How to get started with supplier cyber risk management


A banner promoting the free version of Darkbeam's Supplier Cyber Risk Management platform. Click the image to create an account.

As much as half of all supply chain disruption is caused by cybersecurity incidents among suppliers. By any standards, this makes supplier cyber risks unignorable for any sized business.

 

Quick summary

Cyber attacks against suppliers are a significant financial and operational risk for any business. Many don't manage this risk because they thing it'll be too complicated, too expensive or require too much co-operation from suppliers. These concerns can be overcome by utilising modern technology which automates almost all of the process in-line with the three S's of Speed, Scale and Scope.

Starting to manage cybersecurity risks among your suppliers is as simple as signing up for a free Darkbeam account. Alternatively, you can upskill your team with this free online course (it takes less than 20 minutes) or speak to one of our experts.

 

Cyber attacks occur with frightening regularity. It’s difficult to know how many attacks take place but estimates place it at roughly one attack every 14 seconds. There might have been two cyber attacks in the time it’s taken you to read this far.

When one of those attacks strikes one of your suppliers, the impact on your organisation can be severe. From disrupted supplies impacting production to breached data belonging to customers and employees, the lost revenue and regulatory response can very quickly amount to a serious financial impact.

The average data breach costs $4.45m (IBM/Ponemon Institute)

 

Does cybersecurity matter for your supply chain?

Darkbeam works with organisations of all sizes. One of the most common things we hear (particularly among medium sized companies) is that they don’t share enough sensitive information with suppliers for cybersecurity to be an issue.

This is an understandable viewpoint but misses the inescapable fact that, not only do we share significantly more data than we think, our suppliers are entirely reliant upon technology to deliver the goods and services that keep our businesses moving.

A graphic showing that cybersecurity risk covers multiple risk factors

Some examples:

  • Your HR and Payroll systems hold some of the most sensitive data relating to your colleagues/employees. This year (2023), a breached file transfer tool impacted at least one payroll provider who had been using it. This led to details including employee addresses and national insurance numbers being stolen.

  • Your direct suppliers rely on technology to manufacture the goods you purchase from them. If their technology is disrupted by cyber criminals, they might not be able to deliver the products you rely on. A car manufacturer reportedly “suspended operations in 28 production lines across 14 plants” after an apparent incident within a direct supplier.

In incidents like these when suppliers are impacted, it doesn’t necessarily reflect incompetence on either side. Cyber criminals are often highly skilled and are part of professional organisations not too dissimilar from your own. They have management structures, customer service teams and even PR. Their business is disrupting your business for profit.

So with highly skilled cyber criminals targeting organisations constantly, one of your suppliers is likely to be affected - leading to a very real impact on your business. You can’t fully prevent this, but through effective supplier cyber risk management, you can reduce the likely impact on your business’s operations, data, reputation and finances.

A banner promoting Darkbeam's free supplier cyber risk management course for Procurement professionals. Click the image to register for the course.

You aren't alone in not managing these risks

With attacks against suppliers being a significant business risk (not just a problem for the IT department!), you might be surprised to learn that very few companies are actively monitoring for it. UK Government data from 2022 shows “just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 7%.”

In our conversations with businesses who have decided to start managing this risk, we typically hear the following explanations for why they haven’t started until now:

  • Lack of available experience and resource to devise a supplier cyber risk management strategy

  • Lack of time to implement processes or respond to issues that arise

  • Perceived difficulties engaging suppliers

  • Perceived costs associated with the project

On its own, each of these would be a significant roadblock. Combined, they make supplier cyber risk management appear unapproachable for even the most sophisticated organisation.

Luckily, all of these issues can be overcome with significantly more ease than you might imagine.

 

Free course for Procurement professionals

Darkbeam provides a free supplier cyber risk management training course for Procurement professionals. It takes less than 20 minutes to complete and will give you and your team the foundational knowledge required to reduce the risk of unexpected costs and disruption.

Click here to register (no payment details required).

 

How to get started with supplier cyber risk management

Supplier cyber risk management is the relatively straightforward process of identifying which suppliers pose the greatest cyber-related risk to your business and reducing their likely impact. Remember, we aren’t necessarily talking about your company being ‘hacked’ through a supplier - we are talking about an attack on a supplier having an adverse impact on your company’s finances or the way it operates.

When introducing this concept to any organisation, we focus on three S’s:

  • Speed - measuring, managing and monitoring risk levels without imposing additional burdens on your internal team

  • Scale - ensuring maximum visibility by not excluding any suppliers from your monitoring processes (regardless of how insignificant they might seem)

  • Scope - considering cybersecurity risk levels from the outset of supplier selection and managing them throughout the relationship - supported by monitoring for data breaches and related incidents

In a sentence, this means that any supplier cyber risk management process you adopt should allow your team to manage risk levels across the entire supplier base - from selection and onboarding through delivery - without significantly adding to their workload. Doing this requires intelligent practices and automated systems.

Darkbeam enables this by providing an automated, easy-to-use supplier cyber risk management platform which handles the measurement and monitoring of suppliers on your behalf (either as a standalone platform or integrated with your existing supplier management systems). To help implement this efficiently, our team of seasoned experts will help you to develop the policies and processes you need to set expectations among suppliers and monitor their compliance.

 

 

Next steps

Darkbeam

Subscribe Here!