Minimizing the attack surface and the business impact of potential cyberincidents by mapping risks diligently and implementing a cybersecurity program is a crucial first step – but it isn’t enough.
In a global economy, no business operates in a vacuum, and the supply chain is now a significant vector for cyberthreats. Even a minor security breach at a supplier becomes a vulnerability for the businesses it serves.
The cyberresilience of a business also depends on the security level of the weakest link in its supply chain. As a result, organizations should go beyond securing their own systems and make sure to secure their ecosystem, particularly the network of suppliers and subcontractors with whom they do business.
Vendors have become prime targets of a wide variety of cyberthreats, and increasingly the victims of actual cyberincidents. Many market analysts predict that the number of such incidents will continue to rise.
In its annual Digital Trust Insights 2022 survey(1), PwC reports that 54% of Canadian respondents expect reportable incidents to increase in 2022 because of attacks on the software supply chain and higher risks related to third parties and the supply chain.
Among the findings of the European Union Agency for Cybersecurity (ENISA) in its analysis of supply chain attacks(2), one is especially telling: in 62% of the attacks on customers, the attackers exploited the trust those customers placed in their supplier.
It would be rash to base a cybersecurity risk assessment solely on the trust between customer and vendor. A structured approach, with minimum cybersecurity requirements imposed on suppliers, is vital.
Just as they have analyzed and assessed their own information and operational systems, businesses will have to determine the risk level of every vendor involved in their production process.
In the transportation industry, many systems that are generally outsourced to third parties can be targeted, including HVAC, door systems and passenger counters. The publishers of the software a business uses must also be taken into account, as must the manufacturers that supply the electronic components built into its circuit boards.
Pinpointing the highest risks in the supply chain means examining every component closely. Businesses can, for example, send self-assessment questionnaires to identify the subcontractors at greatest risk. With the data collected, they can then rate each vendor’s maturity level and understand which organizational and operational assets, and which sensitive information, each vendor can access. Since questionnaire answers are self-declared, the answers that carry the most weight should be backed by evidence such as a certification, an audit report or a test result.
Depending on the conclusions drawn from the collected data and questionnaire results, businesses can review and improve their supplier selection process and strengthen their minimum cybersecurity requirements. Over time, some organizations will choose to consolidate their supply chain so that subcontractor requirements are easier to enforce.
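To make the questionnaire step concrete, here is an added example (not code from the original article) that turns self-assessment answers into a ranked list of suppliers. It separates what a supplier can reach (inherent risk) from how well it is run (control maturity), treats unanswered questions as "no" so that silence never lowers a score, and reports which minimum requirements each supplier fails. The question keys, weights, tier thresholds and the four supplier records are assumptions constructed for illustration.

```python
"""Tier suppliers from self-assessment questionnaire answers.

Added illustration, not code from the original article. Question keys,
weights and tier thresholds are assumptions; the supplier records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Inherent risk: what the supplier can reach, independent of how well it is run.
ACCESS_WEIGHTS = {
    "sensitive_data": 3,        # processes customer, design or credential data
    "network_connectivity": 3,  # remote access or VPN into our network
    "production_systems": 2,    # supplies or maintains OT / embedded components
    "software_delivery": 2,     # ships software or firmware that we deploy
}

# Control maturity: points are earned only for a documented "yes".
CONTROL_WEIGHTS = {
    "mfa_enforced": 2,
    "patching_sla": 2,
    "secure_development": 2,
    "incident_response_plan": 1,
    "backups_tested": 1,
    "security_training": 1,
}

# Minimum requirements a supplier must meet whatever its tier (assumed set).
MINIMUM_CONTROLS = ("mfa_enforced", "patching_sla", "incident_response_plan")

# Score thresholds, highest first (assumed values).
TIERS = ((12.0, "critical"), (7.0, "high"), (3.0, "medium"), (0.0, "low"))


@dataclass
class Assessment:
    vendor: str
    access: Dict[str, bool]   # access question -> answer
    controls: Dict[str, str]  # control question -> "yes" / "no"; absent = unanswered


def inherent_risk(access: Dict[str, bool]) -> int:
    """Sum of the weights for every kind of access the supplier has."""
    return sum(w for q, w in ACCESS_WEIGHTS.items() if access.get(q, False))


def control_gap(controls: Dict[str, str]) -> float:
    """Share of control weight NOT evidenced, in [0, 1]. Unanswered counts as 'no'."""
    total = sum(CONTROL_WEIGHTS.values())
    earned = sum(w for q, w in CONTROL_WEIGHTS.items() if controls.get(q) == "yes")
    return (total - earned) / total


def unanswered(controls: Dict[str, str]) -> List[str]:
    """Questions the supplier left blank; these need follow-up, not a guess."""
    return [q for q in CONTROL_WEIGHTS if q not in controls]


def failed_minimums(controls: Dict[str, str]) -> List[str]:
    """Minimum requirements without a documented 'yes'."""
    return [q for q in MINIMUM_CONTROLS if controls.get(q) != "yes"]


def risk_score(a: Assessment) -> float:
    """Exposure scaled by weakness: a supplier with nothing to reach scores 0
    even with poor controls; full exposure with no controls scores double."""
    return inherent_risk(a.access) * (1.0 + control_gap(a.controls))


def tier(score: float) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "low"


def rank_vendors(assessments: List[Assessment]) -> List[Tuple[str, str, float, List[str]]]:
    """Highest-risk suppliers first: (vendor, tier, score, failed minimum controls)."""
    rows = [(a.vendor, tier(risk_score(a)), round(risk_score(a), 2),
             failed_minimums(a.controls)) for a in assessments]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed questionnaire returns for four fictional suppliers.
SAMPLE = [
    Assessment("FleetSoft",
               {"sensitive_data": True, "network_connectivity": True, "software_delivery": True},
               {"mfa_enforced": "yes", "patching_sla": "no", "incident_response_plan": "yes",
                "backups_tested": "yes", "security_training": "no"}),  # secure_development blank
    Assessment("HVAC Co",
               {"network_connectivity": True, "production_systems": True},
               {"mfa_enforced": "no", "patching_sla": "yes", "backups_tested": "yes",
                "security_training": "no", "secure_development": "no"}),  # IR plan blank
    Assessment("DoorSys Ltd",
               {"production_systems": True, "software_delivery": True},
               {q: "yes" for q in CONTROL_WEIGHTS}),
    Assessment("PartsMaker",
               {},  # no access to our data or systems
               {q: "no" for q in CONTROL_WEIGHTS}),
]

if __name__ == "__main__":
    for vendor, t, s, failed in rank_vendors(SAMPLE):
        print(f"{vendor:12} {t:8} {s:6.2f}  failed minimums: {failed or 'none'}")
```

Run as a script, the sample ranks FleetSoft as critical (broad access, a missing patching SLA and an unanswered secure-development question), HVAC Co as high, DoorSys Ltd as medium and PartsMaker as low despite its poor answers, because it reaches nothing. The list returned by unanswered() is what the follow-up conversation with the supplier starts from.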
Whether suppliers are long-standing or new, it is important to integrate them fully into the assessment process and to communicate clearly with them, so that the entire supply chain is secured.
Setting clear minimum cybersecurity requirements is always easier when entering into new contracts than when dealing with long-standing partners. It is nonetheless vital to address cybersecurity issues and requirements with the latter too, with the support of the procurement department (purchasers) and the legal team. They will be the catalyst for awareness and for the necessary review of internal processes and contractual procurement clauses. These professionals will have to be properly trained on the minimum cybersecurity requirements that may come up in negotiations with subcontractors.
As cybersecurity regulations and certifications are adopted and enforced across the industry, specific cybersecurity measures will have to be written into supply contracts.
The ISO/SAE 21434 standard (road vehicle cybersecurity engineering) calls for close collaboration between a system’s integrator or designer and its various suppliers: the roles and responsibilities of both parties must be clearly identified, documented and mutually accepted, typically in a cybersecurity interface agreement. The integrator must then ensure that the agreed cybersecurity processes are followed, both in its own organization and by its subcontractors.
According to Statistics Canada, 47% of cyberattacks in Canada in 2019 targeted small and medium enterprises (SMEs)(3). The more than 1.14 million such businesses across Canada(4) are an essential part of the national economic fabric.
Believing themselves too small to be an attractive target, SMEs often underestimate the cyberthreats they face. Their security controls are often weaker, which makes them an easier entry point into the information systems of the larger businesses they serve.
Customers can limit such vulnerabilities by proactively encouraging a collaborative approach with all partners to strengthen the supply chain from end to end. They can also prompt the SMEs they deal with to build their cyberresilience by using dedicated cybersecurity resources.
While international standards are still being developed or adopted, many resources already exist to help SMEs secure their information systems, including the federal government’s CyberSecure Canada program(5), which gives SMEs access to resources for understanding the risks they face. Once they have implemented the program’s baseline security controls, they can apply for certification to demonstrate their cybersecurity practices to customers.
Subcontractors that build cybersecurity into the very design of their products and systems emerge as winners, and all their customers benefit from the reduced cybersecurity risk. This collaborative approach benefits everyone involved: the more the parties collaborate, the more secure the supply chain becomes.
Maintaining high cybersecurity levels across all supply chain members becomes a prerequisite for its proper operation, but it requires long-term investment and effort whose benefits are difficult to measure. Sharing information and best practices between customers and suppliers lets organizations take part in a broader drive to increase their mutual cyberresilience. By investing time and effort in analyzing and strengthening the cybersecurity of their supply chain, businesses help build value for their entire ecosystem.
(1) https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/digital-trust-insights
(2) https://www.enisa.europa.eu/understanding-the-increase-in-supply-chain-security-attacks
(3) https://www150.statcan.gc.ca/n1/daily-quotidien/201020/dq201020a-eng.htm
(4) https://cyber.gc.ca/publications
(5) https://cybersecure-canada/en/get-started