Achieving an appropriate balance between people, processes and technology can help to detangle the complexities of the supply chain and create better security practices
Information Security Forum
Published: 22 Jun 2022
Supply chains are now a fundamental element to the operations of many organisations, as they are not only responsible for the flow of goods and services, but the flow of information too. The ever-increasing reliance on supply chains, combined with the limited control and visibility over the security practices of suppliers, makes the supply chain an ideal target for cyber criminals who want to disrupt and profit from their attacks.
The interdependencies of the supply chain means that attackers can impact up to 10 times as many organisations compared with previous siloed attempts. Targeting key suppliers with connections into many different organisations means that attackers can compromise information at high scale, with relatively low effort.
Organisations need to get on the front foot to counteract the surge in supply chain attacks. Looking at increased automation and improving transparency with their supply chains will help to advance their understanding of supply chain security, allowing them to work with the suppliers to enhance secure practices.
The ever-increasing complexity and scale of supply chains will soon result in some level of automation becoming a necessity. As more and more information is shared across the supply chain, it is nearly impossible to process and keep track of data without the help of technology. The automated functionalities of a supplier assessment tool can help to increase the accuracy, efficiency and transparency of the supply chain, all of which will help to strengthen security.
Automation helps to increase efficiency within supply chain management by reducing the time spent on repetitive and time-consuming tasks. For example, sending out assessment requests or reminders individually to suppliers is a necessary, but at times tedious task. The use of a supplier assessment tool can be utilised to simplify and automate this task by grouping together suppliers based on risk and sending out assessments designed for their risk level at the appropriate frequency.
To achieve the most accurate and reliable profile of a supplier’s security posture, continuous monitoring is required, which is only realistically achievable when automation is incorporated. There are a number of different methods available for continuous monitoring, which include but are not limited to: security ratings, supplier self-assessments and security certifications.
The greatest value from continuous monitoring is extracted from the outputs produced. Most assessment tools will present the findings in a dashboard that provides a visual representation of the security of suppliers, helping to increase the visibility of the status of the supply chain by providing the results in an easy-to-comprehend format.
Lack of visibility into the supply chain was regarded as the biggest barrier to effective supplier cyber risk management, according to a survey conducted by the UK government. Incorporating supplier assessment tools into the supply chain management process can help to achieve greater levels of visibility. This is because the technology can store, process and analyse a large quantity of data much more quickly.
The use of technology during the evaluation stage of the process has the potential to identify trends or anomalies that may previously have gone unnoticed. Increasing the level of visibility enables organisations to be better prepared and ready to respond to supply chain threats.
As well as improving internal visibility of operations, it is also important to be transparent with external suppliers. Being honest with suppliers about security needs and expectations during the initial stages of procurement, and encouraging them to do the same, will help to build stronger relationships and strengthen security. Establishing a security baseline and incorporating security requirements into the contract will help to establish a precedent for the entirety of the supply chain lifecycle.
Although it may seem counter-intuitive to be transparent with the wider public when a security breach occurs in the supply chain, it can be used as an opportunity to showcase good security practice and set an industry precedent. It is no longer a case of if, but when a supply chain attack will occur, so it is better to be prepared and proactive with a response plan for when it inevitably happens.
Being honest when an attack occurs and using it as an opportunity to share what you have done to mitigate it can have a positive effect on public perception and may even help to stop the attack rippling through other organisations.
While technology will play a crucial role in improving security within supply chains, it is important not to forget about the continued human involvement in the future of supply chain management. It is the workforce behind the technology that can extract, make use of, and communicate what the technology provides. Getting the right balance between people, processes and technology can help to detangle the complexities of the supply chain and create better security practices.