Securing the Supply Chain: Avoiding Unnecessary Information Security Risks
Supply chains are a vital component of every organization’s global business operations. A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.
One of the most common themes I hear in my dealings with cybersecurity chiefs is that the supply chain is rampant with risk. But nearly everything about running a business is a risk in the sense that some facets of the marketplace will always be outside of your control. Your supply chain is no different. As one of the most collaborative environments within your organization, it consistently poses greater risk to corporate information security.
Things Don't Always Go According to Plan
While there are a number of ways to reduce your exposure to risk, an important aspect of any effective supply chain risk management program is the understanding that things won’t always go according to plan, and that managing information security risk is just another part of building a more resilient business. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans, or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants—all of whom often share access to your most valuable data assets.
Do you know if your most sensitive and valuable information is being protected by your suppliers as you would protect it yourself? Frankly, you can’t outsource this risk—it’s yours to manage. By considering the nature of your supply chains, determining what information is shared, and assessing the probability and impact of potential compromises, you can balance information risk management efforts across your entire supplier base.
Three Key Challenges to Securing Your Supply Chain
Security is only as strong as the weakest link. Despite organizations’ efforts to secure intellectual property and other sensitive information, limited progress has been made in effectively managing information risk in the supply chain. This increases the potential for weak links and the risk of sensitive information being compromised.
There are three key challenges that organizations may face from sharing information in their supply chain:
- Lack of awareness of the sensitive information being shared in contracts.
- Too many contracts to assess individually.
- Lack of visibility and controls as information is shared in the supply chain.
Some organizations are focusing on the first challenge, assessing the information risk for each contract. This approach does not address the second, because it is not scalable for organizations with thousands of contracts. The third challenge, which is the most interesting and immediate to businesses, is even more complex to address because organizations typically have no relationship with their suppliers’ suppliers, so the risk increases as visibility and influence rapidly decrease.
Enter Supply Chain Collaboration
A major part of the battle today is identifying the main sources of your supply chain risk. Accelerating trends of supply chain globalization and outsourced manufacturing and distribution have combined to increase the pace of change, complexity and risk for brand owners. These trends have created a fundamental shift in the way companies of all sizes plan, source, make and deliver their goods and services.
Enabling integration with supply chain partners, and then facilitating real-time visibility and collaboration capabilities, should be the first objectives of your solution. The ability to see, collaborate and resolve disruptions as they occur in your network is what defines a risk-resistant supply chain. When one part of the supply chain is disrupted, the effects can lead to issues throughout your entire supply chain network.
While many risks are unavoidable, they can be managed with the help of the right technologies and information systems that provide businesses with visibility into, and control over, their supply chains utilizing real-time information, integrated business processes and advanced analytics. Technology solutions are available that enable brand owners and their suppliers to work together to improve supply chain performance and sales and operations planning (S&OP).
Information is Supply Chain’s “Yellow Brick Road”
In order to be better prepared, organizations should consider all aspects of supply chain information risk and “follow the information.” The key to managing information risk in the supply chain is an information-led, risk-based approach to determine what information is being shared and assess the probability and impact of a compromise. By considering the nature of their supply chains, determining what information is shared, and assessing the probability and impact of potential compromises, organizations can balance information risk management efforts across each risk aspect.
Organizations should also adopt a robust, scalable and repeatable process to address information risk in the supply chain—obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations.
Supply Chain Information Risk Assurance Process (SCIRAP)
To help organizations manage their supply chain information risk, and protect their brand’s reputation, the Information Security Forum (ISF) has created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their supplier base. SCIRAP focuses on identifying information shared in the supply chain and directing attention to the contracts that create the highest risk. It also provides a scalable way to manage contracts so that efforts are proportionate to the risk.
Most organizations have contracts with suppliers that number from the hundreds to the hundreds of thousands and do not have the resources to assess all those contracts, the associated suppliers or the information security arrangements. SCIRAP provides a practical method to sort existing contracts into groups for prioritization of effort based on information risk and the gap between the information security arrangements required by the organization and those in place. The individual contracts in a group can then be assessed using approaches such as audit.
SCIRAP specifically considers whether information is shared with upstream suppliers. When examining existing contracts, or entering into a new contract, SCIRAP suggests that the organization make use of supply chain maps, which help identify where information is shared, and thus where information is concentrated. An upstream information-sharing assessment is used in SCIRAP to understand whether the organization’s information is being shared with the suppliers’ suppliers and beyond.
The results of the upstream assessment, when combined with the supply chain map, may draw attention to a significant concentration of information risk in upstream suppliers. This may trigger the need to identify controls or requirements the organization may need to place on its suppliers to protect its information when those suppliers share organization information upstream.
SCIRAP integrates with existing procurement and vendor management processes, providing a mechanism to make supply chain information risk management a part of normal business operations. As a result, organizations of all sizes will be able to better understand their supply chain information risk, identify the assurance or actions required, and work with procurement or vendor management to manage information risk.
Don't Let Your Reputation Take an Unnecessary Hit
Supply chains are difficult to secure—they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization.
There’s a great necessity to track everything that is happening in the supply chain, as even the smallest supplier or the slightest hiccup can have a dangerous impact on your business. Brand management and brand reputation depend on the supply chain and are therefore constantly at stake.
Don’t wait for demand to spike, or the next disaster to strike, before taking action to reduce your supply chain risks. Being proactive now means you’ll be better able to react quickly and intelligently when something does happen.
Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, not-for-profit organization dedicated to investigating, clarifying and resolving key issues in information security and risk management by developing best practice methodologies, processes and solutions. His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.