Concern from cybersecurity and third party risk professionals over the risk cyberattacks pose to supply chains is increasing. The Shared Assessments Community reports an uptick in the following types of cyberattacks:
In response to growing anxiety, Nasser Fatah, Senior Advisor, Shared Assessments, and Mike Jackson, Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency (CISA), presented a webinar that:
In reviewing notable supply chain attacks, the webinar mentioned the 2013 attack on Target’s database, which resulted in the theft of data for over 40 million customers via an HVAC vendor. Another notorious attack was the 2017 exploit of a known vulnerability in software code running on Equifax web servers, resulting in the theft of Personally Identifiable Information (PII) of 147 million Americans.
The webinar touched on two quotes that show just why vendor risk management is the antidote to supply chain attacks:
External dependency risks are risks that arise in relying on external entities to support an organization’s critical services.
Examples of external dependencies include cloud services involving third party processing of information, infrastructure dependencies such as electricity and transportation, and governmental dependencies including emergency response to support data centers.
Additionally, technology providers, vendors, and suppliers are all external dependencies.
Identifying critical services helps to focus external dependencies management. Critical services fall under four categories: people, information, technology, and facilities.
To manage the risks introduced by dependencies on external entities, external dependencies management is key. Steps to this approach include:
1. Identify services based on criticality to the organization.
2. Identify and map external dependencies (map the dependency to the services they support).
3. Protect and sustain operations by evaluating external dependencies, risk, resilience requirements, service level agreements, and control objectives.
4. Establish continuity requirements for operations that rely on external dependencies.
5. Conduct cyber exercises to gauge the strength of your External Dependencies Management strategy.
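As an added illustration (not from the webinar or Shared Assessments), the following Python models steps 1 through 4 above: services rated by criticality, external dependencies mapped to the services they support, and a review that flags high-criticality dependencies lacking a service level agreement or continuity requirement. All service and vendor names are constructed assumptions.

```python
# Constructed model of the External Dependencies Management steps above: services
# rated by criticality (step 1), dependencies mapped to the services they support
# (step 2), SLA and continuity gaps flagged (steps 3-4). Names are assumptions.
from dataclasses import dataclass

CRITICALITY = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Service:
    name: str
    criticality: str  # "low", "medium" or "high"
    category: str     # people, information, technology or facilities

@dataclass
class Dependency:
    name: str
    supports: list                 # names of the services this dependency supports
    sla: bool = False              # service level agreement in place (step 3)
    continuity_plan: bool = False  # continuity requirements defined (step 4)

def inherited_criticality(dep, services_by_name):
    """A dependency is as critical as the most critical service it supports."""
    return max((CRITICALITY[services_by_name[s].criticality]
                for s in dep.supports if s in services_by_name), default=0)

def review(services, dependencies):
    """Flag high-criticality dependencies lacking an SLA or continuity plan, and
    list services that no external dependency has been mapped to yet."""
    by_name = {s.name: s for s in services}
    gaps = []
    for d in dependencies:
        if inherited_criticality(d, by_name) == CRITICALITY["high"]:
            missing = [c for c, ok in (("sla", d.sla), ("continuity", d.continuity_plan)) if not ok]
            if missing:
                gaps.append((d.name, missing))
    mapped = {s for d in dependencies for s in d.supports}
    unmapped = sorted(s.name for s in services if s.name not in mapped)
    return {"gaps": gaps, "unmapped_services": unmapped}

# Constructed sample inventory (not the webinar's data).
SERVICES = [
    Service("customer-portal", "high", "technology"),
    Service("payroll", "medium", "information"),
    Service("hq-hvac", "high", "facilities"),
    Service("emergency-response", "high", "people"),
]
DEPENDENCIES = [
    Dependency("cloud-host", ["customer-portal"], sla=True),
    Dependency("hvac-vendor", ["hq-hvac"]),
    Dependency("payroll-saas", ["payroll"], sla=True),
]
```

Running `review(SERVICES, DEPENDENCIES)` on this inventory flags the cloud host (no continuity plan) and the HVAC vendor (no SLA, no continuity plan), and reports that the emergency-response service has no dependency mapped to it yet.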
In recent years, these supply chain regulations are of note:
Additionally, an External Dependencies Management Assessment can further the efficacy of managing risks in the supply chain.