Managing Supply chain cyber risks


When companies think about security, it is usually about securing their own networks, software and digital assets against cyber-attacks and/or data breaches. But almost every organisation also depends on a growing supply chain of services - whether a vendor used for facilities management or for cloud hosting - creating an eco-system of dependency. As this eco-system grows to include fourth- and fifth-parties, it becomes more exposed to security risks. Several recent major cyber-attacks were the result of third parties being compromised.

In this month's SmartProcurement, Venisha Nayagar, Director at Crypt IT Information Risk Management, takes a look at supply chain data risks.

Practically every company has a place in the supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services. It thus comes as no surprise that supply chain security is a complex, evolving function, one that business executives are giving more attention to. The risks surrounding information throughout a supply chain are becoming increasingly obvious and the risk profile of any organisation expands with a growing number of suppliers.

Key supply chain cyber risks
Some of the concerns include risks from:

• Third-party service providers/vendors: from facilities services to software engineering, with physical or virtual access to information systems, software code or intellectual property (IP).
• Software security vulnerabilities in supply chain management/supplier systems.
• Counterfeit hardware or hardware embedded with malware.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Third-party data storage or data aggregators.

There are some steps that companies can take to secure their supply chains against cyber-attacks and third-party risk:

• Define a reasonable level of security and associated controls, and require sub-contractors, vendors and critical supply chain partners to meet or exceed those controls. This must be stipulated as terms and conditions in established business agreements.
• Enhance third-party risk management to include information security considerations.
• Classify suppliers according to risk profiles and exposure probability so that adequate controls can be applied and measured, including recording residual and emerging supply chain risks.
• Define regulatory compliance requirements. Are there regulatory requirements that need to be met and maintained by both parties? Companies should ensure that regulatory compliance requirements are met by suppliers and understand the risks introduced if there are exposures.
• Conduct vendor risk assessments. To mitigate a company's vendor-related risks, organisations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence on third-party relationships from the onset of onboarding. Due diligence can identify what a vendor might require in terms of controls and monitoring, and provides a view of acceptable risk appetite.
• Define data ownership/stewardship requirements. Who maintains ownership of data being shared and what is deemed acceptable use of that data?
• If there is a large dependency on outsourced vendors, it is critical to maintain incident response plans. Both parties need a plan to notify the other as soon as possible if their network, systems or data have been compromised, or a compromise is suspected.
• Enhance contracts to give the client a 'right to audit' and continued assurance. Require that SSAE 16 SOC reports, ISO 27001 certifications, or another form of security assurance be provided on a regular basis.
• Monitor vendor access to networks and data. Add clauses to that effect to policies and contracts.
• Monitor and log vendor access, and review these logs on a regular basis.
• Train employees on the cyber risks specific to your supply chain environment. Require third parties to provide assurance that their own employees have received information-security training.
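The two monitoring steps above (logging vendor access and reviewing those logs against the contracted scope) are easy to state but rarely shown. The following Python script is an added example, not code from the article or from Crypt IT: it checks constructed vendor access log lines against a per-vendor policy (which systems the contract permits, and during which hours) and flags anything outside that scope or from a vendor with no policy on file. The log format, vendor identifiers, host names, access windows and the review cadence per risk tier are all assumptions made for this illustration.

```python
"""Review vendor access logs against contracted scope.

Added example (not from the article). Every vendor name, host name,
access window and log line below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class VendorPolicy:
    """What a vendor is contractually allowed to touch, and when (hypothetical)."""
    name: str
    tier: str                # risk classification: "high", "medium" or "low"
    allowed_systems: set     # hosts this vendor may access
    window_start: time       # start of the agreed access window (local time)
    window_end: time         # end of the agreed access window (local time)


# Constructed policies: one facilities vendor with a daytime window on the
# building management system, one hosting vendor with 24/7 production access.
POLICIES = {
    "facilities-co": VendorPolicy("facilities-co", "medium", {"bms-01"},
                                  time(7, 0), time(18, 0)),
    "cloudhost-ltd": VendorPolicy("cloudhost-ltd", "high",
                                  {"prod-db-01", "prod-app-01"},
                                  time.min, time.max),
}

# Constructed sample log lines in the assumed format:
# "<ISO timestamp> vendor=<id> user=<account> system=<host> action=<verb>"
SAMPLE_LOG = """\
2024-03-04T09:12:44 vendor=facilities-co user=fc.tech1 system=bms-01 action=login
2024-03-04T22:05:10 vendor=facilities-co user=fc.tech1 system=bms-01 action=login
2024-03-04T10:30:01 vendor=facilities-co user=fc.tech2 system=prod-db-01 action=login
2024-03-04T11:00:00 vendor=cloudhost-ltd user=ch.ops system=prod-app-01 action=login
2024-03-04T11:05:00 vendor=unknown-vendor user=temp01 system=prod-db-01 action=login
"""


def parse_log_line(line):
    """Split one log line into a dict of fields; 'ts' becomes a datetime."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def review_vendor_access(log_text, policies):
    """Return (timestamp, vendor, reason) findings for out-of-scope access."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_log_line(line)
        policy = policies.get(event["vendor"])
        if policy is None:
            # Access from an identity not covered by any contract is the
            # first thing a reviewer should chase down.
            findings.append((event["ts"], event["vendor"],
                             "no access policy on file for this vendor"))
            continue
        if event["system"] not in policy.allowed_systems:
            findings.append((event["ts"], event["vendor"],
                             f"access to {event['system']} outside contracted scope"))
        if not (policy.window_start <= event["ts"].time() <= policy.window_end):
            findings.append((event["ts"], event["vendor"],
                             "access outside agreed maintenance window"))
    return findings


def review_interval_days(tier):
    """Log review cadence per supplier risk tier (assumed values, not from the article)."""
    return {"high": 7, "medium": 30, "low": 90}[tier]


if __name__ == "__main__":
    for ts, vendor, reason in review_vendor_access(SAMPLE_LOG, POLICIES):
        tier = POLICIES[vendor].tier if vendor in POLICIES else "unclassified"
        print(f"{ts.isoformat()} {vendor} ({tier}): {reason}")
```

Run over the constructed sample, the script reports the after-hours login by the facilities vendor, that vendor's attempt to reach a production database it has no contract for, and a login by a vendor with no policy on file; the two in-scope logins produce nothing. In practice the policy table would be generated from the supplier classification and contract clauses described above, and the review cadence tied to the supplier's risk tier.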

Supply chain security is every company's responsibility. The supply chain as a whole is only truly secure when all entities throughout the supply chain perform effective, co-ordinated security measures to ensure the integrity of supply chain data, the safety of goods and the security of the global economy.

You can email Venisha Nayagar at venisha@cryptit.co.za.
