Cybersecurity:
Are Your Suppliers Putting You at Risk?

1. What is cybersecurity?
2. Why cybersecurity is important
3. How cybersecurity works
4. What is a cybersecurity risk assessment?
5. What are the top three cybersecurity threats?
6. Why is cybersecurity awareness training necessary?
7. Five steps for managing cyber threats

Discovering how cybersecurity started helps explain why it is important. Because not only internet use has exploded in the past 30 years, cyber risk has kept pace, and cyberattacks continue to evolve. So, when you understand cyber risks and cyber risk management, you can better protect your business and your supply chain.

Increasingly, your cyber risk strategy, or more specifically, cyber risk management strategy, must involve suppliers, vendors and any other third-parties in your supply network. Why? In our whitepaper Managing Cyber Risk in Your Supply Network we discuss what drives cyber risk, why it matters, and what you can do to protect your business. Here are a few highlights:

• Supply chain cyber risk is growing. Digitalization, mobile devices, Internet of Things, and the rise in home-office working expand the playing field
• 50% of all cyberattacks use island-hopping - moving laterally in a network - to access and infiltrate supply chain partners
• On average, data breaches go undetected for 280 days
• 66% of small businesses were victim of cyberattack in 2019

In short, cybercriminals seek out the weakest link in your supply chain to gain access to your digital systems, so your cyber risk and security may depend largely on how effectively you monitor your supply base. Greater visibility into your sub-tiers improves your cybersecurity risk management. Properly vetting suppliers’ cybersecurity, cyber risk management and data protection measures can save you money and save your reputation.

Using The riskmethods Solution™ you can continuously monitor cyber risk in your supply network – and demonstrate proactive risk management.

To be effective, cybersecurity combines technology with human behavior. The most advanced firewalls or antivirus software are not secure if staff are not aware of or do not follow data protection policies.

Even if your enterprise has advanced cybersecurity policies and technology in place, you might have sub-tier suppliers unable to protect their networks, for reasons including technology failure (incorrectly configured software), lack of resources (not enough staff, outdated patches), lack of awareness (insufficient knowledge or low priority). The broad attack field means that cybersecurity risks for businesses are much more multilayered than in Morris’ student days.

Yet cyber supply chain risk management is not all doom and gloom. In today’s increasingly digitalized procurement environment, it offers solid business benefits as well:

• Raise awareness with stakeholders and executive leadership
• Improve communication on cybersecurity expectations with business partners, suppliers, and other third parties
• Align internal guidelines with industry standards, legislation
• Learn and show industry best practice

With a cybersecurity risk assessment, you take a close look at your – or your suppliers’– level of risk preparedness. To identify and rate cyber threats and vulnerabilities, independent auditors or cyber risk management companies review the relevant IT-infrastructures. Many cybersecurity specialists rely on the international standard ISO/IEC 27001 2013, which details specifications for managing risk in an information security management system.

As with any risk assessment, when assessing cyber risk, several aspects are essential:

1. Determine which data is most critical. Here you might apply the information-security triad of Confidentiality, Integrity and Availability. Ask yourself these questions:

• Confidentiality: What if the data becomes public?
• Integrity: What if the data becomes altered of falsified?
• Availability: What if the data can no longer be accessed?

2. Understand risk and consequences. You might want to group critical data by topic, its contribution to essential business operations or risk in cost, image, quality and performance.
3. Assess systems. What measures do I have in place to protect my data and IT-systems?
4. Evaluate probability. How likely is data breach in my system? The human aspect cannot be neglected here.
5. Calculate a risk scorecard. This gives you an easy-to-understand snapshot of the risk status on an established numerical scale.
6. Create a criticality assessment. Once you’ve identified risks and established your critical assets, you can develop plans to mitigate any cybersecurity risk.

For greater details, you can download cybersecurity risk assessment pdf offered by government agencies or cybersecurity companies. And, because cyberattacks on supply chains are increasing, a cybersecurity assessment is critical. This is also why cyber risk assessment needs to be anchored in your supplier evaluation and third-party risk management. If your suppliers are hit, you too are likely to suffer the consequences.

Cyberattacks are powered by increasingly advanced software and bots, but threat actors often bypass security technology by manipulating users. In fact, most data breaches can be traced to human error. Employees are fooled by phishing (fake sites or emails), they use insecure passwords, of fall victim to social engineering, when hackers speak or write to users to get access to IT-systems. Just one person’s mistake can infiltrate your entire network and put sensitive data at risk.

Awareness is the first step to managing cyber threats. To reduce cyber risk, staff must be trained on the need for cybersecurity. And training must be ongoing, to keep pace with rapidly evolving technologies and tricks.

But that’s not all. Mistakes when handling data may have legal consequences, including fines. And when your customer data is handled by a supplier, they might unknowingly breach the General Data Protection Regulation (GDPR), for example, which mandates the controlling and processing of personally identifiable information, as well as reporting cyberattacks and notification of breach.

By the way, Morris was the first person sentenced under the then-new US cybersecurity bill called the Computer Fraud and Abuse Act (CFAA), which prohibits accessing protected computer systems without authorization.

Cybersecurity management for your supply chain management cybersecurity is one focus of U.S. National Institute of Standards and Technology (NIST). Their cybersecurity specialists have developed a five-point framework of voluntary guidelines for reducing cyber threats and vulnerabilities in critical infrastructure – including supply chains.

1. Identify. Develop understanding of cybersecurity risk to systems, people, assets, data, and capabilities
2. Protect. Install appropriate safeguards to ensure delivery of critical infrastructure services
3. Detect. Implement activities, such as continuous monitoring and detection, to identify the occurrence of a cybersecurity event
4. Respond. Create action plans for response when a cybersecurity incident is detected
5. Recover. Maintain plans to ensure resilience and to restore any capabilities that were impaired in an attack. Organizations commonly develop an IT-disaster recovery plan to get critical systems up and running

You’ve probably noticed that the NIST framework contains many aspects of sound supply chain risk management. And indeed, integrating cybersecurity into your supply chain risk management is critical for protecting your business resilience.

And speaking of resilience, did Morris bounce back? The early bird of cybersecurity now belongs to the faculty of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology (MIT). With luck, he’ll be the first to catch today’s runaway worms.