Managing Your Weakest Link: Supply Chain Risk Management

In today’s interconnected digital economy, every business engages with other organizations for goods and services. Our ecosystems are more global and more diverse than at any previous point in history. And while these relationships often come with great benefits, they can also come with great risk if not properly managed.

A Ponemon Institute study found that 59% of companies were affected by a cyberattack through third-parties and only 16% are confident that they effectively mitigate third-party risks.

It’s sobering to think about those numbers and the amount of risk businesses are accepting from their supply chain. Furthermore, if you consider that each of those suppliers is also likely accepting a certain amount of risk from their own supply chain – it quickly becomes quite concerning.

So, where do you start? How do you make sure your supply chain doesn’t become the weakest link in your risk management strategy?

  1. Know your vendors & their access

As with any risk, if you don’t know where your risks are, you can’t address them. Keep an up-to-date record of all vendors and their relation to your business. For example, do they have access to critical systems or sensitive information? If so, what measures are in place to ensure that data is not misused or accessible to unauthorized individuals?

  1. Thoroughly evaluate your vendors’ cyber posture

Due diligence and transparency are critical. In addition to knowing who your vendors are, it is important to know about their security strategies too. Establish expectations, review disaster recovery plans and implement service level agreements (SLAs) focused on security.  Do this at the beginning of the relationship to ensure protection. It is worth noting, that it is not always your biggest vendors that pose the biggest risk, it may be the smaller ones that don’t have the resources to address risks effectively; therefore it is important to vet all vendors according to the risk that they represent to you.

  1. Remediate gaps and weaknesses in a timely manner

Weaknesses may arise from incidents, audit findings, vulnerability scanning or penetration testing. As you would with your own security assessments, if any gaps are identified, it is important for them to be remediated. Organizations must insist that these gaps are addressed quickly and efficiently to an acceptable level – in some cases, this can even put strategic partnerships on hold. Although this may seem extreme, there is certainly value in doing this. According to a Ponemon report, evaluating your suppliers’ security enables you to reduce the likelihood of a data breach from 66% to 46%.

  1. Continuously monitor your collective cyber posture

No organization is 100% secure so your vendors need to be committed to improving their security status’. As we know, risks can change at any time, so it is important to continuously review third-party risk. Though this is a difficult job (with many organizations having hundreds or even thousands of vendors), there are ways in which this can be automated. It is also worth noting that, organizations should also review their relationships with suppliers upon termination to ensure that nothing has been left to chance.

Whether a data breach occurred because of your own security weaknesses or that of a supplier, the repercussions will be substantial. Unfortunately, focusing on your own security architecture is not enough as you are only as strong as the weakest link of the chain. As such, cybersecurity has to be embedded into the entire process for end-to-end supply chain protection. Though this process of vetting takes time, there are clear benefits including better assurance, increased resilience, fewer disruptions and stronger strategic relationships.

To learn more about you how you strengthen the health and understanding of your supply chain, please join our webinar on November 11th: “A Risk-based Approach to Vendor and Supply Chain Management”.

Onsite or web training needed?

Please contact us to discuss your requirements.