top of page

Five steps to setting up a resilient supply chain cyber framework

Third-party incidents account for approximately 60% of all data breaches, and were the most costly enterprise data breaches in 2021.

Almost every business in the world relies on third-parties (suppliers, service providers, contractors, partners, marketing, payroll etc) to keep their organisation up and running. Security breaches within any third party can halt productivity and have financial, reputational, and sometimes even legal ramifications - not only directly, but also across the supply chain

Despite this, only about 52% of companies have supply chain cyber programmes in place.

The complexities of third-party supply chain cyber assurance can be hard to navigate but developing a framework to mitigate third-party risk is the first step to ensure that your business is able to operate effectively and without interruption.

While this is an essential part of business continuity, it doesn’t have to be arduous or complicated. Whether you’re just starting your third-party risk assurance programme or already well established, there are five key things to think about and access to tools to streamline the process:

1. Identify all third-party vendors

Risk can come from any vendor/partner/supplier regardless of their size. To create a comprehensive vendor repository, you should involve every department in the business involved to identify every vendor who provide a service (including support services) and products. Think about the service being provided and the potential impact it would have if the service was disrupted through a cyber breach.

2. Calculate and assign risk

Once you have your list, you can begin classifying them by assigning risk based on the type of service they provide and access to the business they have. To help with this classification look at questions such as: what is the service they provide, is it a core business service, what data do they have access to, how much data do they have access to and how much access is required to deliver their service. So for example: a service provider who supports with payroll or any contracts would be high risk vendor, whereas the company that supplies stationery would most likely be considered a lower risk.

3. Conduct risk assessment

Whatever the risk classification, every vendor can pose a risk to your organisation, so conducting a third party risk assessment (TPRM) will help with identifying where those risks lie and where remedial action needs to be taken. The risk assessment process should be part of your organisation's operational management and should cover supply chain resilience and other third-party risk assessments.

Previously TRPM required individual spreadsheets for each vendor needing to be reviewed manually. This is not only resource and time intensive but also increases the margin of error. Another risk is that many suppliers often don’t have the expertise or bandwidth to respond to complicated assessments and questionnaires so response levels can be low.

Fortunately, there are solutions available to automate and streamline this process by giving a 360 degree view of all the risks across your supply chain. Crossword’s platform, Rizikon Assurance, is one of these: it simplifies the entire process, reduces the costs of risk assurance, and saves as much as 50% of time. This leaves your team has more capacity to focus on things like strategy, growth and how and where to remediate the identified risks.

4. Mitigate risk/risk reporting

Following your third-party risk assessment, you should have an overview of where the risks lie and what remediation needs to be done. All risks, regardless of the designation, need to be thoroughly documented for management review and an official record of risk and sensible proportionate risk treatment needs to be decided on.

If using a platform like Rizikon, users will receive a scorecard, report, a dashboard showing a collective view of risk by category and classification, and also provide the ability to create cyber action plans to mitigate identified areas for concern.

6. Ongoing monitoring

The fallout from a company not keeping a constant grip on its regulatory and other risks is just too great: lost contracts, legal battles, loss of reputation, or even the loss of the right to trade in a heavily regulated sector.

Ongoing monitoring of third-party risks is critical, particularly as breaches, legislation, and threats evolve and unfold. Generally, a high risk supplier should be reviewed annually at least.

Rizikon also includes access to a cyber-risk rating report with Darkbeam API, which allows real-time risk monitoring and is integrated into the platform.

About Rizikon What will you get? Your own branded platform can be used to send online assessments to suppliers/third parties to assess their security posture both pre or post-contract award. Additionally, the platform can be used for ongoing assessment of supplier risk utilising pre-built cyber assessments that generate automated reporting when a completed assessment is received.


bottom of page