The marketplace is becoming increasingly complex. Digitalisation, internationalisation and competitive pressure mean that companies are more and more dependent on third parties. In many ways, cooperation makes sense, but it can come at the expense of cyber security – the keyword here is supply chain risks (or third-party risks). In this blog article, we explain what these risks are and what effective supply chain risk management is all about.
Your cyber and IT security can be as good as you like, but if your suppliers, distributors and service providers are inadequately protected, they will also pose a risk to your company. Increased networking that includes the sharing of sensitive data is one of the main problems. However, shared IT interfaces and phishing e-mails sent from supposedly reliable third parties are also part of the supply chain risks. It can be even more sophisticated: the cyberattack may not target the third party at all, with the third party merely serving as a «middleman» for an attack on your company.
Supply chain risks are bigger than most people think
Third-party cyber risks are more multifaceted than most people think. First, as explained earlier, hackers may see third parties as just a means to an end to get into your systems. In the worst case, the hackers will paralyse those systems, which can lead to business disruption or a complete shutdown. Secondly, data, which are your crown jewels, can also be stolen, for example when customers put them at risk as well. Thirdly, there may be consequences for you when your third parties fail to comply with requirements or to collaborate. And fourthly, in the event of a successful attack, there are, of course, significant risks to your reputation. As a result, customers and other third parties will think twice before they (continue to) work with you.
Data protection alone is inadequate
The General Data Protection Regulation (GDPR) 2019 put data protection at the top of the agenda for many companies, which is definitely a step in the right direction. Even people who do not fall under these provisions will have to act this year, because the revised Swiss Data Protection Act (DPA) is on its way. That said, it should not be assumed that the risks will disappear as a result. On the one hand, companies still have a great deal of autonomy, including with respect to control; on the other, hackers are always one step ahead, so they usually find a loophole for an attack. Finally, the GDPR and the DPA are not perfect and there is a long road to revision and implementation – too long to be able to keep up with the attackers.
Where third parties are problematic
For many companies, the problem is a lack of transparency, visibility and control. For one thing, companies often cannot see how third parties themselves are handling sensitive data and their systems. Also, you rarely know what cyber security measures they are taking, so don't just take their word for it. Your third parties are also dealing with other outside parties, and this complicates matters. Even seemingly innocuous things can be problematic and lead to a loss of control, for example, if a partner has access to your network via a partner portal or another interface. This makes supply chain risk management indispensable.
Protect yourself against supply chain risks
- Create a risk management policy for third parties with the required security elements that need to be met for collaboration to take place. Enforce these requirements via formal agreements, for instance with contracts.
- Make an inventory: Which third parties have access to what? Are they really necessary? Restrict access as much as possible and review it periodically.
- Keep a close eye on your third parties, and specifically on their compliance and cyber security measures. Don't just ask them, but also check their implementation, compliance and control.
- Use tools to assess supply chain risks and identify potential security gaps. Here our experts recommend SecurityScorecard. This tool gives you a comprehensive, user-friendly overview. As well as IT security challenges, it also checks adjacent issues such as data protection, legal and compliance, and audit findings.
- Rely on an experienced partner to help you define policy and manage critical information systems and data.
- Take precautions. Don't just react when alerts are triggered at your end. Also respond immediately when a third party is attacked. You can also rely on an experienced partner to check your systems and act professionally in the event of an emergency. Our Incident Response Retainer, for instance, ensures you stay on the safe side.
As you can see, there are cyber risks lurking everywhere, even if they are often not apparent. You should never leave supply chain risk management to chance. Our experts can help you, either in the area of risk management and compliance or in active protection, as well as detecting and rapidly responding to cyber risks.
Want to learn more about supply chain risk management? Below we have linked various previous blog posts on this topic. Or even better: Subscribe to our weekly blog updates right now so you don't miss another blog post!