Are businesses taking enough safeguards against cyber risks from vendors?
Almost every aspect of global supply chains is managed, funded, or transported through digital channels. The effectiveness of these chains rests upon the sharing of data between suppliers and vendors. And the more organizations in the chain, the greater the opportunity for exploitation by malicious actors.
With the explosion of the digital economy, those attacks are more likely than ever before – a reality not lost on policymakers in the region.
Governments across the Gulf are collaborating to build robust regional defenses. Recent examples include the November 2021 signing of a Memorandum of Understanding between Bahrain and the UAE to cooperate on combating cybercrime. In April 2021, the UAE shared intelligence with Israel over a cyberespionage campaign discovered in January 2021. This is in contrast to Africa where only 19 African countries out of 54 are signatories to multilateral cybersecurity agreements whilst 10 have entered into bilateral cybersecurity agreements.
Commenting on cyber risk within the digital economy, the UAE Government’s Head of Cyber Security, Dr. Mohamed Al Kuwaiti, has talked about how the UAE is working hard to build a safe digital economy, explaining that the UAE, “Like other nations, is going through digital transformations, which increase the dependency on technologies, of which there are more and more, which opens a larger threat landscape.”
It is an increasingly complex and interconnected threat landscape, one in which attackers target vendor software platforms, industrial control systems and third-party software tools. Software vendors are especially vulnerable – they depend on their vast supply chains of companies, component suppliers, infrastructure services, and other so-called fourth parties.
The resulting digital ecosystems are typically non-linear, highly interdependent, fluid, and relatively opaque. It is, therefore, more important than ever to define what is meant by a ‘digital supply chain’ and what types of cyber risks manifest from the company’s third-party vendors and digital supply chain.
Defining a digital supply chain
A digital supply chain can be defined in two main ways. The first is the digital aspect of a physical or traditional supply chain. The second is a chain of technology companies involved in delivering digital products.
These two definitions overlap because almost all supply chains can be considered digital. And third-party technology vendors may supply the technology used in the digital supply chain. Therefore, it is important for companies to understand their vendor ecosystem and how they support and integrate with their own unique digital supply chain.
Key questions that any board should ask are: Do we know who provides the digital products and services our company relies on? Do we know who provides critical products and services to our company? Have we verified they have the proper controls?
The harsh reality is that by simply engaging with an external vendor – of any kind – we create a new digital connection. Those vendors can be split into two main categories – third-party and fourth-party. Third-party vendors include any entities that provide products or services to an organization to maintain daily operations or provide products or services on behalf of the organization – like tech vendors and critical component/product suppliers.
These third parties can pose a risk to all organizations, especially those with technology connectivity or access to data.
Fourth-party vendors are the suppliers of suppliers. Every company outsources parts of its operations to multiple vendors and suppliers. Those suppliers, in turn, outsource aspects of their operations to other suppliers. This is where it becomes even more difficult to stay in control – the web of interconnectivity is vast and increasingly complex.
Developing protocols
To gain maximum visibility, companies can develop a range of tools. A third-party vendor risk management framework will help managers understand their exposure through those they do business with. To get there, procurement and legal departments should work together to build protocols that enforce minimum standards of cyber preparedness for third parties. Evidence of cyber security must be a prerequisite for engagement as a supplier.
Insurance policies can also be designed to address losses caused by vendors and digital supply chains. This is an important step in being able to monitor vendor risk. Through specialist support, companies can also seek quantification of digital supply chain cyber risk and develop incident response and business continuity planning frameworks to respond to incidents caused by vendors.
Additionally, cyber incident management services, including claims support and proof of loss for digital supply chain cyber incidents, can help futureproof a business when its supply chains come under attack.
These steps provide assurance that, while supply chain cyberattacks can’t all be prevented, they can be identified and managed to reduce impact. Supply chain resilience can be achieved by identifying and understanding the risks and their potential impact, planning for an attack, and finding the right balance between risk mitigation and risk transfer.