points within that specific ecosystem. For example, we are now seeing cases where malware is being uploaded and installed at original equipment manufacturers (OEMs) at multiple points in their production processes. These threats usually are discovered long after the product has left the facility and has entered another firm's supply and value chain. In this way a seemingly siloed manufacturer may open its own operation, and consequently other organizations, to security risks.
It follows logically, then, that the greater the complexity and value of a firm's supply chain, the more extensive and proactive its risk management efforts should be. These efforts should include various layers of security, including, but not limited to: redundant backup systems, multiple-stage access thresholds for credentials, and ongoing threat monitoring to fend off the expanding list of malware and attacks that can cause service disruption and brand erosion.
After all of its supply chain partners have been identified, a company should audit and vet all of its existing vendors' cybersecurity abilities. This can be achieved by surveying vendors' security practices across the supply chain network and by applying security research to develop the IT capabilities needed to better examine and predict potential threats.
Another important tool is threat intelligence, which involves the utilization of security data to more actively assess and detect potential risks to a company's information infrastructure.
One of the most important and effective steps you can take is to include cybersecurity protocols, conditions, and capabilities in the procurement function's approval criteria for all potential new vendors.
In many ways, this sort of vendor assessment is a strategic sourcing exercise that allows management to base its selection of vendors on a combination of factors that include not just price and quality but also security metrics. These measurements may include the vendor's ability to integrate its tactical security measures into a larger company's infrastructure; how well the vendor protects its own data; and the overall importance of that vendor in the supply chain.
While this may seem like common sense, this kind of assessment is not widely practiced. According to a 2014 cybercrime survey by the consulting firm PricewaterhouseCoopers, only 44 percent of firms have a process for evaluating third-party vendors, down from 54 percent in 2013. Just 41 percent of companies have a process for assessing the cybersecurity of third-party providers with which they share data or networks before launching business operations, and just 27 percent conduct incident-response planning with supply chain partners.[6]
Once a company has assessed its vendors' cybersecurity measures, it must also ensure that there is a standard level of security across the supply chain. It is rare to find much consistency. Consider this common situation: An organization uses multiple partners to manage and perform its inbound and outbound logistics activities. These vendors are connected through the logistics function, with access to information that is sensitive to both vendors as well as to the overall value system. Yet in many cases they will have substantively different security protocols, and neither may have a stringent set of standards, thereby exposing all members of the system to cyberattacks.
Executive management must set security protocols that are standardized across the supply chain network and require their vendors to comply. For example, credentials should be uniform for logins, passwords, and badges. The breaches that we have seen unfold have often evolved from credentialing that either was not standardized across vendors or had not been sufficiently updated from a technology perspective. Additionally, a company should have a security framework (for example, ISO 27001), along with an individual such as a chief security officer, chief technology officer, or data steward who is responsible for data security management, strategy, and responsive action.
Once these protocols have been set, companies must proactively monitor and audit every vendor in their network. In many cases, annual audits or self-reported incidents will not fully shield a firm's infrastructure from ongoing threats, as these methods often are incomplete, inefficient, quickly outdated, or a combination of those elements. A company can often benefit from having a neutral third party conduct a one-time evaluation of its supply chain's security, and then monitor its vendors