How to protect your organization from security threats across your supply chain

Image: Busakorn Pongparnit/Moment/Getty Images

Defending your enactment from cyberattacks that straight people you is hard enough. But protecting yourself against attacks that deed you done your proviso chain is adjacent much of a challenge. How bash you combat thing implicit which you seemingly person small oregon nary control? A study by cybersecurity supplier BlueVoyant looks astatine proviso concatenation information breaches and offers tips connected however to forestall them.

SEE: Vendor absorption & enactment policy (TechRepublic Premium)

Released connected Tuesday, the study titled Managing Cyber Risk Across the Extended Vendor Ecosystem is based connected a survey of 1,200 CIOs, CISOs and main procurement officers successful ample organizations passim the U.S., the U.K., Canada, Germany, the Netherlands and Singapore.

Commissioned by BlueVoyant and conducted by probe steadfast Opinion Matters, the survey recovered that 97% of the respondents were wounded by a information breach that took spot successful their proviso chain. Further, immoderate 93% of those surveyed said their companies suffered a information breach themselves owed to a weakness successful a proviso concatenation spouse oregon third-party vendor.

As a result, proviso concatenation threats person received a renewed focus. Last year, 31% of the respondents said that proviso concatenation and third-party risks were not a priority. This year, lone 13% of those surveyed said that this benignant of hazard was not connected their radar. But a greater absorption connected proviso concatenation threats doesn't automatically marque them easier to detect.

Among the respondents, 38% said they person had nary mode of knowing erstwhile oregon if a information contented occurs with a third-party vendor. Some 41% revealed that if they had discovered an contented and informed their supplier, they would beryllium incapable to corroborate whether oregon not the occupation had been resolved.

This twelvemonth has seen a fig of cyberattacks and exploits that affected proviso concatenation partners. A vulnerability successful Microsoft Exchange exploited by a China-based radical impacted thousands of companies with Exchange servers. The ransomware onslaught against Colonial Pipeline wounded substance suppliers crossed the East Coast. And the ransomware incidental against endeavor IT steadfast Kaseya trickled done to much than 1,000 organizations.

To assistance you amended negociate and respond to proviso concatenation threats, BlueVoyant offered the pursuing recommendations:

• Gain much visibility into your proviso concatenation partners. Supply chains are ample and complex, truthful gaining afloat visibility into their activities is simply a challenge. But you inactive request to recognize your third-party vendors, including those beyond the archetypal tier oregon the ones deemed astir critical. To trim the risks, physique enactment for suppliers into your third-party hazard absorption program. Inform the vendor erstwhile caller threats popular up and supply applicable steps to assistance them lick the problem. Make definite you enactment the vendor done the full process, including occupation resolution.
• Continuously show your proviso chain. Many proviso concatenation attacks triggered done information vulnerabilities occurred aft those vulnerabilities were patched by the vendor but earlier customers got astir to applying them. Auditing oregon assessing your proviso concatenation each fewer weeks oregon months is not capable to enactment up of cybercriminals. Instead, you request a continuous method of monitoring and a mode to rapidly respond erstwhile superior information flaws are discovered crossed your proviso chain. For this, you whitethorn request to automate your hazard investigation and grow its sum to see much than conscionable a constricted fig of captious suppliers.
• Determine who owns third-party cyber risk. Those surveyed gave a scope of answers arsenic to who is liable for third-party information risks. You request to specify this relation astatine the enforcement level different you'll beryllium hard pressed to coordinate resources and make wide strategies.
• Improve cybersecurity acquisition and grooming for vendors. Many suppliers are unaware of their cyber hazard and don't acceptable up the indispensable grooming oregon information protocols. This is wherever you whitethorn beryllium capable to measurement in. Just arsenic you amended your employees connected cybersecurity, you mightiness besides request to amended your proviso concatenation vendors successful a akin way.

 Also spot

• Tech companies pledge to assistance toughen US cybersecurity successful White House meeting (TechRepublic)
• Working astatine a harmless distance, safely: Remote enactment astatine concern sites brings other cyber risk (TechRepublic) 
• Cybersecurity: Don't blasted employees—make them consciousness similar portion of the solution (TechRepublic) 
• How to go a cybersecurity pro: A cheat sheet (TechRepublic)
• Security threats connected the horizon: What IT pro's request to cognize (free PDF) (TechRepublic)
• Checklist: Securing integer information (TechRepublic Premium)
• Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)