On 15 February, teissTalk host Tom Langford was joined by Edd Hardy, Director, Cyber and Risk, AlixPartners, and Jean Carlos, VP of Information Security, AutogenAI.
Views on news
Bank of America has warned customers of a leak of their sensitive data that occurred due to a ransomware attack that breached the environment at technology partner Infosys McCamish Systems (IMS) last autumn. At least 57,028 customers were affected in the breach, which occurred "when an unauthorized third party accessed IMS systems." Sadly, there is nothing unusual about this news: it has all the staples – a bank, ransomware and a third party. The cyber security industry has been flagging up third-party risk for about a decade now. In these cases, however, it’s usually not the third party that suffers the reputational damage but the big company. Here, the advice that “if you get the basics right nothing major can happen” doesn’t hold true. In sprawling supply chains (a frozen lasagna manufacturer alone has 100-plus suppliers), breaches like this do happen; the only question is whether the company in the middle of the supply chain notices them, and whether it then decides to remediate them.
Third parties usually get screened at onboarding but not beyond that. The emerging alternative-supplier model further increases cyber risk, as the attack surface grows with every additional company integrated into the ecosystem. What the business does next, once it has learnt where the vulnerabilities in its supply chain lie, is also crucial.
Can AI address the complexity issue of supply chains?
Adding AI solutions to their systems exposes businesses to additional risks. AI can do an excellent job of mapping out networks and making supply chains transparent, but that’s just a preliminary step. Another problem is that cyber security teams can’t communicate cyber risk properly and compellingly to boards. Sometimes existing risks are played down to show the board that the cyber security team is in control.
In the pre-AI era, companies shared their concerns about a supplier with its other clients informally; AI takes this kind of information sharing and flagging up of dangers to the next level. Ongoing monitoring of critical suppliers is a must these days, not just a nice-to-have. One way of monitoring suppliers is asking for their security logs; another is requesting their SBOM (Software Bill of Materials), now a key building block in software security and software supply chain risk management, though typically only large organisations can afford it. Approving the use of new AI technology can sometimes take several months or even half a year, which slows things down and can lead to competitive disadvantage in a fast-moving market. The opaque provenance of AI models is another factor that may put businesses off working with them. A concern with GenAI models is that a business’s sensitive data may leak out after the model has been tweaked on it. Without transparency, it’s hard to tell why exactly a model is suggesting that one supplier should be replaced with another. While smaller organisations can’t help but trust their suppliers for lack of resources, big organisations tend to sit at the too-cautious end of the spectrum.
The panel’s advice
You need processes and strategy to manage third-party risk.
AI will help you reduce your supply chain risks but won’t solve all your problems.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543