Inbound Logistics | February 2022

Other cyber-hygiene controls Waters recommends include endpoint detection and response; secured, encrypted, and tested backups; and privileged access management.

Cyber-risk management information systems that consider key risk indicators can provide the transparency supply chain leaders need to ensure their organizations’ cyber resilience, Reiter says. Looking at key risk indicators can help companies evaluate their digital assets and determine what controls are appropriate, given the threat levels to which those assets are exposed.

6 Consider the cloud.

The cloud is gaining traction as a security tool, particularly for mid-market and smaller companies. “With the increasing scale of many cloud providers, they can deliver security capabilities that may be out of reach for middle-market companies,” according to the RSM US Middle Market Business Index 2021 Cybersecurity Special Report. Forty percent of survey respondents indicate they moved data to the cloud due to security concerns over the past year.

7 Test.

The axiom “failing to prepare means preparing to fail” holds true when safeguarding digital supply chains. The traditional approach to testing supply chain services has generally been threefold: completing a compliance/risk management questionnaire, incorporating an annual right-to-audit review, and obtaining an independent audit review, like a SOC 2 report, Brown says. Today’s approach takes these actions one step further and incorporates real-time monitoring of information on critical suppliers within digital supply chains.

As part of their testing efforts, organizations should develop business continuity plans, says Raj Samani, chief scientist and fellow with McAfee Enterprise and FireEye. That includes outlining the steps to take if a system goes down.

8 Consider insurance.

When evaluating cybersecurity efforts, consider whether risk transfer products have a role to play. No matter its size, any organization that is heavily reliant on its digital infrastructure should evaluate whether a cybersecurity insurance policy is right for it, Waters says. A policy can reduce balance sheet volatility and the overall risk to the business, while helping to ensure its ability to continue serving customers.

9 Accountability remains.

While many supply chain organizations benefit greatly from partnering with third-party service providers, such as cloud computing partners, they can’t outsource accountability. “Where an external service provision within the digital supply chain operations fails, the accountability remains with the company,” Brown says. Potential consequences include damage to the company’s reputation and compliance penalties. Companies need to consider warranty, indemnity, and liability provisions in their contracts with service providers. They also need to put in place the systems, policies, and technology that enhance the resilience of their digital supply chains and their supply chain networks.

The security challenges to digital supply chains remain formidable, yet a bright spot can be found. A growing number of business leaders and board members understand the importance of active involvement in building cyber-resilience, as well as the connection between cyber risk and their strategies. More than 82% of respondents to the BCI report say management’s commitment to supply chain risk is “medium” or “high”—up nearly 10 percentage points from 2019.

These practices can help organizations manage their cyber-supply chain risks, according to the National Institute of Standards and Technology (NIST):

• Include security requirements in every RFP and contract.
• Deploy a security team to work on-site with vendors that have been accepted into the formal supply chain, to address any vulnerabilities and security gaps.
• Implement “one strike and you’re out” policies with respect to vendor products that are either counterfeit or do not match specifications.
• Control component purchases tightly. Prequalify component purchases from approved vendors. Unpack, inspect, and X-ray parts purchased from other vendors before accepting them.
• Obtain source code for all purchased software.
• Establish track-and-trace programs to identify the provenance of all parts, components, and systems.
• Ensure personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle, and that cybersecurity is part of suppliers’ and developers’ employee experience, processes, and tools.
