Many people use the phrase “Digital Supply Chain Risk”, but it is often unclear how it is defined. Is it software risk? Is it vendor risk? Is it all of the above and more? While the definition may be hard to pin down, the overall risk it represents can be severe and should be addressed. To that point, when even the definition of the problem is murky, where should you start? First, you must apply the appropriate lens to the challenge. Your organization will determine the lens, but there are three primary lenses that most organizations will find applicable.
The first lens is traditional third-party cyber risk. Who are we sharing data (or access) with, and are they as secure as we need them to be? These potential third parties include your outside counsel, health insurance broker, landscaper, equipment reseller, and anyone else who might hold your data or have access to your systems. This lens is understandable to many organizations, and there is guidance from regulators on its importance. The Target breach is an example of a failure in third-party management.
The second lens is digital software. Nearly every organization leverages software to run its business, most of which is developed by outside companies. This software is often connected to other programs and may contain sensitive and protected data. Yet much modern software is an amalgam of sub-programs and stacks, and often relies on open-source programs and libraries to run. While there is nothing wrong with this approach, it creates a need for an appropriate secure software development process, which not every software provider follows. Recent breaches, such as SolarWinds, highlight the trust organizations place in software and the disaster that can follow when that software is exploited.
Finally, the third lens is the digital connectivity of the supply chain, which creates new and unique challenges. Understanding third-party resilience to a cyber-attack has become as important as understanding fraud risk or natural disaster risk. Toyota recently shut down production when a key supplier experienced an incident, a nightmare scenario for many manufacturers. Furthermore, there is the risk created by the digital connectedness of suppliers, where the breach of one leads to the breach of many other companies. The NotPetya ransomware incident of 2017 spread across the globe partly through service suppliers based in eastern Europe; the intended targets were connected to many companies worldwide.
Now, what should you do after identifying the appropriate lens for your organization? First, ask questions! Any application, partner, or supplier should have documentation on their cyber security approach. Do they regularly penetration test? Do they follow secure coding practices? Can they share a "Bill of Materials" for what you are buying? Any information is better than no information. Once you have asked and hopefully received some information, it is crucial to review it through the lens of your own security requirements and to validate it with evidence. If they share nothing, that is not a positive sign, but you can still use security rating tools such as BitSight, RiskRecon, and SecurityScorecard to acquire objective information on the third party.
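To make "review it through the lens of your own security requirements" concrete, here is an added example (not code from the original post or from K logix) that checks a supplier's software bill of materials against an organization's own review policy. It assumes the SBOM is delivered as CycloneDX-style JSON; the SBOM contents, component names, and policy thresholds are constructed for the example and stand in for whatever a real supplier and a real policy would contain.

```python
"""Review a supplier-provided SBOM against an organization's own requirements.

Added example, not code from the original post or from K logix. It assumes the
supplier delivers a CycloneDX-style JSON SBOM (the field names below follow that
format) and that the organization maintains its own review policy; the SBOM
content and the policy values are constructed for this example.
"""
import json

# Constructed sample: the kind of document a supplier might hand over.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-logger", "version": "1.2.0"},
        {"type": "library", "name": "example-xml", "version": "3.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed review policy expressing "our" security requirements.
POLICY = {
    # Minimum acceptable version per component name (hypothetical values).
    "min_versions": {"example-crypto": (1, 0, 0), "example-http": (2, 0, 0)},
    # Licenses the organization will not accept in purchased software.
    "denied_licenses": {"AGPL-3.0-only"},
}


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts are treated as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def review_sbom(sbom_json, policy):
    """Return a list of (component_name, issue) findings.

    An empty list means the SBOM cleared every check in the policy; it does
    not mean the software is safe, only that the evidence passed this review.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            findings.append((name, "no version declared"))
        else:
            floor = policy["min_versions"].get(name)
            if floor and parse_version(version) < floor:
                wanted = ".".join(str(n) for n in floor)
                findings.append((name, f"version {version} below minimum {wanted}"))
        licenses = [entry.get("license", {}).get("id")
                    for entry in comp.get("licenses", [])]
        if not licenses:
            findings.append((name, "no license declared"))
        for lic in licenses:
            if lic in policy["denied_licenses"]:
                findings.append((name, f"license {lic} not accepted"))
    return findings


if __name__ == "__main__":
    for component, issue in review_sbom(SAMPLE_SBOM, POLICY):
        print(f"{component}: {issue}")
```

Run against the constructed SBOM, the review flags the crypto library below the version floor, the logger with no license declared, and the XML library under a denied license; the HTTP library passes. The point is that the SBOM alone is only information; the policy is what turns it into a decision you can defend and revisit.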
What questions to ask and what tools to use depends on your industry, your relationship with partners, and the lens you apply to this risk. The approach taken by a small manufacturing firm will differ from that of a large defense contractor, and again from that of a mid-size law firm. The goal for all three (and every organization) should be the ability to answer the following with a confident yes:
- I know who my third parties (suppliers, software, etc.) are
- I determined my risk tolerance and identified key objectives for sharing data with third parties
- I reviewed that decision regularly with my own organization’s current goals and requirements in mind
It sounds simple enough, but for many organizations, even answering the first question is a tall order. Here at K logix, our teams are well versed in helping organizations of all sizes and industries answer these critical questions, and our experienced team has the expertise to help determine your approach. Feel free to contact us to learn more about applying the appropriate lens to your specific and unique challenge in addressing digital supply chain risk.