Is Your Supply Chain a Cyber Risk To Your Business?

When you think about cybersecurity, payment processes and customer data may come to mind, but it is also important to think about your supply chain.

Unfortunately, cyber threats and attacks are real. The Identity Theft Resource Center reported 1,802 data compromises in 2022 and there are likely many more that were unreported, unnoticed, or never made public.

You have probably taken steps to protect your company. You may have developed a cyber policy for your business, trained your employees, added firewalls and security software, and established a guest network for visitors. You might be scanning flash drives and memory sticks before inserting them into your system and adding lengthy passwords that need to be changed frequently. You may have implemented two-factor authorization for all financial transactions regardless of size. That is a great a start, but what about your third-party vendors and customers?

Customers may require you to connect directly into their networks to allow communication and better visibility of order status. Or you might require suppliers to connect with your business for similar reasons. These third-party connections could expose your business to additional cyber threats. Protection needs to be a coordinated effort among all who are connecting.   

Before you consider letting others join your network, here are a few basic things to think about:

• Shift your thinking from what you'll do if a breach occurs to what you'll do when a breach occurs. 
• Develop a strategy that addresses both breach prevention and response.
• Not all breaches are technical, so they cannot be prevented by technology alone. Many are caused by humans or processes. Everyone within the supply chain needs to ensure sound cybersecurity measures and practices are in place.
• Both physical security and cybersecurity should be addressed. Hackers will exploit either to access a system.

When others need to join your network, some key questions to ask are: 

• What are your cybersecurity processes and policies?
• Is your process documented and repeatable?
• Do you have a plan to mitigate potential or known cyber risks and liabilities?
• What level of testing do you perform on your systems?
• How do you vet suppliers that join your network?
• What do you have in place to mitigate a breach?
• How do you notify your network partners of data issues, a breach, or other potential problems within your network?
• What is your process of screening:
  • New hardware and software?
  • New systems and processes?
  • New partners to your network?
• What access controls do you have in place:
  • For internal and external users?
  • For third-party system managers?
• How and what is encrypted?
• How long is data retained, backed up, and or/destroyed?
• What happens to data after the business venture is dissolved?
• What kind of background checks are performed on employees with access to sensitive data?
• How are you protecting intellectual property?

This list is by no means complete, but it can help start the discussion and aid in identifying problems and concerns before system access is allowed.

To help protect yourself and your partners, you could become certified in ISO/IEC 27032:2012. You can also contract with a cybersecurity firm or solution provider or connect with NIST (National Institute of Standards and Technology), which has been working with leading private and governmental institutions to develop standards for cyber protection. They are a great resource for cyber risk assessments.

Digitally connecting your firm to others is becoming necessary as we continue to advance our processes and business relationships. However, this does not mean you must connect to everyone. Educate yourself and ask your partners serious questions about how they are protecting themselves and their partners. Before connecting, make sure you understand what is expected of you and what you can expect of your business partners. This it totally acceptable in today’s cyber world.