By Steve Durbin, Chief Executive of the ISF
The challenge of securing increasingly complex, flexible, and responsive supply chains has grown enormously over the past year. Pandemic pressure has stretched and strained supply chains, forcing businesses to rapidly identify and build new routes, form fresh partnerships, and ensure a steady flow of product in the face of major fluctuations in demand. While some markets have dwindled with the decline of brick-and-mortar stores, others have flourished with the increased demand for deliveries.
While the heart of the challenge remains the same, it has become harder to maintain security standards. The need to keep production lines running in difficult circumstances has led many organizations to sideline information security as a priority. There’s a tangible danger that must be addressed to avoid catastrophic data breaches in the year ahead. Businesses must keep information security firmly in the picture as their supply chains evolve. Here are three steps that they should be taking toward that end.
Identify where the risk lies. With a high proportion of security incidents originating with third-party vendors and suppliers, companies must take the time to properly assess their supply chains through the lens of information security. A focus on production and distribution is understandable in the current climate, but no company can afford to ignore security. Delays in planning caused by remote working and pandemic disruption are exacerbating the situation, creating new opportunities for bad actors to worm their way in.
An in-depth evaluation of supply chain partners is crucial. What information is being shared, and with whom? Build a clear and comprehensive picture of your data, and cross-reference it with business goals to establish where unnecessary risks lie. In some instances, it may be possible to reduce or even eliminate data exposure. Areas of disproportionate risk where information sharing isn’t critical to the business should be reconsidered.
With a fully categorized list of suppliers, laying out business criticality balanced with information security risk, you can make informed decisions. Supplier vulnerabilities must be mitigated, or they could become your own. Deeper integration of supply chains is desirable, prompted by the promise of real-time visibility and more effective collaboration, but risk management must be baked into technologies that provide oversight.
Build security requirements into supplier contracts. Contract negotiation can be complex and protracted, but rapid changes in the landscape this year have increased the pressure to get deals done quickly. Security is often an afterthought, and frequently perceived as a barrier to an agreement. Retroactively applying security standards is extremely challenging. Building a secure and compliant framework isn’t a task that should be performed under severe time pressure; that’s a recipe for disaster.
Include security professionals in the process before contracts go to tender. Defining requirements clearly from the beginning helps streamline the negotiations and enables agreements to be reached swiftly. Clarity is key with contracts, so providing guidance for different eventualities, and enumerating recommended steps, is beneficial for both the company and the supplier.
Develop a framework that addresses company needs for secure partnerships, and keep it up to date. Lay out precisely what information you need from suppliers, and what processes they’ll be expected to adhere to. If you make information security part of the process from the beginning, there’s no reason it should hamper negotiations. Clarity will help you resolve any incidents or disputes that arise much more effectively.
Establish real-time visibility into risk. Business aims change, new technologies emerge with their own vulnerabilities, and risk assessments age and begin to deteriorate. A snapshot of supply-chain risk isn’t enough to build a secure framework on. You need to establish continuous monitoring across the supply chain, to ensure a real-time view of emerging threats and potential disruptions.
While it may not be viable to perform in-depth audits repeatedly, there are automated tools that can be employed to flag developing security threats, giving you the chance to address them before they develop into issues. Consider what information is required to rate your suppliers’ security standards, and try to establish a reporting framework that can furnish you with the latest data.
A supply chain is never set in stone. It should be continually assessed and improved to deliver maximum business benefit securely. The temptation to downgrade the importance of security under the pressure that organizations are facing right now must be resisted, because it puts the long-term health and viability of the business at risk.
These three steps have always formed an essential trinity for supply-chain security, but they’re more important now than ever before. The sharp increase in cyberattacks targeting supply chains is worrying. Uncertainty is driving demand for flexibility, prompting a shift toward ever more complex digital supply chains that lack maturity in terms of security. These trends are sure to continue. Acting decisively to manage supply-chain risk and build resilience will pay dividends in the months to come.