Your organization's digital resilience is only as strong as its weakest link. Now that digital transformation and digital supply chain processes are the norm, that weak spot may well lie outside your own organization. To ensure business continuity and compliance with updated rules and regulations, it is essential to mitigate these vulnerabilities at an early stage. Map the supply chain and integrate security into the way it is managed.
To what extent can you influence the information security of the vendors in your supply chain? What do you know about how well these vendors protect your, and their own, sensitive data in third parties' systems? Who are your suppliers' suppliers? These questions have probably come up at your own company when news broke of the data breaches at big names such as railway operator NS, VodafoneZiggo and CZ. All three work with the same marketing research agency, and attackers managed to gain access to the systems of that agency's software developer. The parties involved were quick to announce that no passwords or other credentials had been stolen; in this case it was mostly names, email addresses and phone numbers. Criminals cannot monetize such data directly, but it is exactly what is needed to launch convincing phishing attacks, and the affected companies are rightly warning their customers about this. Above all, what this large data breach shows is how vulnerable you are as an organization when something goes wrong at a partner's partner. That is how far you must go to establish and monitor security and integrity in the supply chain.
Strict requirements for supply chain responsibility
Now, business operations were not directly at risk in the example above. Trains still ran, and customers could still make mobile calls. But as an organization you do have a duty to handle customer data carefully, whether it is processed by third parties or not. The importance of organizing cybersecurity well in the supply chain is highlighted, among other things, by the update of the Network and Information Security directive that the EU released in late 2022. This NIS 2 succeeds the original NIS directive from 2016. In the Netherlands, NIS 2 is being embedded in national law through an update of the Security of Network and Information Systems Act (Wbni) from 2018 and is scheduled to take effect in October 2024. NIS 2 imposes strict demands when it comes to supply chain responsibility for cybersecurity. As an organization, you remain responsible for assessing the state of your supply chain partners' security measures, and you are held accountable for doing so. In practice, this means verifying that the security of the products and services you procure is in order and kept up to date, in line with your own standards and your expectations of the vendor.
Vulnerable in the supply chain
This is a logical development, and a response to the fact that organizations are now fully, or largely, organized digitally. Unfortunately, it is still far too common that once attackers have gained access, they can move through the landscape of interconnected information systems unhindered. Customers, suppliers and (logistics) service providers work closely together on integrated platforms. This blurs the lines between the different parties, and a vulnerability at one partner can be just as dangerous for the others in that supply chain. Examples such as Kaseya, SolarWinds and the Municipality of Buren are still fresh in our memories. Where the biggest impact lands depends on the asset struck by an attack or data breach. Such an asset can be information, but also reputation. Supply chain integration brings massive efficiency gains, but you do need to check up on your supply chain partners' security. You can also explore, together with your supply chain partners, how to arrange strong access security for shared SaaS applications.
Good collaboration in the supply chain is largely based on mutual trust. Organization A trusts organization B to perform its tasks as agreed, and organization B trusts organization A to pay for the services provided. Trust alone is not enough, though: it must be backed by clear agreements.
Trust in a digital chain rests on the reliability of the systems used to exchange information securely. The first step towards improving that reliability is to map and monitor the parties and risks in your current business environment.
Next, it is important to have a conversation with the parties on which there is a large mutual dependency, usually your supply chain partners: a conversation about expectations regarding the desired level of reliability in the chain and about the risks. Your own information security policy is the guide here. For other parties, setting security requirements when selecting and purchasing a product or service may be sufficient. Identify the vulnerabilities in the supply chain together with your supply chain partners and help each other strengthen the weak spots. For real visibility, though, you also need to monitor the other parties in the supply chain.
But do not forget that you, as an organization, need to be able to demonstrate and document, as laid down in NIS 2 and the Security of Network and Information Systems Act (Wbni), that your suppliers have complied with the agreements (including the security requirements).
Integrate supply chain security with policy and processes
Mapping and monitoring supply chain partners should not be a one-off exercise; it must be translated into policy that is widely supported within the organization. One way to achieve this is to embed these activities in existing processes, taking the third party's entire lifecycle into account. That starts with thinking in terms of cybersecurity when selecting and purchasing a product or service, for example in tendering processes.
Besides price and quality, the security measures implemented and the risks associated with the product or service must be weighed. This also means that the purchasing department must work closely with the security experts within the organization. Together they need to gain insight into where sensitive and valuable data and processes are located in the supply chain, how these are secured, and what safeguards have been put in place. Next, determine how you will monitor the extent to which supply chain partners comply with contracts and agreements, and agree in advance what evidence they will provide to show how they are performing security-wise. The ultimate remedy is to part ways with parties that, for whatever reason, cannot meet your standards.
Be aware that this requires specific expertise. Your security experts may be well-equipped to manage your own, already fairly complex, process and IT landscape on a daily basis, but overseeing all IT activities in the supply chain is a challenge. Get in touch with your security partner or an industry association that can take the lead on the upcoming NIS 2 legislation. Done well, security in the supply chain can then be turned into a competitive advantage.
Increasingly outsourcing your IT environment to partners, for example to cloud solutions, also requires different internal expertise. Instead of the technical and functional management of systems, the emphasis shifts to control: keeping an overview of how all outsourced environments communicate with each other (and whether they do so securely), translating your organization's requirements into services, and communicating with these vendors.
All parties in the supply chain, from raw materials vendor to consumer, benefit when cooperation on security is smooth, efficient and safe. So work together, and do so on a continuous basis. Get help from experts where needed, but make sure you know yourself what is important for your organization and what needs to be protected. You are and remain responsible for your data. Ensure that the way you organize its protection is laid down in (information security) policy and operational processes. By thinking about cybersecurity and solving vulnerabilities in the supply chain, you also improve interoperability within the chain, which leads to better results. So think of security in the supply chain as an opportunity rather than a necessary evil.