After four years, the effects of the COVID-19 pandemic can still be felt globally. With lockdowns, mask mandates, and 6 feet in between, the economy would ultimately be impacted due to the shifting demand of in-person services toward tangible goods. While such disruptions cause the likes of inflation and can impair the flow of operations, they also draw attention to the importance of resiliency as it pertains to Supply Chain Risk Management (SCRM).
In this blog, we’ll explore other instances of supply chain interference and ways you can protect your organization from faltering.
Change Healthcare
On February 21st, UnitedHealth Group announced the discovery of a breach in its subsidiary, Change Healthcare, a platform that is intended to “help payers, providers, and consumers improve clinical and financial outcomes so that everyone in the healthcare system can thrive” (Change Healthcare). Given the platform’s scale, the ransomware attack sent shock waves running through the nation’s healthcare system. In fact, according to a survey published by the American Hospital Association (AHA), “94% of hospitals have experienced financial disruptions from the attack” (CNBC).
As UnitedHealth Group enacts their Incident Response processes and isolates effected systems, users of Change Healthcare struggle to do the same, ill equipped to suffer the financial losses and outages. Response and recovery plans typically outline proceedings from detection through triaging and closure. However, many organizations fail to create scenario-based plans or conduct tabletop exercises to ensure vigilance, making it difficult to respond quickly and thoroughly to a considerable incident.
Francis Scott Key Bridge Collapse
With today’s enterprise architectures heavily rooted in SaaS, (software-as-a-service) cybersecurity can be mistakenly viewed through a siloed lens. Security teams often focus their attention on potential software outages, similarly to what we’ve seen with Change Healthcare. As was proven with the pandemic, however, instances of worldwide disease, natural disaster, or even freak accidents can significantly hinder organizations and their up or down-stream partners.
The city of Baltimore was crippled by the takedown of the Francis Scott Key Bridge which collapsed the morning of March 26th after container ship, “Dali,” lost power and collided with one of the bridge’s main support pillars. The bridge collapse not only hinders vehicular transportation, but that of vessels like Dali that visit the Port of Baltimore moving imports and exports. As city, state, and federal officials work to determine methods of remedy, “many ships stuck in the port were destined to make stops at other U.S. ports to load and unload goods…[creating] a complicated logistical dance now scrambled by the bridge collapse” (Washington Post).
So, What Should I Do?
Though varied in nature, each of the occurrences described above emphasize the importance of supply chain attentiveness. The question, then, stands to be: how do I bolster my SCRM practices?
Assessments
Conducting cadenced, external assessments not only satisfies compliance requirements, but allows organizations to explore the facets of their security programs, determining both areas of strength and weakness. In turn, this allows security teams to reinforce identified areas of improvement, continuously maturing cybersecurity practices.
Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) have updated their guidance reduce emphasis on critical infrastructure specifications, clarify language, and place emphasis on SCRM. NIST’s Special Publication (SP) 800-161 centers around Cybersecurity Supply Chain Risk Management (C-SCRM) practices, helping manage “exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures” (NIST). As organizations seek opportunities to better comprehend their supply chain practices, such frameworks offer ease of understanding, and benchmarks for success.
Third Party Risk Management
Balance of the supply chain is dependent upon continuous production, emphasizing the importance of each link – or partner – along the way. Standing up a Third Party Risk Management (TPRM) program allows organizations to understand the security practices of potential partners. As with any relationship, ensuring a potential partner aligns with your values is of the utmost importance. Vendors should be properly vetted, their security programs understood, and multi-party approval obtained before contracts are drafted.
Further, by conducting due diligence on a third party’s network, information is amassed regarding their third parties, otherwise known as your fourth parties. Should a fourth party, especially that of your critical partners, become compromised or experience substantial outages, it is likely your business will get caught in the tide. By assessing vendors and their partners, organizations are better equipped to protect themselves from the downstream effects of fourth party compromise.
Finally, developing a TPRM program will allow you to tier your vendors, assisting with identification of your most critical third parties. “Critical vendors are the backbone of a company’s daily operations, providing goods or services that are integral to its core functions. These vendors have a direct impact on the organization’s ability to meet its objectives and maintain operational efficiency” (Scrut). These vendors should be scrutinized on a periodic basis to ensure they are maintaining comprehensive security standards.
Resiliency
Documenting Business Continuity (BC) and Disaster Recovery (DR) plans is critical for ensuring your organization can revive itself from the likes of a major event or disaster. Confirming said plans are in place and ready to be actioned upon is also one of the most significant aspects of conducting critical vendor reviews. The aim of these plans is to minimize operational downtime due to major events or disasters. For example, if one of your critical vendors is impacted by a breach, your organization must respond swiftly, utilizing continuity and recovery plans to ensure services can continue with minimal impact to operations and customers. BC/DR plans must be tested on a periodic basis with the personnel responsible for enacting them through activities such as tabletop exercises which mimic real-world scenarios for acuity.
Next Steps
Supply chain disruptions are complex and often unpredictable, making it more crucial than ever to enhance awareness and preparedness. Assessing third parties, understanding potential risks, and readying your organization to combat realized threat are all defining aspects of a strong SCRM program. Whether a global pandemic, rogue ship, or partner breach, doing so will equip your organization with the tools necessary to protect the success of your business.
To find out how K logix can help you enhance your supply chain risk management practices, please contact info@klogixsecurity.com.
Subscribe
Stay up to date with cyber security trends and more