. Assess your level of risk.
Once you’ve adopted the mindset that a cyber attack is inevitable, the next step is to take an honest appraisal of your organization’s vulnerability to the types of threats it will face. Every system has them, and you can be assured that cyber criminals will find out what yours are if you don’t get there first. Leaders, either with the help of a third party or by using a publicly available guide from places like the Cybersecurity and Infrastructure Security Agency (CISA), should make a comprehensive checklist of questions to ask, including where your information is stored, who has access to it, how secure your controls are and — crucially — how well you’re able to monitor user activity and suspicious behavior.
Then, take it a step further. It’s not possible to completely eliminate risk, but you can rank your critical assets, seek to understand all the elements that are required for them to function and start digging. Where you see vulnerabilities upstream, start tackling them one by one. Remember that supply chain risk is programmatic and resiliency needs to be your goal. You may decide to lower the criticality of a particular component provider by having other options, making different decisions about where things happen, or simply putting in better monitoring so you can flex rather than break.
In assessing where to start, examine how each of these areas would impact your organization if they were to be exploited. Could a breach prevent employees from accessing your system and doing their work? What effect would that have on your ability to serve clients? What do they depend on you for, and how would that affect their own business continuity?
3. Open a dialogue with your vendors.
In many ways, our system is built on implicit trust. While each organization wants to believe that its vendors and other business partners have a comparable level of cyber readiness, it never hurts to verify. In fact, it's incumbent on all responsible companies to do so. Using a guide such as this one from CISA, start a conversation with your vendors to understand where their gaps in security might be and how those can be addressed.
In recent years, data loss considerations have often been managed through the purchase of cyber insurance, which can protect a business financially in the event of a cyberattack. However, this strategy doesn’t help other businesses down the supply chain, or consumers who might have an urgent need for a product that's unavailable either temporarily or for a longer duration.
It’s important to remember that we’re all in this together — government regulators, cybersecurity vendors, organizations that provide functions, and the general populace. We need to foster a collective defense mindset across our supply chains by looking at best practices and making them the standard. If broadly adopted, any ensuing cost will be baked into competitive pricing, so any increase in cost that end users experience would be moderate. By taking responsibility for their own piece of the supply chain, organizations can increase its resiliency and security for us all.
Jeffrey Engle is the chairman and president of Conquest Cyber, a cybersecurity company.
Related story: 3 Cybersecurity Trends Shaping Retail in 2023