Mitigating Cybersecurity Risk Is a Company-Wide Concern
Cybersecurity isn’t just an information technology (IT), procurement or compliance issue, says Brian Alster, general manager of third-party risk and compliance solutions at Dun & Bradstreet, a Short Hills, New Jersey-based business data and analytics provider. It spans virtually every department.
However, because procurement is the first line of defense when evaluating and onboarding new suppliers and third parties, he says, its role in cyber-risk mitigation has been elevated. “Procurement teams need to stay vigilant to identify any risks during this first stage of interaction in order to prevent and manage cyber risk to help avoid severe supply chain disruption down the road,” he says.
Given the increasing frequency of attacks, the potential severity of disruption and the high costs, including fines, of cyber and data breaches, companies must consider the domino effect that even one supplier’s breach can have on the entire organization and the global supply chain, he says. (For more, see “A Viral Threat to Utilities” in the September/October issue of Inside Supply Management®.)
Points of Vulnerability
Every point of an organization — from individual employees to entire departments — is vulnerable because all have access to data and communication, Alster says. “As we say, ‘Always look around the corner.’ In this case, it means looking beyond the virtual ‘four walls’ of your organization,” he says.
As a company’s network of suppliers, partners, providers and customers grows, so does its exposure to cyberattacks, Alster says. Companies interact daily with other organizations through email, mobile devices, social media networks and online video and messaging platforms, among other channels; without proper security, each of these can open up a company to cyber threats and attacks, he says.
“The COVID-19 pandemic has created an ideal environment for cyber maleficence,” Alster adds. “As the pandemic spread throughout the world in a matter of weeks, companies of all sizes had to forgo traditional security and onboarding procedures — of new employees, new vendors and suppliers — in favor of rapidly responding to the conditions in front of them.”
Those conditions were the need to quickly (1) transition employees to a work-from-home environment that relied on less secure internet networks and (2) onboard new providers and alternative suppliers to help fill gaps on essential material deliveries, including personal protective equipment (PPE), he says.
“The rush to onboard suppliers has created opportunities for cybercriminals to take advantage of companies, even those regarded as well prepared with advanced security, communications and controls,” Alster says. “Hackers are becoming increasingly savvy, finding new ways to identify and exploit vulnerabilities within a company in order to gain access to business accounts, consumers’ personal information, and even intellectual property.”
He says information is financial “gold” for hackers, who will take whatever actions are necessary to secure a big payout, from exposing personal data to tapping into financial accounts.
There is research that illustrates the growing cybersecurity problem. A 2019 webinar, “The Cost of Third-Party Cybersecurity Risk Management,” sponsored by third-party cyber-risk management provider Cyber GRX, found that more than half (53 percent) of companies have experienced one or more data breaches caused by a third party, spending an average of US$7.5 million in remediation costs. The 2019 Thales Data Threat Report: The Changing Face of Data Security survey, which incorporated data from a web-based survey of 1,200 executives by market research firm IDC, found that six in 10 global respondents, and nearly two-thirds (65 percent) in the U.S., had experienced a breach at some point. In the past year alone, 30 percent of respondents (including 36 percent in the U.S.) were breached.
Cybersecurity issues are not expected to let up. The 2019 Official Annual Cybercrime Report by Cybersecurity Ventures found that 86 percent of respondents feel they are vulnerable to data-security threats, while 34 percent globally (42 percent in the U.S.) call themselves “very” or “extremely” vulnerable. The report predicts that cybercrime will cost more than $6 trillion annually by 2021, double the 2015 amount.
A Risk-Reduction Game Plan
To stay ahead of the heightened cyber risk and reduce the incidence of third-party breaches, supply chain managers need to understand how they can potentially be impacted and adopt a set of best practices for third-party cyber risk detection and mitigation, Alster says.
“Success in preventing cyberattacks isn’t reliant on a single person,” he notes. “Instead, organizations must collaborate cross-functionally across governance, information-technology (IT) security, procurement and strategic sourcing.”
Four measures to consider, he says, are:
Define acceptable risk thresholds. Before you begin evaluating the cybersecurity preparedness of potential suppliers and providers, Alster recommends grouping or “tiering” them by criticality. “Determine an acceptable risk threshold for each group, based on such criteria as how much of your company’s data they hold or how much access they have to your company’s network,” he says.
Consider individual risk factors that serve as key indicators of your suppliers’ and/or providers’ performance. For example, Alster says, consider whether your suppliers or providers have the necessary controls to prevent cyberattacks. Questions to ask include: Do they have proper email server configuration? Are there corporate policies to guide a provider’s employees when communicating with external parties and using corporate networks, software and social networks?
Conduct frequent reviews of third-party management policies and programs. Organizations should implement processes to regularly evaluate the security and privacy practices of third parties, including their providers and partners, Alster says. He also recommends requiring third parties to provide visibility into their own second- and third-tier supplier and provider relationships before any sensitive data is shared with them.
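The list above mentions tiering suppliers by criticality and asking whether a supplier has “proper email server configuration.” The script below is an added example, written for this page; it is not code from the article, from Dun & Bradstreet or from any product named here. It reads “proper email server configuration” as the two DNS controls that decide whether a supplier’s domain can be spoofed in mail to your procurement team, SPF (RFC 7208) and DMARC (RFC 7489), which is an assumption about what the article’s question means. The domain names, TXT records and tier thresholds are constructed for illustration. In practice the TXT records would come from a resolver (for example `dns.resolver.resolve(name, "TXT")` from dnspython) rather than from the inline dictionary.

```python
"""Score a supplier domain's SPF/DMARC posture against a per-tier risk threshold (added example)."""
from dataclasses import dataclass

# RFC 7208 caps mechanisms/modifiers that cause DNS lookups at 10; beyond that SPF is a permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
# Hypothetical tier thresholds: the worst finding a supplier in that tier may have and still pass.
TIER_MAX_SEVERITY = {"critical": "none", "important": "low", "commodity": "medium"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_spf(txt_records):
    """Return the terms of the single SPF record, or None if there is not exactly one."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0].split()[1:] if len(spf) == 1 else None


def spf_findings(txt_records):
    terms = parse_spf(txt_records)
    if terms is None:
        return [Finding("high", "no single valid SPF record (missing or duplicated)")]
    findings, all_qualifier, lookups = [], None, 0
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        # Mechanism/modifier name: strip ':' args, '=' modifier values and '/' CIDR suffixes.
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1  # counts only this record; nested includes would need recursion
    if all_qualifier is None:
        findings.append(Finding("medium", "SPF record has no 'all' mechanism"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "SPF '+all' authorizes any host to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "SPF '?all' is neutral; receivers treat it as no policy"))
    elif all_qualifier == "~":
        findings.append(Finding("low", "SPF '~all' softfail instead of '-all' hard fail"))
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("medium", f"SPF needs {lookups} DNS lookups (>{SPF_LOOKUP_LIMIT}); evaluates to permerror"))
    return findings


def parse_dmarc(txt_records):
    """Return the tag dictionary of the single DMARC record at _dmarc.<domain>, or None."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt_records):
    tags = parse_dmarc(txt_records)
    if tags is None:
        return [Finding("high", "no DMARC record at _dmarc.<domain>")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("high", f"DMARC policy missing or invalid: {policy!r}"))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("low", f"DMARC pct={pct}: policy applied to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address, so the supplier receives no aggregate reports"))
    return findings


def assess_supplier(domain_txt, dmarc_txt, tier):
    """Combine SPF and DMARC findings and compare the worst one with the tier's threshold."""
    findings = spf_findings(domain_txt) + dmarc_findings(dmarc_txt)
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {"tier": tier, "pass": worst <= SEVERITY_RANK[TIER_MAX_SEVERITY[tier]], "findings": findings}


# Constructed sample data: (TXT records at the domain, TXT records at _dmarc.<domain>, tier).
SAMPLES = {
    "acme-parts.example": (["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
                           ["v=DMARC1; p=reject; rua=mailto:dmarc@acme-parts.example"], "critical"),
    "quick-ppe.example": (["v=spf1 include:a.example include:b.example ~all", "site-verification=abc123"],
                          ["v=DMARC1; p=none; rua=mailto:reports@quick-ppe.example"], "critical"),
    "bulk-office.example": (["v=spf1 +all"], [], "commodity"),
    "desk-supplies.example": (["v=spf1 mx ~all"],
                              ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@desk-supplies.example"], "commodity"),
}


def run_all():
    return {domain: assess_supplier(*args) for domain, args in SAMPLES.items()}


if __name__ == "__main__":
    for domain, result in run_all().items():
        print(f"{domain} [{result['tier']}]: {'PASS' if result['pass'] else 'FAIL'}")
        for f in result["findings"]:
            print(f"    {f.severity:<6} {f.message}")
```

The point of the tier mapping is that the same finding is decisive for one supplier and tolerable for another: a softfail SPF record and a partial DMARC policy pass a commodity supplier but fail a critical one, while a missing DMARC record or `+all` fails at any tier. Real TXT records longer than 255 bytes arrive as several strings that must be concatenated before parsing; the samples here are already joined.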