According to the World Economic Forum’s (WEF) most recent Annual Cyber report, 90% of business and cyber leaders are concerned about the cyber resilience of third parties. And considering 54% of organizations report experiencing a breach through a third party, these concerns are justified.
Governments globally are equally concerned about supply chain risks. The Solarwinds attack catalyzed government interest in supply chain risk, and the more recent 3CX supply chain attack underscores how serious and how varied risks are.
With the Biden Administration’s recent release of its National Cybersecurity Strategy, multiple sector risk management agencies have already begun promulgating new requirements to measure, report, and manage third-party risk.
In Europe, the evolving Cybersecurity Resilience Act will place new requirements on providers to document vulnerabilities in products. And in France, a new cyberscore law will require Internet-facing platform companies to disclose “report cards” on cyber resiliency based on third-party audits of systems and processes.
For organizations of all sizes and in all industries to gain trust and build cyber resilience, they need a simple way to measure and quantify the cyber risk of any organization in the world, including partners, contractors, third- and fourth-party vendors in their supply chains.
With this insight, organizations can identify cyber risks posed by all suppliers and make informed decisions to help their business partners strengthen their own cyber defenses.
We've featured the best online cybersecurity courses.
Brendan Peter is Vice President of Global Government Affairs at SecurityScorecard.
Determine your third-party risk management program’s maturity
A useful exercise for any organization is to conduct an unbiased view of the maturity of your third-party program. The following baseline quiz is useful for organizations that are just beginning their journey:
1. Does your organization have fully built-out and updated third-party risk management (TPRM) policies and procedures?
2. Does your TPRM program have a dedicated person to manage vendors?
3. Are vendor questionnaires sent out and tracked through a platform, not spreadsheets?
No two organizations' TPRM programs are the same; however, most are at a level where they are moderately managing vendor risk. Whether your TPRM program is non-existent or mature, there’s always more that your organization can do to mitigate third-party risk.
Organizations whose TPRM programs are still evolving should begin the process of building a more robust posture by taking the following steps:
Identify business goals and objectives of managing third-party vendors to create a more formal TPRM program.
Develop or re-evaluate policies and procedures based on best practices.
Choose a process or security assessment platform for sending and receiving responses to questionnaires that helps you assess risk in your vendors and partners.
Understand how and what to report to business leaders to show value and maintain the forward momentum of the TPRM program.
Treat supply chain cybersecurity as an organization-wide priority
Cybersecurity in the supply chain goes beyond being solely an IT concern. It extends its reach across various functions within the entire enterprise, necessitating a collaborative approach to effectively tackle cyber supply chain risks.
It's important to recognize that breaches seldom occur due to technology failures; rather, they primarily stem from human errors. No matter how advanced your IT security systems are, they will only protect you if employees are on-board and follow cybersecurity practices.
A good approach to achieving cyber resilience is to stop differentiating cybersecurity and physical security. In today’s threat landscape, both of these worlds are intertwined. A lapse in physical security can lead to a cyber attack and vice-versa.
Cyber supply chain best practices
Protecting your supply chain is a full-time job. Here are some best practices you can implement now to minimize risk in your business ecosystem:
Include security requirements in every contract. This way, you will have a way out if a vendor or supplier fails to follow basic security protocols.
Conduct security assessments for every vendor. Once a vendor is accepted, work with them to address vulnerabilities and security gaps.
Strict control over service vendor access. Hardware vendors should be limited to interacting with mechanical systems and not granted access to control systems. All vendors should undergo authorization processes and closely escorted during engagements.
Harness tools to boost your supply chain cyber resilience
Supply chain cybersecurity encompasses a vast landscape of numerous potential risks and threats that demand our attention. With dozens, if not hundreds, of third and fourth parties in your supply chain, you can’t expect a small security team to stay on top of all potential threats.
As your organization matures in its approach to managing supply chain risk, leveraging automation and continuous monitoring will become vital to measuring and reporting your risk posture both internally and externally. This will reduce the need for human intervention and minimize the risk of error.
No matter where your organization is in the process of managing vendor risk, you can’t let your guard down.
