Securing your supply chain – five steps forward


As supply chains become increasingly interconnected, so too does the data that runs through them, and with it the potential for increased risk exposure. A supply chain may involve five, six or more parties, which makes it attractive to cyber attackers looking for a ‘way in’ to your business. If cyber attackers can infiltrate just one supplier in your ecosystem, they can gain easy access to your information and to that of the other organizations in it.

About the author

Martin Tyley, Head of UK Cyber, KPMG.

It might seem obvious that cyber security measures are needed, but putting them in place is not always simple. As supply chains reach further, get more complex, and become increasingly data heavy, it can be harder to know whether adequate controls to protect data are in place at every step. As enterprises continue to give precedence to digital transformation, the sharing of data will only become more entrenched and multifaceted. Regulatory standards and jointly agreed-upon security frameworks can help decrease the impact of third-party cyber threats, but there are circumstances where these complex ecosystem structures have no clear guidelines for establishing adequate controls to protect data, leaving the entire network vulnerable to cyberattacks.

Vetting processes to check the security levels of suppliers are often inconsistently applied, and can be manual and cumbersome. It is easy to assume that if another company in your industry already uses a particular supplier, that supplier’s security must be ‘up to standard’, when in fact no due diligence may have been done at all.

The good news is that organizations are starting to prioritize their supply chain cyber security and recognize their role in uplifting security in their ecosystem. KPMG’s 2021 UK CEO Outlook Survey found that 81 per cent of leaders said that protecting their partner ecosystem and supply chain is just as important as building their own organization's cyber defenses. 

If you are looking to transform your organization's supply chain security, here are five key steps to take:

1. Use existing risk and control frameworks

Regulations around cyber security are increasing, with examples such as Europe’s NIS Directive showing how organizations are expected to look both internally and externally at their cyber security policies. This approach is particularly essential for high-risk industries such as energy, healthcare and financial services, and it needs input from every level of the business, from the boardroom to the front line, to ensure it is fit for purpose. Being familiar with regulations, and working to meet them, is a good way to instill best-practice cyber security in-house, while also giving you a benchmark against which to measure the efforts of your suppliers.

2. Think of the industry ecosystem

When increasing supply chain security, it helps to look at cyber security at an ecosystem level rather than thinking only about your own organization. Within an industry, many organizations share the same suppliers, so lifting your own standards and encouraging those in your network to meet regulatory criteria serves the collective interest of your industry’s future. Resilient suppliers help to support a resilient industry.

3. Embrace AI and machine learning

Automation and Artificial Intelligence (AI) capabilities can support cyber security efforts in your own organization and across your supply chain. The volume of information captured is substantial, so anything that takes the manual work out of your third-party risk management, detects shadow-IT issues and improves oversight of third-party SaaS products will substantially help you understand how well you are protected.

4. Take advantage of continuous controls monitoring (CCM)

CCM moves security assessments away from point-in-time activities and instead provides automated, regular checkpoints over time. These assessments could be daily, weekly or monthly according to the risk level and value of what is being monitored. This regular assessment approach can show when changes occur, and can help to compare data and trends over time. It helps to shift security from a compliance-focused approach to an operational, ‘business-as-usual’ focus. It requires less human input, and enables corrective measures to be taken closer to real time.
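As an added illustration of the CCM approach described above (example code written here, not from the article or from KPMG): a small Python pass that schedules checkpoints by supplier risk tier, diffs consecutive assessments to surface control drift, and flags a regressing compliance trend. The control names, risk tiers, cadences and supplier snapshots are constructed assumptions, not data from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Checkpoint cadence per supplier risk tier: daily, weekly or monthly (constructed).
CADENCE_DAYS = {"high": 1, "medium": 7, "low": 30}
# Required control states; the control names are hypothetical, not from the article.
REQUIRED = {"mfa_enforced": True, "patch_sla_days": 14, "tls_min_version": "1.2"}

@dataclass(frozen=True)
class Assessment:
    supplier: str
    taken: date
    controls: dict  # control name -> value observed at this checkpoint

def next_due(last: Assessment, risk_tier: str) -> date:
    """Date of the next automated checkpoint for the supplier's tier."""
    return last.taken + timedelta(days=CADENCE_DAYS[risk_tier])

def control_drift(previous: Assessment, current: Assessment) -> dict:
    """Controls whose observed value changed between consecutive checkpoints."""
    names = set(previous.controls) | set(current.controls)
    return {n: (previous.controls.get(n), current.controls.get(n))
            for n in names if previous.controls.get(n) != current.controls.get(n)}

def compliance_trend(history: list) -> list:
    """Number of required controls met at each checkpoint, oldest first."""
    return [sum(1 for k, v in REQUIRED.items() if a.controls.get(k) == v)
            for a in history]

def review(history: list, risk_tier: str, today: date) -> dict:
    """One CCM pass: overdue checkpoint, drifted controls, regressing trend."""
    ordered = sorted(history, key=lambda a: a.taken)
    trend = compliance_trend(ordered)
    drift = control_drift(ordered[-2], ordered[-1]) if len(ordered) > 1 else {}
    return {
        "overdue": today > next_due(ordered[-1], risk_tier),
        "drift": drift,
        "trend": trend,
        "regressed": len(trend) > 1 and trend[-1] < trend[-2],
    }

# Constructed sample: two daily snapshots of one high-risk supplier.
HISTORY = [
    Assessment("acme-logistics", date(2021, 11, 1),
               {"mfa_enforced": True, "patch_sla_days": 14, "tls_min_version": "1.2"}),
    Assessment("acme-logistics", date(2021, 11, 2),
               {"mfa_enforced": True, "patch_sla_days": 30, "tls_min_version": "1.2"}),
]
```

Running `review(HISTORY, "high", today)` two days after the last snapshot reports the checkpoint as overdue, shows the patch SLA drifting from 14 to 30 days, and marks the trend as regressed, which is the kind of near-real-time signal a point-in-time assessment would miss.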

5. Active building of ecosystem security

If you are a larger and better-resourced organization, there is potential to take a ‘capacity-building’ approach to supply chain security. This means applying security measures to protect your broader ecosystem in addition to your own environment. This can be especially important if you engage with SMEs that may not have the budget for a truly robust approach to cyber security. There is also the potential to collaborate with other organizations on threat monitoring and defense strategies, making the supply chain even harder for cyber attackers to break into.

In summary

We’ve observed over the last year that supply chain security regularly fails to give senior stakeholders in organizations the answers they require, and it’s time for CISOs to look beyond the boundaries of their organization to solve it.

The need for supply chain security will only grow as cyber attackers get savvier. Focusing on regulation as the baseline, taking an internal and external view of risk, embracing technology tools, and being open to collaboration with other organizations on security issues all make the goals of cyber attackers much more difficult to meet.
