Supply chain risk – fuelled by digital ecosystems
If your third-party suppliers don't have the same resilience in their security systems as you, they can be used by attackers to enter your business.
As the world becomes more digital-centric and savvy, businesses are faced with yet another paradox: the growth of their digital ecosystem. When adding parties to your supply chain, you always run the risk of expanding your risk exposure. While this is unavoidable, it is essential to identify where in a greatly extended digital enterprise inherent risk may be lurking.
According to a recent survey by Deloitte, where the consulting giant analysed an organisation’s reliance on third parties, it found that 70% of businesses today have a moderate to high dependency on external parties. Further, nearly half of the respondents (47%) to the survey said their organisations had fallen victim to some form of risk incident when using an external entity over the last three years.
There is no doubt that digital centricity is a benefit to any business, as is outsourcing non-core services to a third-party supplier. But by adding connections to other parties in your system’s ecosystem, you do start creating weaknesses in your environment that could ultimately lead to a breach. According to a study conducted by Opus and Ponemon, 59% of companies said they had experienced a data breach caused by one of their vendors or third parties.
Unfortunately, third-party risk is often overlooked. However, it could result in an exceptionally costly exercise for your business, not just in recovery from the damage caused, but also in reputational damage. Why is it overlooked? It is a considerable task to look at all of the systems and security practices of all the third-party suppliers that you add to your supply chain. Analysing the security posture of a partner, and then having to decide if it meets with your security policies, compliance frameworks and even risk appetite, can also be costly.
Your security teams generally know what the strength of your security systems is. But this can change overnight if your third-party suppliers don't have the same resilience in their security systems and can be used as a back door for attackers to enter your business.
So, how can you fix it? Companies need a robust, dynamic and continuous third-party risk management (TPRM) programme in place that will enable them to make faster, more strategic decisions about the risk or change in a security posture of their third-party suppliers. A third-party risk programme will also ensure you stay one step ahead of bad actors by offering system visibility, as well as prepare your business for the unexpected. At Blue Turtle, we believe that every company needs third-party risk management to ensure the effective monitoring and control of external supplies that link to its supply chain.
Working with some of SA's largest corporate businesses, we are starting to identify that third-party risk management has moved up the food chain and is fast becoming a priority for most companies today. With the proliferation of cyber attacks as the result of a third-party heavy supply chain, and regulations governing engagement with outside suppliers growing, the time has come for us to create a sub-category for this type of cybersecurity in business.
Fortunately, the tools and continuous monitoring software to execute on this already exist. All business needs to do is apply a proactive approach to regulations and adopt a strategy that pushes TPRM into all aspects of the organisation.
At Blue Turtle, we are working with an organisation called BitSight, which has a platform that provides continuous visibility across a complete supply chain, supporting a robust TPRM programme in a business. A BitSight rating is a combination of underlying risk vectors, weighted to produce an accurate rating that is highly correlated to a breach as a result of a third party. This weighting algorithm is continually updated based on new risk vectors and on new industry-centric breach data.
Because BitSight ensures that all of the data it measures against has been correlated with breaches as well as research into the security risks a third-party supply chain with security kinks can create, it indicates how various risk vectors correspond to breaches, ultimately giving a business actionable insights from the data. The knock-on effect? A simplified view of potential security risks and threats, as well as a tangible means by which to plug the security holes in a digital-centric supply chain with third-party suppliers.