Securing Your Supply Chain
- Written by: Trevor Meers
A data breach anywhere in a business’ supply chain can quickly cascade through other organizations, shutting down operations and creating significant costs. That means businesses must take an active interest not only in their own information security posture but in the security of companies they rely on throughout the supply chain. Most companies now face outside data security concerns from three directions:
- Confirming that your partners handle shared data properly. (Think of scenarios where you share engineering drawings, customer profiles, logistics information, records of billable hours, etc.)
- Verifying that your suppliers are secure enough to reliably service your company.
- Proving to your customers that they can trust your security and reliability.
Contracts Increasingly Include Supply Chain Security
Because of all this interdependency, companies increasingly demand that suppliers and partners provide actual proof that they maintain an acceptable security posture. The days of simply declaring that you have things under control are quickly fading. Today, responsible companies require at least completion of a very detailed questionnaire specific to their concerns. And frequently, proving your security position means earning an independent, standardized certification such as SOC 2®.
Pushing back against the verification requirements of major companies and government entities may cost you the contract. “You may be providing toilet paper, and someone’s asking you to fill out a cybersecurity questionnaire,” says CEO Dave Nelson. “If you don’t, I guarantee there’s someone out there who will do it and take that contract.”
Rather than fighting it, we recommend leaning into the requirements and turning them into a business advantage. Many clients have leaped ahead of their competitors by staking a position as early adopters of key security standards. One marketing company attributes 33% of their current customer portfolio to an advanced security mindset that helps them get more RFPs and win more deals.
New Supply Chain Standards You Should Know About
Much of the discussion in this area has focused recently on the Department of Defense's plan to ramp up security requirements for vendors in its supply chain. More than 300,000 companies will need to self-attest to their security controls or get a third-party assessment at the higher levels of CMMC, depending on the information they access in the course of executing their contract. (This blog provides the latest update on the ever-evolving CMMC situation.)
Evolving breach notification laws also drive much of the urgency around securing supply chains. Under these laws (which vary greatly by state), companies face potentially costly legal requirements to notify customers if hackers access sensitive information held by the company. Some organizations are pushing their suppliers to shore up their security as protection against inadvertent leaks of sensitive information when it travels to other companies.
Risks of an Unsecured Supply Chain
As you consider how to secure your supply chain, consider these potential risks:
- Upstream and downstream liability – If your security failure creates a problem for someone elsewhere in the supply chain, you may have a legal responsibility to pay for the remediation/damages.
- Cascading failures – In heavily interconnected ecosystems, one failure may quickly ripple out into other areas. If your ordering system corrupts data, you may lose track of how much raw material you need. If your inventory system fails, your ability to fill orders could fall apart. Mismanaged data and system downtime carry real costs.
- “Weakest Link” targeting – If you do business with a larger company, hackers may target you as a potential way to get to the bigger target.
How to Identify Your Critical Vendors
A first step in securing your supply chain is identifying your critical vendors (and recognizing when you ARE one for your customers). A critical vendor typically:
- Has access to data or systems within the company environment – Because you control this environment, you can set requirements for access and training for partners such as onsite contractors or partners using an integrated Enterprise Resource Planning (ERP) system.
- Uses your data outside your company environment – You need to understand the security of the environment where your engineering docs, customer lists, personally identifiable information, etc. are being used. You need to consider how your data travels through e-mail attachments, cloud storage and other situations.
- Creates data, systems or components imbedded into products – This relates to partners who handle tasks such as developing software for you or building chipsets.
Planning Your Vendor Management Program
As you begin planning your vendor management approach, consider the following steps:
- Get familiar with best practices –Review NIST 800-171 standards and read up on NIST’s Cybersecurity Framework.
- Develop your company’s framework – Design a program for identifying critical vendors and bringing them into compliance with your security standards.
- Decide how you will verify compliance – To ensure that vendors are meeting your minimum security controls, choose one of the following approaches:
– Require vendors to fill out a cybersecurity questionnaire and management attestation of their security posture.
– Require third-party attestation audits such as ISO 27001, SOC2 or CMMC.
– Require external audits by your team or a selected third-party auditor.
- Engage an experienced consultant – A cybersecurity firm like HBS can help review your needs and establish a supply chain policy that fits your situation. Contact us today to talk with one of our advisors.