Taken from the full Supply Chain Cyber: Expert Perspectives report, Peter Cooper, CISO at 10x Banking, argues that careful supplier evaluation and a willingness to invest are critical to making your supply chain secure against cyberattacks.
Supply-chain cybersecurity was once a glaring weakness in the business world. Until about five years ago, it didn’t receive the attention it deserved. Many software supply chains lacked built-in security measures and visibility into the intricacies of these chains was hard to come by. While contracts often included some level of due diligence, it was typically focused more on financial aspects than security concerns.
Fortunately, the situation is beginning to change, though the work is far from over. Many of today’s business ecosystems still lack security at their core. A single project might have as many as 60,000 separate inputs, very few of which undergo any form of security assessment. No one truly works in a silo anymore. The sheer scale of these supply chains presents a daunting challenge for businesses and for regulators.
Evaluating suppliers for effective Supply Chain Cyber
The growth of regulation has had a positive effect on supply-chain cybersecurity, though the most prescriptive regulation applies only to sectors such as finance. Many suppliers in these industries inherit the regulatory responsibilities of their clients. However, it is nearly impossible for a single regulator to cover every supplier involved in a particular sector, so they naturally focus on larger suppliers and give less attention to smaller ones.
An effective cybersecurity strategy depends on both financial resources and the will to invest. Technical assurance activities, such as validating a supplier’s inbuilt security, can be costly and difficult to implement. Consequently, we tend to reserve these measures for the most vital components. For instance, while we wouldn’t spend money on penetration testing for our printers, securing sensitive client transaction data is essential, so we must budget for that.
When it comes to promises about security, don’t expect vendors to highlight or address all the risks. For example, many vendors claim their solutions can decrease the risk of security compromise, but many risks stem from mistakes rather than targeted attacks, so the solution will have its limits. Vendors are therefore naturally hesitant to provide a confidence level in their security measures, so it’s important to assess them before you buy and be sure they meet your needs.
Cost is critical when prioritising Supply Chain cybersecurity
To address these challenges, businesses must establish a clear process for evaluating suppliers and ensuring that their services align with the company’s risk appetite. While assurance can never be perfect, a well-defined process goes a long way in mitigating risk.
Having proper security measures in place is the right thing for the business and its customers. However, it is more feasible in sectors with larger budgets. Cost remains a concern. Low-margin and under-resourced sectors like healthcare struggle to afford the tools and techniques that could improve their cybersecurity.
We live in a deeply interconnected world. As cyber risks evolve, it will be ever more important to prioritise supply-chain cybersecurity across all sectors. As the saying goes, a chain is only as strong as its weakest link.
If you and your organisation are looking to embark on a Supply Chain Cyber project, Crossword Cybersecurity has a dedicated consulting practice to assist you with strategy and implementation, you can found out more here.