Boxes in a warehouse
Image: Zapp2Photo/Shutterstock

With cybercrime on the rise, many companies fall victim to viruses and malware that are passed to them by vendors and business partners.

Until now, there hasn’t been a clearcut strategy that addresses this. But, now there are new third party risk assessment strategies, services and tools that can help identify security “weak points” in your company’s supply chain.

Is now the time to invest in them?

Why supply chain vendors pose security risks

In 2021, BlueVoyant, a cybersecurity provider, reported that 98% of organizations it had surveyed said they had been impacted by a supply chain security breach. And in 2022, in a global study of 1,000 chief information officers, 82% of respondents said their organizations were vulnerable to cyberattacks that targeted their supply chains.

SEE: Microsoft wants to help you avoid supply chain problems (TechRepublic)

There are many reasons for these statistics and concerns. The most prominent are:

  • The sheer size of company supply chains, which can contain as many as hundreds of thousands of suppliers for a single company
  • Differing cybersecurity requirements from country to country
  • Lack of supplier readiness, awareness and resources for sound cybersecurity practices
  • Lack of awareness of supplier security in departments like purchasing, which often issue supplier requests for proposals that fail to stipulate the security requirements for doing business with the company.

What risk management steps can you proactively take to minimize supplier security breaches?

Step up your policies for increased supply chain security

To safely secure your supply chain, you should start with a supplier audit. Who are your riskiest suppliers? Do they provide mission critical components that your company would be hard-pressed to replace if their businesses failed or were disrupted?

Place security in supplier RFPs

Corporate departments, like purchasing, that issue RFPs to suppliers focus on types, quality and delivery timeframes of the components they order. Security might not get written into RFPs at all — and it’s time to change that thinking.

Companies should insist on including security as a condition of doing business with their suppliers. If there is a unique, mission-critical supplier that doesn’t have the resources to meet security requirements, a plan should be developed where the company can assist this supplier in becoming security-compliant. These companies also annually audit suppliers for security to assure improvements are being made.

Elevate supply chain risk management awareness in your organization

IT is continually involved with security, so there can be a tendency to think other C-level executives, including the CEO, also share that same security consciousness. That isn’t always the case.

The CIO should make it a point to visit with other members of executive management as well as the board. The goal is to ensure everyone is fully on board with a robust security implementation and the necessary financial investment needed to support and maintain it.

On an annual basis, a “State of the State” presentation about corporate security and risk management should be delivered to the board and C-level management.

Implement supply chain security tools

In addition to providing education to providers, departments, and leaders, IT can also use software to improve the security of the supply chain.

Software frameworks for vendor assessment

Commercial software is available that provides security questionnaire templates you can customize as you formulate your own security questionnaires for suppliers. Input from these questionnaires enables you to identify your most at-risk security suppliers.

Digital twin supply chain simulations

Supply chain digital twin software enables you to digitally model your entire supply chain, so you can simulate different supply chain risk scenarios.

Artificial intelligence (AI)

Companies use AI to plan supply chain routes and to predict adverse weather, natural disaster and even political issues, so they can develop contingencies for these potential disruptors. The good news is that there are a number of commercial supply chain risk management systems that do this, so you don’t have to develop supply chain risk AI from scratch.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday