How to Conduct a Supply Chain Risk Assessment at Scale

How to Conduct a Supply Chain Risk Assessment at Scale
Written by Kaitlyn Graham

Vendors and third party partners are essential to helping your business grow and stay competitive. But outsourcing to third parties also dramatically increases your attack surface. A recent independent study by Opinion Matters found that 92% of U.S. organizations have experienced a breach that originated with a vendor.

In response to these issues, budgets for third-party cyber risk management programs realistically need to rise this year to meet the needs of the vendor management team. When those dollars are used wisely it results in properly vetting any vendor before they become a partner and for the life of the relationship.

But when you’re dealing with a large number of third parties – some who handle sensitive data – the supply chain risk assessment process can quickly become overwhelming, even with larger budgets allocated.

Here are five ways you can scale your program and ensure any gaps in your vendors’ security programs are identified and remediated as quickly as they are identified. 

1. Start with awareness

Before conducting any assessment, you need to quickly and easily discover each service provider within your extended supply chain. It may sound easy, but as the digital ecosystem expands to include more cloud technology, and shadow IT becomes more prevalent (think of all those SaaS subscriptions that employees can procure with a credit card), security leaders may be unaware of the complex web of interconnected business relationships that exist.

Awareness and full visibility is important because it allows you to track where your sensitive data flows, who has access to what, and the relative importance of certain vendor relationships. Using this insight, you can tier vendors based on perceived inherent risk and allocate assessment resources where the greatest risk to the business lies.

2. Assess the risk posture of your supply chain

It’s likely you already have a formal process in place for assessing your vendors that involves questionnaires, penetration testing, annual security audits, and on-site visits. These are all important tools, but they don’t offer a complete picture of cybersecurity risk.

Consider security questionnaires. While they provide insight into a vendors’ security policies, they only reflect risk within a single point in time. They also don’t include risks about which the vendor is unaware or may not be entirely honest about (just one third of respondents to the Opinion Matters survey said they believe the responses vendors provide). These questionnaires are also time-consuming to complete and analyze. 

The same is true of penetration tests. They may uncover hidden risk, but they are costly, disruptive, and hard to implement at scale across your entire supply chain.

Continuous monitoring solutions like security ratings can help fill the gaps by providing an immediate, near real-time snapshot of each third-party’s overall security posture. A higher rating indicates better security, while a lower rating signifies that improvement is needed. Depending on how they score, you can prioritize which vendors may need a more rigorous supply chain risk assessment that dives deeper into their security processes and policies.

Once onboarded, you can use these same tools and methods to continuously monitor your third parties over time. If a vendor’s security rating drops, automated alerts let you know so you can work with your vendor to mitigate the issue.

3. Establish pre-procurement standards

While technology can help reveal hidden risk, one of the surest ways to reduce that risk is to establish strong cybersecurity due diligence practices before your vendors are onboarded. For example, you might use security ratings to introduce a standard cybersecurity metric or acceptable risk threshold and develop contract language to ensure your entire third-party network meets those thresholds as the onboarding process moves forward.

4. Check your code

Many third-party technology providers, especially those that provide functionality to an organization’s websites, apps, or software platforms, infuse sections of proprietary code into their clients’ systems. Unfortunately, this can expose your software to malware.

Because of this, every third-party whose code, hardware, or environments have a part to play in the development of your software and applications should be considered part of your digital supply chain. You must take steps to regularly analyze their code for security risks to protect that chain. Read more about mitigating the risks affecting your software projects.

5. Solve the fourth-party problem 

Supply chain risk assessments shouldn’t begin and end with third parties. To fully protect against cyber risk, you need to address fourth-party risk. Think of these as your vendors’ subcontractors, and those subcontractors’ subcontractors, and so on. Once a third-party is compromised by a fourth-party, your organization is at risk too.

Traditionally, this has been an extremely challenging area to report on, if at all. However, with modern tooling you can continuously monitor fourth-party risk and gain unprecedented visibility into your entire vendor ecosystem. With these insights you can be alerted to newly uncovered relationships, validate your supply chain risk assessment questionnaires, and quickly triage risk in collaboration with your vendors –  it’s a win/win for all.. No more waiting for a breach to hit the headlines to realize your organization may be at risk.

When it comes to your vendors, trust, but verify

While security questionnaires remain an important part of any supply chain risk assessment program, if your company is looking to achieve better risk outcomes you need to trust, but verify.

Use data-driven insights to understand who’s who in your interconnected supply chain, assess potential vendors against established cybersecurity policies, and continuously monitor their security performance for changes over time. In doing so you’ll reduce the time and cost it takes to assess supply chain risk and move forward knowing that every vendor in your digital ecosystem – even if they number in the hundreds of thousands – presents acceptable levels of risk.

scalable vendor risk management ebook

Learn how to create a scalable & sustainable vendor risk management program to see what it takes to create a VRM program that’s ready and able to stand up to our interconnected economy