Part 2: Rethinking Supply Chain Risk: Solutions for Today’s Challenges

supply chain risk management
Written by Noah Stone
Senior Manager, Thought Leadership

Traditional supply chain risk management strategies are becoming increasingly unsound amid the rise of unorthodox threats.

In a previous blog, we outlined some of these unorthodox threats forcing organizations to rethink supply chain risk. Internet of things (IoT) devices are assuming increasingly important roles in organizations, making them prime targets for attackers seeking to disrupt business as usual. Making these threats all too real, Bitsight recently announced it had discovered critical vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to remotely disable entire fleets of corporate supply vehicles, thereby inducing supply chain disruptions. The risks don’t stop at IoT devices – enterprise software continues to be found vulnerable, presenting threats of data breach, ransomware deployment, and more.

These evolving supply chain risks require organizations to not only rethink supply chain risk but to act accordingly. Every organization should form a cyber supply chain risk management strategy for the modern era.

What is a supply chain risk management strategy?

A supply chain risk management strategy is a framework your organization uses to mitigate supply chain risk by securely onboarding and managing vendors. Every vendor you onboard adds risk to your organization – the vendor could be an easy target for hackers; or they could themselves rely on a vendor using vulnerable technologies. You need a strategy to ensure you only onboard the most secure vendors, and to identify and remediate any weaknesses within your existing supply chain.

Organizations are onboarding vendors at record rates, further complicating the task of managing the risk presented by the addition of each new vendor. With vendor security performance subject to change each day, continuously monitoring your supply chain for threats is an essential business practice.

A Bitsight advisor can answer any questions you may have in these respects. For now, let’s cover some of the key considerations feeding into a modern supply chain strategy.

Supply chain strategies for the modern attack surface

The modern attack surface is becoming more complex and unorthodox, opening up organizations to previously unimaginable supply chain threats. Organizations must act now by forming new strategies, or reassessing old ones, to account for all the idiosyncrasies in the wild.

Organizations should consider the following when forming a strategy:

Get visibility into your supply chain

  • The first step in forming any useful supply chain strategy is to gain visibility into your supply chain. Organizations first need a clear understanding of who their business partners are, and how critical each partner is to the organization’s overall functioning. Another element of visibility is to understand your third party’s vendors, or your fourth parties. A supply chain disruption need not originate with your third party, rather it could originate with an nth party and affect your organization via a chain reaction. It’s critical to first map out your third, fourth, and nth party footprint.

Leverage data to make decisions

  • After gaining visibility into your supply chain it is critical to leverage quality data to then make decisions, especially when onboarding and reassessing vendors. A good starting point is to impose a strict and consistent expectation of each vendor’s cybersecurity program. From there, you can leverage security ratings – recommended by NIST – to track and analyze the security performance of your supply chain partners. Much like a credit score but for a vendor’s cybersecurity posture, a security rating allows you to quickly identify weaknesses in your supply chain, and to avoid onboarding insecure vendors in the first place.

Mitigate risk with continuous monitoring

  • Ensuring each of your vendors maintains a high degree of cybersecurity performance can be a daunting task, especially at scale. Leveraging technology to continuously monitor your supply chain partner’s networks for vulnerabilities can help you avoid a major supply chain disruption. Unlike traditional vendor assessments performed at limiting frequencies, continuous monitoring allows you to continuously and automatically discover hidden risks across your supply chain, alerting you when a vendor or partner’s security posture drops below a certain threshold.

Use trusted manufacturers and developers

  • Supply chain visibility, data-driven decisions, and continuous monitoring of your supply chain’s security performance all converge to one goal – identifying and building lasting relationships with trusted vendors.
     
  • Supplementing continuous monitoring with questionnaires, certifications, and attestations can augment your ability to identify trusted and untrusted organizations. ThirdPartyTrust leverages these factors to help third parties better communicate the performance of their security programs. This analytical angle combined with continuous monitoring and security ratings provides organizations with a powerful way to identify the most trusted organizations.

Supply chain risk management is an evolving and complex area of focus for organizations. With an expanding attack surface presenting new and unorthodox threats to your supply chain, it is critical to arm yourself with the highest quality data and technologies to help with vendor onboarding, reassessment, and overall supply chain risk management.

2023 Gartner RC Image Square

“By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” How can a human-centric design strengthen your cybersecurity program? Get your report to learn from key predictions, market implications, and recommendations.