Supply Chain Resilience: 4 Ways to Get Ahead of Third-Party Cyber Risk
Recent events, including the 2020 COVID-19 pandemic, shifts in demand, and labor shortages have shone a spotlight on supply chain resilience – or lack thereof. In response, business leaders recognize that becoming more resilient is a necessity and are looking at strategies for doing so.
As a best practice, Gartner recommends that companies diversify their manufacturing networks, utilize regional or local supply chains, add buffer capacity, and more.
But a missing link in these strategies is supply chain cyber resilience.
Why supply chain cyber resilience matters
As supply chains grow more interconnected, attackers see opportunity and they’re taking it. Today, 62% of network intrusions originate with a third party—often someone in your software supply chain.
In addition, upcoming cyber regulations such as DORA and NIS 2 in the EU put a spotlight on supply chain resilience, with strict requirements around risk management, incident reporting, and coordination among organizations and regulatory authorities.
Indeed, recent incidents – like the SolarWinds and Kaseya hacks – illustrate how an attack against just one organization in today’s interconnected supply chains can be crippling and costly:
- Combined, these hacks compromised the data, networks, and systems of nearly 20,000 government entities, Fortune 500 companies, and others.
- The SolarWinds attack cost U.S. companies 14% of their annual revenue.
Consider the following best practices to improve supply chain resiliency, ensure compliance with regulations, and combat third-party risk.
- Validate your vendors’ security postures
- Continuously monitor for supply chain risk
- Don’t forget fourth parties
- Report on cyber resilience in business terms
4 effective supply chain resilience practices
1. Use data to validate your vendors’ security postures – before onboarding
Before you onboard new vendors, you need to understand the security risks they pose to your organization. Typically this is achieved using security questionnaires. Although useful, these assessments are manually intensive and only provide a point-in-time snapshot of a vendor’s cyber health. They are also subjective and require you to take your vendors at their word.
Rather than relying on due diligence practices of old, it’s essential that you assess your suppliers’ risk postures using data-driven insights and analytics.
For instance, with Bitsight for Third-Party Risk Management you can gain deep, real-time insights into a vendor’s security posture via a single pane of glass. Bitsight monitors your third parties for vulnerabilities, indications of a lack of security controls, and both current and historical security performance issues.
In addition to validating vendor risk, Bitsight brings efficiencies to the time-consuming and highly manual due diligence process. Using Bitsight TPRM, you can:
Set vendor risk tolerance thresholds: Bitsight’s data insights make it easy to establish an acceptable risk threshold a supplier must achieve to be considered a potential partner – and then measure them against it.
Tier your vendors: To further define a risk threshold, our tier recommender service can aid in grouping your vendors based on their risk and criticality to your business. For example, a cloud provider with access to sensitive data would be classified as a top-tier vendor and held to a higher standard of security performance. However, a cleaning company would belong in a lower tier with a less stringent risk threshold.
2. Continuously monitor for supply chain risk
To build greater cyber resilience into your business and supply chain, you need to keep a pulse on your suppliers’ changing risk profiles – for the life of the relationship.
By utilizing Bitsight TPRM – and now, through our acquisition of ThirdPartyTrust – you can continuously and automatically monitor the cyber health of your vendors. You’ll get dashboard views into the risk posture of every supplier in your vendor portfolio and automatic alerts the moment a new risk is identified, such as an insecure access port, unpatched system, or the presence of malware.
You can also share Bitsight’s findings with your vendors for rapid and collaborative triage and remediation.
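The tiering and threshold logic described under "Tier your vendors" above, combined with the continuous-monitoring idea of alerting when a vendor’s posture changes, as an added example that is not Bitsight’s code or API. It assumes a constructed 0–100 security score (not Bitsight’s rating scale), illustrative tier thresholds, and a short constructed score history per vendor.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    TIER_1 = 1  # critical: access to sensitive data (e.g. a cloud provider)
    TIER_2 = 2  # important: business-critical service, no sensitive data
    TIER_3 = 3  # low impact: facilities services such as a cleaning company

# Minimum acceptable score per tier. Assumed 0-100 scale; values are illustrative.
TIER_THRESHOLD = {Tier.TIER_1: 85, Tier.TIER_2: 70, Tier.TIER_3: 55}

@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool
    business_critical: bool
    scores: list[int]  # score history, oldest first (constructed sample data)

def assign_tier(v: Vendor) -> Tier:
    """Group a vendor by criticality to the business, as the tiering step describes."""
    if v.handles_sensitive_data:
        return Tier.TIER_1
    if v.business_critical:
        return Tier.TIER_2
    return Tier.TIER_3

def evaluate(v: Vendor, drop_alert: int = 10) -> dict:
    """Check the latest score against the tier threshold and flag a sharp decline."""
    tier = assign_tier(v)
    threshold = TIER_THRESHOLD[tier]
    current = v.scores[-1]
    findings = []
    if current < threshold:
        findings.append(f"below tier threshold ({current} < {threshold})")
    if len(v.scores) >= 2 and v.scores[-2] - current >= drop_alert:
        findings.append(f"score dropped {v.scores[-2] - current} points since last check")
    return {"vendor": v.name, "tier": tier.name, "threshold": threshold,
            "score": current, "acceptable": not findings, "findings": findings}

# Constructed vendor portfolio for the example.
VENDORS = [
    Vendor("cloud-provider", True, True, [92, 91, 78]),
    Vendor("payroll-saas", True, False, [88, 89, 90]),
    Vendor("logistics-api", False, True, [75, 74, 72]),
    Vendor("cleaning-company", False, False, [60, 58, 57]),
]

def review_portfolio(vendors: list[Vendor] = VENDORS) -> list[dict]:
    return [evaluate(v) for v in vendors]
```

Run `review_portfolio()` to see the cloud provider fail on both counts (below its tier-1 threshold and a 13-point drop) while the cleaning company passes against its lower tier-3 bar.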
3. Don’t forget fourth parties
Achieving supply chain resilience must extend beyond your third parties. They have partners, too. When a third party is compromised by a fourth party, it puts your organization at risk.
But with Bitsight for Fourth-Party Risk Management, you can gain an unprecedented view into risk across your entire vendor ecosystem.
- Receive alerts when security incidents are discovered in your extended vendor supply chain.
- Validate security controls across the network.
- Gain a clear understanding of your dependence on service providers or products and the effect of a service interruption or security incident. Take advantage of this insight to make informed decisions about diversifying your suppliers.
4. Report on cyber resilience in business terms
Successful supply chain resilience can only be achieved if everyone’s on the same page about how well prepared your organization is to defend itself against a supply chain attack. This includes your board of directors.
But board members aren't always familiar with the technical metrics or language that CISOs frequently use in their presentations and reports. They need easy-to-digest metrics that shift the emphasis from cybersecurity and resiliency to business risk.
To make sure you’re delivering the information to the board in a way that resonates with them, download this free guide. It outlines which cyber resilience metrics matter, what presentation style to use, and more.
A proven way to improve supply chain resilience
As third-party cyber threats increase, achieving supply chain resilience comes down to visibility and accountability. You need to monitor every link in the supply chain – continuously, efficiently, and at scale. And then use those data-driven insights to help your vendors proactively manage their own cyber risks.
Bitsight can help – with solutions for continuously monitoring vendor security performance, measuring security controls, mitigating supply chain risk, and quantifying cyber risk for business leaders.