Third-Party Supplier Security: Managing the Supply Chain Challenge

Are your suppliers protecting your company’s sensitive data as diligently as you would protect it?

Steve Durbin

When I look for key areas where information security may be lacking, one place I always come back to is the supply chain. Supply chains are a vital component of every organization’s business operations and the backbone of today’s global economy. However, security chiefs around the globe are concerned about how open their organizations are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

Businesses must focus on the most vulnerable spots in their supply chains now. The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand. Being proactive now also means that you—and your suppliers—will be better able to react quickly and intelligently when something does happen. In extreme, but entirely possible scenarios, this readiness and resiliency may dictate competitiveness, financial health, share price or even business survival.

As supply chains become increasingly complex and efficiency savings motivate companies to outsource business processes, service providers continue to be a primary vector for information security risks. In part, this is due to a lack of usable, consistent standards for suppliers. Many suppliers are small and do not have the resources to adequately implement widely accepted information security standards, leading to data breaches, such as what we saw with Target in December 2013.

Three Key Challenges to Securing Your Supply Chain

Organizations go to great lengths to secure their intellectual property and other sensitive information internally, yet when that information is shared across the supply chain, security is only as strong as the weakest link. Information compromised in the supply chain can be just as damaging as that compromised from within the organization. Despite organizations’ best efforts to secure this information, limited progress is being made in effectively managing information risk in the supply chain.

There are three key challenges that most organizations face from sharing sensitive information across their supply chain:

  1. A lack of awareness of the sensitive information being shared in contracts.
  2. Too many contracts to assess individually.
  3. A lack of visibility and control as information is shared in the supply chain.

Some organizations focus on the first challenge, assessing the information risk for each contract. This approach does not address the second, as it is not scalable for organizations with thousands, or tens of thousands, of contracts. The third challenge, which confronts businesses directly, is even more complex to address: organizations typically have no relationship with their suppliers’ suppliers, so the risk increases as visibility and influence rapidly decrease.

Supply Chain Weaknesses Are Widespread and Persistent

In my discussions with information technology (IT) security chiefs at organizations around the world, supply chain security remains a constant topic of conversation, and a common thread always emerges: weaknesses are both widespread and persistent. The supply chain is one of the most collaborative environments in your organization. Therefore, it inherently poses greater risks to the confidentiality, integrity and availability of corporate information.

When discussing supply chain security, there is one simple question that I always ask organizations: Do you know if your suppliers are protecting your company’s sensitive data as diligently as you would protect it yourself?

This is one obligation you can’t outsource because, in the end, it’s your liability. By looking at the structure of your supply chains, determining what information is shared, and assessing the probability and impact of potential breaches, you can balance information risk management efforts across your organization.

Businesses need to think about the consequences of a supplier providing accidental, but harmful, access to their most sensitive corporate data. Information shared in the supply chain can include intellectual property, customer or employee data, commercial plans or negotiations, and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace professional services suppliers, all of whom share access, often to your most valuable assets.

Brand Management and Reputation Are at Stake

Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your business, your bottom line and your reputation, as one from within the organization.

So what can organizations do to better prepare themselves? A few examples include:

  • Collaboration and sharing in the supply chain, along with collaborating through relevant industry groups and forums.
  • Clarity about what good cyber-security in their supply chain needs to look like.
  • More advice and guidance from government for the smaller organizations that often form a critical link in the supply chain, pointing out what support and help is available to them.
  • Businesses making use of one-stop shops for security policies and guidelines that provide practical insight and guidance about what to do and how to do it when it comes to securing information across the supply chain.

There’s a great necessity to track everything that is happening in the supply chain as even the smallest supplier or the slightest hiccup can have a dangerous impact on your business. Brand management and brand reputation are subject to the supply chain, and therefore, are constantly at stake.

Instituting a Supply Chain Information Risk Assurance Process

By focusing on identifying information shared in the supply chain and the contracts that create the highest risk, organizations can develop a scalable way to manage contracts so that efforts are proportionate to the risk. A supply chain information risk assurance process should focus on information shared with upstream suppliers by making use of supply chain maps to follow the information. Such an upstream information-sharing assessment tracks what is being shared with the suppliers’ suppliers and beyond. The results draw attention to significant concentrations of information, triggering the implementation of additional controls on suppliers.

To help organizations manage their supply chain information risk and protect their brand’s reputation, the Information Security Forum (ISF) created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their supplier base. SCIRAP identifies the information shared in the supply chain and directs attention to the contracts that create the highest risk.

SCIRAP integrates with existing procurement and vendor management processes, providing a mechanism to make supply chain information risk management a part of normal business operations. As a result, organizations of all sizes are able to better understand their supply chain information risk, identify the assurance or actions required, and work with procurement or vendor management to manage information risk.
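As an added illustration of the upstream information-sharing assessment described above (this is not ISF or SCIRAP code), the following script follows each contract’s information classes along a constructed supply chain map, scores the concentration of information at each party, ranks contracts by how much sensitive data they spread and how far it travels, and flags parties the organization has no contract with that still hold a high concentration. Supplier names, contract ids and sensitivity weights are all constructed sample values.

```python
from collections import defaultdict
# Constructed sample (not from the article): contract -> (direct supplier, info classes shared).
CONTRACTS = {
    "C-1001": ("AcmeLogistics", {"customer_pii", "logistics"}),
    "C-1002": ("BetaPayroll", {"employee_data"}),
    "C-1003": ("GammaDesign", {"ip_designs", "commercial_plans"}),
    "C-1004": ("DeltaLegal", {"commercial_plans", "customer_pii"}),
}
# Supply chain map: supplier -> its own suppliers, which receive everything it holds.
ONWARD = {"AcmeLogistics": ["OmegaCloud"],
          "GammaDesign": ["OmegaCloud", "ThetaPrint"],
          "OmegaCloud": ["ZetaBackup"]}
# Assumed sensitivity weight per information class (illustrative values).
WEIGHT = {"customer_pii": 5, "ip_designs": 5, "employee_data": 4,
          "commercial_plans": 3, "logistics": 1}

def map_exposure(contracts, onward):
    """Follow each contract's information through the map: {party: {class: {contracts}}}."""
    exposure = defaultdict(lambda: defaultdict(set))
    for contract, (supplier, classes) in contracts.items():
        stack, seen = [supplier], set()
        while stack:  # depth-first walk; 'seen' guards against cycles in the map
            party = stack.pop()
            if party in seen:
                continue
            seen.add(party)
            for cls in classes:
                exposure[party][cls].add(contract)
            stack.extend(onward.get(party, []))
    return exposure

def concentration(exposure, weight):
    """Weighted concentration of information held by each party, at any tier."""
    return {p: sum(weight[c] * len(src) for c, src in held.items())
            for p, held in exposure.items()}

def rank_contracts(contracts, exposure, weight):
    """Contracts ordered by sensitivity of what they share times how far it travels."""
    scores = {}
    for contract, (_, classes) in contracts.items():
        reach = sum(1 for held in exposure.values()
                    if any(contract in held.get(c, ()) for c in classes))
        scores[contract] = reach * sum(weight[c] for c in classes)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def indirect_hotspots(contracts, exposure, weight, threshold):
    """Parties we hold no contract with whose concentration meets the threshold."""
    direct = {supplier for supplier, _ in contracts.values()}
    return sorted(p for p, s in concentration(exposure, weight).items()
                  if p not in direct and s >= threshold)
```

In the sample data the cloud and backup providers two tiers away end up holding more sensitive information than any direct supplier, which is exactly the concentration the assessment is meant to surface.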

IRAM2: A New Methodology to Meet Today’s Challenges

Digital information sits at the heart of today’s global organizations, and its effective use and management is directly linked to the continued success of modern businesses. However, with that increased reliance comes the need to understand and address the risks that surround the confidentiality, integrity and availability of that information. IRAM2, our new methodology for performing effective information risk assessments, does exactly that.

IRAM2 is a simple, yet rigorous approach to information risk assessment, which uses concepts that risk managers and practitioners within other disciplines recognize and understand. It is set out in six logical phases:

  • Scoping.
  • Business impact assessment.
  • Threat profiling.
  • Vulnerability assessment.
  • Risk evaluation.
  • Risk treatment.

These six phases help organizations evaluate risks by considering business impact, threats and vulnerabilities—but they also extend beyond the scope of most other methodologies by allowing a risk practitioner to:

  • Set the scope for an assessment—for any environment from an information system to a business function.
  • Plan and implement risk treatment for the assessed environment.
  • Integrate the agreed outcomes within enterprise activities.

The Time to Make Supply Chain Security Enhancements Is Now

I have said this before, but it bears repeating: Even the smallest supplier, or the slightest supply chain disruption, can have serious impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain, thus both are constantly at stake. A well-structured supply chain information risk assessment approach can provide a detailed, step-by-step approach to portion an otherwise daunting project into manageable components.

The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand. But being proactive now also means you, and your suppliers, will be better able to react rapidly and intelligently when something does happen. In extreme, but entirely possible scenarios, this readiness and resiliency may dictate competitiveness, financial health, share price or even the survival of your business.