Inside Supply Management Magazine

Scoping Supply Chain Cyber Risk

April 03, 2014

Supply chains can be cybersecurity targets because of the proprietary design, pricing and contract intelligence that flow through them. In the March 2014 issue of Inside Supply Management®, Timothy Hall, president of AZORCA Cyber Security, LLC in Millersville, Maryland, examined the cybersecurity risks that could be lurking in your own supply chain. He also offered tips on how supply management practitioners can assess supply chain risk.

The following are critical data points Hall says you should consider when scoping supply chain cyber risk:

Know what you're trying to protect. What are the critical assets? Where are they? Who has access to them?

Have a current definition of the threat. You can only gauge the threats and what information cyberattackers may be after based on your perception of your organization and how it fits in your market or supply chain. The threat base may be broader and more sophisticated than you perceive. Cybersecurity attackers could be using you as a conduit or participant in a broader cyberattack.

Understand possible threats. You need a good understanding of the objective, perspective and likely attack methodology given the likely targets and the attackers. Such an understanding will help your organization evaluate the effectiveness of the security controls in place. The supply chain organization and the entire company need a candid assessment of current security controls and mitigation plans.

Know the byproducts. Make sure you assess all of the byproducts of a cyberattack and the true cost to remediate the exploit. The cost is not limited to the successful attack (distributed denial of service, stolen credit cards, personal identity information); there are also the broader forensics and remediation costs.