The Expert View: Mitigating the cyber-risks in your digital supply chain

Sponsored by Panorays

Cyber-risk from the supply chain can extend to fourth parties and beyond, but what can companies do? A group of senior executives discussed solutions.

While third-party risk is a common term in regulated sectors, it might make more sense to talk of overall supply chain risk, said Dov Goldman, VP Risk Strategy at Panorays. Introducing a TEISS Breakfast Briefing at the Goring Hotel in London, Goldman said the term was particularly useful because it highlighted the fact that in today’s interconnected digital landscape, risk can come from fourth parties and others further down the supply chain.


Attendees at the briefing, all senior executives from a range of sectors, agreed that fourth-party risk can often be a challenge. Companies typically don’t have the right to audit fourth parties directly, which can make the situation even more difficult. Attendees agreed that if your company is big enough, or spending enough money, then you can compel third parties to audit their suppliers, but often there is nothing you can do.


Strong contracts


One attendee said his company simply put in its contracts that third parties had to audit their suppliers. But, again, not every organisation will agree to this and some organisations that refuse might be essential suppliers.


Even so, those at the briefing suggested that strong contracts are more effective than questionnaires in ensuring that suppliers take cyber-security seriously. Furthermore, one attendee said his company tried to design its data architecture so that risk did not extend beyond third parties, reducing the risk from fourth parties and beyond.


Artificial intelligence (AI) introduces unique challenges as a third-party component in the supply chain. Its complexity and the mystique surrounding it can lead to risks, especially when employees deploy AI tools in a “shadow IT” environment without adequate training. Additionally, many third-party tools add AI features automatically, making it essential to monitor and assess risks from changes.


Burst into tiers


The need to prioritise was noted by several attendees. One suggested focusing on areas with the most likely attack vectors, or on where breaches could have the most significant impact. A defence-in-depth strategy can then be deployed to make the most efficient use of resources.


Another tip from an attendee was to analyse supplier reports carefully to find the things that companies are not committing to. Often, omissions in these reports can be an important warning of gaps or weaknesses in the service. Spotting what isn’t there can be difficult for humans reading a contract, so this is one place where AI might be useful.


Those at the briefing also discussed the need to classify suppliers based on their importance to your operations. Tier 1 suppliers, those who could potentially cripple your business if breached, should receive the most rigorous monitoring and assessment. Tier 2 and Tier 3 suppliers can receive less intensive scrutiny, depending on their risk profiles.


However, having too many Tier 1 suppliers can render the system ineffective, as monitoring them all can become overwhelming. Companies should consider reducing the number of suppliers they work with if the list is extensive. A large supplier base quickly becomes unwieldy, increasing the risk of oversights.


Asset management


Understanding and managing your digital assets is fundamental to supply chain cyber-security, attendees agreed. Gain a clear understanding of your digital assets, their locations and associated risks. Instead of examining every single supplier, focus on the assets themselves. This approach simplifies asset management and risk assessment.


While cloud platforms offer robust security, be mindful of the potential risks introduced by managed service providers that connect to these platforms. As these providers require access to your data, any vulnerabilities in their security can expose your organisation to cyber-threats.


Given the vast amount of data to track, automation tools can assist in monitoring and assessing suppliers’ cyber-security practices – and several attendees said they used them. These tools can proactively identify and address potential risks, particularly issues that might be missed through manual review.


As well as technology, attendees also emphasised the need to build strong relationships and effective communication channels. Strong relationships with suppliers can facilitate the flow of critical information when issues arise. Quarterly reviews are a good time to build these relationships. It’s also important to maintain a supplier list that includes up-to-date contact information and the date of the last audit.


Safeguarding your supply chain from cyber-security threats is paramount in today’s digital age. By taking a proactive approach to risk assessment and management, emphasising asset management, and nurturing strong relationships with suppliers, attendees agreed, the business can enhance the security of its digital supply chain.


For more information, please visit panorays.com.
