Meeting the challenges of digital supply chain security

Managing cyber risks across your company’s operations is becoming more complicated. Here’s how to launch a strategy to help you grow safely.

Key takeaways

  • Digitization has fueled a massive increase in the number of connected devices and suppliers
  • A strong defense requires a detailed map of the key elements in your digital supply chain
  • Cybersecurity standards need to extend beyond your systems to your vendor relationships through contracts and regular oversight

Each year, businesses conduct more of their operations virtually. An always-increasing number of digital products and services, combined with more online monitoring and analysis of physical assets, are making digital supply chains more complex and interconnected.

But for all their potential benefits, digital supply chains also expand companies’ vulnerable surfaces and present serious cybersecurity challenges. The number of vendors is increasing in many industry sectors, and most third-party vendors have their own vendors (or “fourth parties”) that depend on shared access to networks and data. Simultaneously, billions of interconnected devices, software solutions and applications are stretching integrated supply chains into new sectors and functionality.

Cyber criminals, who are always ready to exploit emerging security weaknesses, are targeting supply chains to launch malware and ransomware and to steal valuable data.

To stay competitive and secure, companies of all sizes need to better understand the expanding supply chain digital ecosystem and develop a strategy for monitoring it. Many businesses must manage that risk on small budgets and with limited oversight of third and fourth parties.

While no method guarantees safety, every business can implement a strategy that will protect the most essential links in its supply chains. That strategy begins with effectively mapping connections and prioritizing oversight of the most critical suppliers and functions.

Keeping track of the expanding vendor ecosystem

Digitization has fueled a massive increase in the number of suppliers for the average business.

These vendors often have access to company networks or supply the company with software solutions or applications. A weakness in a vendor’s network or software — or even in the network of a fourth-party vendor — can open the door for cyber criminals. This means a cyber event can originate several steps away from a company’s primary supply chain and still have severe consequences.

"The vulnerable digital surface of most companies is rapidly expanding, which creates serious challenges related to oversight and effective defense."

Businesses can manage third- and fourth-party risk by focusing on the most critical relationships and building quality controls and compliance standards into their vendor contracts. They should also track updates and patches to mission-critical software and the controls that protect shared data, so that their key partners’ security processes are reviewed and adapted regularly.

For instance, companies should draft contracts with their suppliers that put cybersecurity best practices at the forefront and set acceptable standards for risk, breach notification protocols, insurance and security systems maintenance. If a company creates a security protocol after contracting with a vendor, it should ask for an audit of the existing protocols and negotiate changes to any security measures that are insufficient or too general to manage risk. Contracts should also be amended to cover fourth parties.

Companies may also decide to regularly review their cybersecurity protocols and request that their vendors adopt a similar approach to assessment. If security measures are lacking throughout the supply chain, the first step should be to set a higher standard that vendors are then expected to meet.

Understanding the cyber risks of devices, internal software and data

Digital supply chains also touch many businesses’ internal processes, including the deployment of connected devices, management software, data storage methods and public resources. These all present potential risks that should factor into a business’s cybersecurity strategy.

Internet-connected, or internet of things (IoT), devices are proliferating in manufacturing, delivery of services and customer experience. Software assets, including packages designed specifically for supply chain management, data storage facilities and even websites frequented by business employees are all potential breach points that should be categorized and assessed from a security standpoint.

"Understanding how vendors and their vendors connect to business processes is the key to supply chain security."

Each endpoint, software program and network component that enables the supply chain represents a potential cybersecurity threat. Although creating a plan for every possible breach scenario for every endpoint is impractical for many businesses, it is essential to define the general landscape of the company’s digital supply chain and ensure adherence to core cybersecurity principles.

When a breach does occur, detecting and remediating the weaknesses in the supply chain that enabled it is critically important, as cyber criminals can — and do — return to breached networks, particularly when they use ransomware. A company that does not conduct a thorough forensic study of its networks could easily be subject to a second ransomware encryption and demand for payment. Stolen information can also be sold or used in another type of attack, such as business email compromise (BEC) or wire transfer fraud.

Essentials of supply chain defense

While every business has unique requirements, here are some useful guidelines for managing this aspect of business cybersecurity:

  • Think about when a breach will happen, not if. No matter how robust a company’s cybersecurity may be, the interconnected nature of modern supply chains makes breaches more likely. Companies that prepare with strong response plans and command structures often contain damage more effectively.
  • Map out the core elements of your digital and physical supply chain. Creating a landscape that accounts for the most critical systems, devices and vendor contacts can enhance the effectiveness of response planning.
  • Identify the most important vendors. While every vendor is a potential risk, businesses should determine which vendors are supplying essential services, directly or through a fourth-party supplier. Contracts with these essential vendors should cover fourth-party connections.
  • Make sure cyber insurance covers supply chain disruptions. Insurance can also extend to breaches associated with key suppliers and customers.
  • Establish security standards for the most critical vendor relationships. Businesses should increase their oversight of key vendors by writing security standards into contracts and arranging for monitoring of the vendors’ own security apparatuses.
  • Continually educate employees on the key aspects of supply chain cyber risk. Whether or not they monitor third-party relationships or supply chain logistics, all employees in a business should be aware of the cybersecurity threat landscape and understand their roles in cyber preparation, monitoring and response.

"Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided "as is," with no guarantee of completeness, accuracy, timeliness or the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, qualities and fitness for a particular purpose. This material should be regarded as general information on security and IT consideration and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT systems or information security concerns, please contact your IT or information security advisor."