How to Optimize Cybersecurity Within Your Supply Chain
How many links make up your company’s supply chain?
If you’re part of a growing enterprise, that supply chain is likely growing too—and it is increasing the risk you’ll be the target of cybercriminals, industry experts say.
“As more and more people become involved in your supply chain, the greater the challenge to secure [data] across the ever-expanding perimeter,” says Steve Durbin, managing director of the Information Security Forum (ISF). “As the supply chain continues to expand, control of that perimeter is all but gone.’
“Service providers present a significant vulnerability to retailers,” echoes Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP. “While a retailer’s system can resemble a fortress, complete with moat and man-eating alligators, if the bridge is down to a vendor with authorized access to the system and that vendor’s credentials are compromised, the fortress is easily penetrated. The more vendors a retailer has, the more vulnerability there is.”
That colorful analogy illustrates the significant challenges grocery retailers face in securing data throughout the supply chain.
A Prevalent Problem
Business leaders and consumers alike recognize how prevalent, and costly, problem data breaches have become.
According to the 18th Annual Global CEO Survey from PwC, a leading professional services network, concern about cybersecurity saw the biggest increase of all of the potential threats business leaders were asked about, with 61 percent of CEOs citing concerns compared with 48 percent a year ago.
In addition, 24 percent of respondents in a 2015 PwC consumer poll said their trust in companies’ ability to protect their personal data had declined over the past 12 months.
“Cybersecurity incidents are now so commonplace that the number of detected incidents soared 48 percent in 2013 to 42.8 million. In the past year virtually every industry has been impacted, with many incurring significant costs as they seek to manage and mitigate the breaches,” the survey reported.
Identifying and Overcoming the Challenges
Clearly, supply chain security management is—or should be—one of the most critical aspects of any company’s cybersecurity program today, says Eddie Schwartz, CISA, CISM, chair of ISACA’s Cybersecurity Task Force and president and COO of digital security firm White Ops.
“Financial services organizations recognized this risk area and developed programs to mitigate third-party risks many years ago,” Schwartz says. “Other industries, such as retail and healthcare, are just becoming aware of the threats and vulnerabilities from the supply chain and the need for structured programs to address these concerns.”
Grocery retail can be an especially complex business, Durbin notes.
“The number of suppliers a large grocery retailer has is probably increasing and now coming from all parts of the world,” he says. “How do you get your arms around that? You can’t cover all of [the suppliers], so you have to be ok with accepting some degree of risk.”
After determining what Durbin calls “your risk appetite,” putting processes in place to manage that risk is the next step.
“Determine what the most important information is in your organization and protect what would cause the most significant problems if a breach were to occur,” Durbin suggests. “It is probably some form of financial information, or personal information. Determine what is most important to you as an organization and what you’re doing to protect your ‘crown jewels.’”
Sotto says there is a troika of protections that can be used with service providers. ‘First, it is critical to conduct significant due diligence on vendors with access to the retailer’s system to ensure that the vendor has the capability of protecting data in the manner the retailer expects,” she says. “Second, retailers should imbed stringent contractual protections in their vendor contracts imposing strong data security requirements. And third, it is critical to do ongoing monitoring of vendors with deep access to the retailer’s system to ensure that the vendor is living up to the retailer’s expectations in protecting the data.”
And Schwartz advises retailers to classify supply chain providers into the different levels of risk they pose to the enterprise. “Then, depending upon the potential risks, minimum security expectations must be set contractually by retailers with their supply chain partner,” he says. “Supply chain partners must prove compliance with these standards through a combination of self-assessment, audit, and continuous monitoring.”
With the omnipresence of digital technology showing no sign of abating, cybersecurity issues likely will continue to threaten businesses across industries for years to come. The good news is that organizations are becoming more aware of the risks and are adapting to this new reality—a trend that bodes well for retailers and consumers alike.
“The central role of information places cybersecurity squarely on the CEO agenda, particularly given the series of high-profile hacks over the past year,” PwC’s CEO survey says. “With vast quantities of their information readily accessible around the clock, customers expect a certain amount of privacy and confidentiality. How companies honor this will mean much for their ability to engage with and retain customers, and build brand value.”