Cyber vulnerabilities: is supply chain your weakest link?
The global economy is beginning its recovery from the COVID-19 pandemic, but many of the trends that were set in motion by the ‘great reset’ of 2020 will not be going away: the ‘new normal’ is here to stay. Remote working has become commonplace, many services that went online during the pandemic will remain there, and the digital transformation of companies and even entire industries will continue to accelerate.
An unwelcome – though inevitable – consequence of these trends has been a corresponding rise in cybercrime. Some commentators have even talked about a fuelled by rises in ransomware, data breaches and cloud-based security issues as criminals take advantage of the fast-moving situation.
According to , not only is this digital transformation increasing cyber risk, but it is also increasing reliance on third parties in order to compete in the digital economy. This means relying on third-party cloud and IoT providers, plus sharing data with suppliers providing such things as point-of-sale systems, HR systems and payrolls.
Taken together, the increased reliance on third parties, the increased sharing of data and network access, and the new vulnerabilities created by remote working have created a perfect ‘risk storm’ for opportunistic cyber criminals.
And it means that even the most robust security programmes can be undermined by less secure third-party vendors and supply chain partners.
The at US software firm SolarWinds is an example of how damaging this risk exposure can be. One single piece of malware successfully planted inside SolarWinds's Orion network management software was able to infect as many as 18,000 organisations and government agencies. that about 30 per cent of the companies affected didn’t even have a direct relationship with SolarWinds – they were just connected to a company that was.
The breach exploited a vulnerability that was leveraged to gather intelligence, mine data, and to sow animosity and resentment between organisations. The interconnectedness of the digital supply chains involved meant it became – - "the largest and most sophisticated attack the world has ever seen."
"even the most robust security programmes can be undermined by less secure third-party vendors and supply chain partners"
Fred Kneip, CEO, CyberGRX
How big is the security threat from a supply chain vendor?
Our study found that more than half of all data breaches are linked to a third-party supplier further down the supply chain.
Moreover, based on our customers have loaded into the CyberGRX Exchange, 20 per cent of an enterprise’s third-party portfolio on average exhibits a high inherent risk profile. ‘Inherent risk’ is the risk that exists absent of any security controls – and determining it is critical to helping organisations understand where to focus their risk assessment efforts.
Considering that the typical enterprise has an average of 5,800 third parties, that 20 per cent figure represents a huge amount of risk that requires – at a minimum – some level of due diligence.
The first step in developing an effective third-party risk management programme is therefore to identify who the third parties are and to understand their inherent risk. Once it is understood who poses the most inherent risk, a company can move forward with due diligence and assessment to determine whether each third party has the proper security controls in place to mitigate that risk.
Of course, in an ideal world, a company should understand that risk before onboarding a third party. Better risk assessments will make it easier to write and mark up contracts with vendors and partners – and increase confidence in the supply chain.
However, the tools and processes that many organisations rely on to manage third-party cyber risk today are inefficient and error-prone. The next 10 years will therefore bring about a sea change in how companies across the economy address this critical category of risk. New approaches such as cyber risk exchanges and advanced analytics will allow organisations to closely monitor and manage the cyber risk of even thousands of individual providers.
And these new solutions are coming at an important time, as senior executives and board members demand to be kept abreast of third-party cyber risk management efforts, the organisation’s risk posture and the impact of third-party cyber risk on strategic planning.
Biden establishes Supply Chain Disruptions Task Force
The US government is to establish a new body with the express purpose of addressing imbalances and other supply chain concerns highlighted in a review of the sector, ordered by President Joe Biden shortly after his inauguration.
The Supply Chain Disruptions Task Force will “focus on areas where a mismatch between supply and demand has been evident,” the White House said. The division will be headed up by the Secretaries of Commerce, Transportation, and Agriculture, and will focus on housing construction, transportation, agriculture and food, and semiconductors - a drastic shortage of which has hit some of the US economy’s biggest industries in consumer technology and vehicle manufacturing.
“The Task Force will bring the full capacity of the federal government to address near-term supply/demand mismatches. It will convene stakeholders to diagnose problems and surface solutions - large and small, public or private - that could help alleviate bottlenecks and supply constraints,” the White House said.
In late February, President Biden ordered a 100-day review of the supply chain across the key areas of medicine, raw materials and agriculture, the findings of which were released this week. While the COVID-19 health crisis had a deleterious effect on the nation’s supply chain, the published assessment of findings says the root cause runs much deeper. The review concludes that “decades of underinvestment”, alongside public policy choices that favour quarterly results and short-term solutions, have left the system “fragile”.
In response, the administration aims to address four key issues head on, strengthening its position in health and medicine, sustainable and alternative energy, critical mineral mining and processing, and computer chips.
Support domestic production of critical medicines
- A syndicate of public and private entities will jointly work towards manufacturing and onshoring of essential medical suppliers, beginning with a list of 50-100 “critical drugs” defined by the Food and Drug Administration.
- The consortium will be led by the Department of Health and Human Services, which will commit an initial $60m towards the development of a “novel platform technologies to increase domestic manufacturing capacity for API”.
- The aim is to increase domestic production and reduce the reliance upon global supply chains, particularly with regards to medications in short supply.
Secure an end-to-end domestic supply chain for advanced batteries
- The Department of Energy will publish a ‘National Blueprint for Lithium Batteries’, beginning a 10-year plan to "develop a domestic lithium battery supply chain that combats the climate crisis by creating good-paying clean energy jobs across America”.
- The effort will leverage billions in funding “to finance key strategic areas of development and fill deficits in the domestic supply chain capacity”.
Invest in sustainable domestic and international production and processing of critical minerals
- An interdepartmental group will be established by the Department of Interior to identify sites where critical minerals can be produced and processed within US borders. It will collaborate with businesses, states, tribal nations and stockholders to “expand sustainable, responsible critical minerals production and processing in the United States”.
- The group will also identify where regulations may need to be updated to ensure new mining and processing “meets strong standards”.
Partner with industry, allies, and partners to address semiconductor shortages
- The Department of Commerce will increase its partnership with industry to support further investment in R&D and production of semiconductor chips. The White House says its aim will be to “facilitate information flow between semiconductor producers and suppliers and end-users”, improving transparency and data sharing.
- Relationships with foreign allies, including Japan and South Korea, will also be strengthened with the express purpose of increasing chip output, promoting further investment in the sector and “to promote fair semiconductor chip allocations”.