A disruption in a company’s supply chain can be catastrophic to its ability to serve its customers. Most enterprises have spent years building supply chains with the goal of making them cost effective, speedy, high quality, diversified, and resilient to typical disruptions like material shortages, natural disasters, and unplanned business closures. Now companies must also add cybersecurity risks to this list of supply chain risks. These are often called third-party risks. A cybersecurity attack can not only cripple your supplier or your supplier’s supplier; it can also infiltrate your own network if that network is not appropriately protected. In either situation, your company could be significantly impacted.
Supply chain cybersecurity is not only the responsibility of the Chief Information Security Officer (CISO) and the cybersecurity program, but also the joint responsibility of the Chief Supply Chain/Procurement Officer and the business entities that rely on the supply chain. This triad of roles must work closely together and ensure they have a full picture of the cybersecurity threats, risks, and mitigation plans for their supply chain. In a world of increasing cybersecurity attacks, it is not a matter of if, but when, they will need to execute those plans.
Considerations for Your Supply Chain Cybersecurity Response Plan
- Governance and planning. Establish connections and working relationships between the CISO, the supply chain organization and internal customers. Hold standing meetings to discuss the readiness of the organization and how to handle a cybersecurity response. This could be part of the company’s incident response plan, or a separate plan for cases where the company itself is not the primary target of the attack. Plans should be in place to have cybersecurity support in the follow-on meetings with the supplier, to determine the extent of the attack and to interpret what is happening for the business.
- Inventory. Document all supplier connections into your network, whether they are through a protected direct network connection, an Electronic Data Interchange (EDI) or just via e-mail. Document who the owners are on both sides of each connection and the business impact if that connection must be severed for any length of time during a cybersecurity attack.
- Due diligence. Make sure you have incorporated cybersecurity-specific requirements and terms into your solicitations and contracts. Ensure you are implementing the appropriate continuous monitoring against these requirements throughout the contract lifecycle as well.
- Risks. Many companies have very strong supply chain risk management programs with sophisticated analytics and tracking of goods and services critical to their company’s success. Make sure you have added cybersecurity risks to that program and updated those plans to account for the speed at which a supply chain cybersecurity risk can become a significant issue.
- Communications. Know where your company sits in the call tree of your key suppliers if they become the victim of an attack. Once the attack becomes public, customers will expect information and may look for it from all parties involved. Be aware that your own customers may call you for an update on how this will impact your ability to serve them. Be ready with a plan for explaining the situation and the business impact, and for who should handle internal and external communications.
In the end, supply chains are critical to the success of your business. You must be prepared for the inevitable supply chain cybersecurity risk. The more you are prepared, the less your business will be impacted. If you do not feel you are ready, ISG is here to help you assess and plan so you are ready. Contact us to find out how we can help.
About the author
Doug Glair is a Principal Consultant in ISG’s cybersecurity practice. Doug is a cybersecurity and supply chain leader with a remarkable background in leading, designing, and operating large enterprise-wide cybersecurity and supply chain programs. He is an exceptional relationship builder and collaborator with a proven ability to deliver improvements in cybersecurity risk posture using established standards, industry-leading practices and ROI-driven controls.