Every area of business is under attack from cyber criminals, whether that involves so-called “ransomware” threats, stolen customer data and more.
But the supply chain is an expressly attractive target for such digital crime, for several reasons.
A recent research note on the topic by Boston Consulting Group (BCG) identified several reasons a company’s supply chain is being viewed as such an attractive target.
The main reason involves the scale and complexity of a company’s supply chains and digital networks, which are often several tiers deep and frequently involve electronic connections to hundreds or thousands of suppliers, customer, carriers, logistics providers and more.
Those suppliers, in turn, are connected to still other vendors, creating a large number of potential entry points for cyber attackers to exploit.
“When a company operates a supply chain network with multiple tiers, third parties’ cybersecurity risks are also the company’s risks,” BCG notes.
The rapid move to cloud-based supply chain software applications of all kinds also adds new risks. More specifically, this shift is increasing a company’s reliance on cloud providers’ own security controls and reducing visibility into risks.
The mobile world and growth of IoT devices are also adding to risk, with BCG noting that “The surge is creating numerous digital endpoints that can be entryways into a network. Since companies are relying more and more on electronic tools and devices, this risk is not likely to abate.”
Reports of supply chain software attacks seem to be growing, even as many companies choose to keep news of such attacks quiet if it can.
Companies that take a proactive approach to managing supply chain cybersecurity can lower their risks and costs, BCG says.
What are supply chain cyber security staff to do? BCG offers a number of tips, starting with several well-known and proven actions:
• Forming a collaborative senior leadership team that can secure buy-in across security, IT, procurement, legal, engineering, and other relevant functions, as well as make decisions collectively
• Establishing a formal, transparent, risk management program for the supply chain that has policies, processes, accountabilities, and a sufficient budget and staff
• Identifying and categorizing the company’s critical suppliers
• Determining which systems are critical to ensure accurate reporting of material weaknesses and significant deficiencies associated with third-party risk.
(See More Below)
|
CATEGORY SPONSOR: SOFTEON |
|
|
| |
| |
|
|
Beyond these basics, BCG says companies to also take the following steps:
 Get a risk management program in place: Many times, the hardest part is simply getting started. Look for quick-win opportunities.
Develop the program as part of a broader risk management strategy: One way for a company to understand its degree of exposure is to develop scenarios for different types of cyber attacks on various types of suppliers.
Leverage the capabilities of existing tools: There may be existing, untapped capabilities within a company’s enterprise resource planning software and other systems that it can use to develop a risk management program.
Take a phased approach: In a large organization, the sheer number of third parties can be one of the largest roadblocks to implementing a risk management program. Rather than planning a rollout to all third parties simultaneously, a company could phase in a program by prioritizing regions, business units, or product lines.
Work across functions: Supply chain security cannot be improved by the technology or risk functions alone. Cross-functional teaming is critical to developing and implementing a risk management program for a supply chain.
Let the data drive the decisions: Companies should determine a way to evaluate the program and make adjustments accordingly.
“Cybersecurity risk is one the most important challenges facing organizations today,” BCG concludes, adding “Thousands of companies suffer costly attacks related to third-party breaches each year. Supply chains and digital networks that have many tiers hinder companies’ visibility into their risks.”
Any reaction to these tips from BCG? Let us know your thoughts at the Feedback section below.
|
