Cyber Risk – Actions and Mitigation Strategies

We have several new briefing papers available and today we’re delighted to bring you a paper written by Peter Smith and sponsored by riskmethods, who provide a leading supply chain risk management platform which helps users manage risks and provides real-time risk alerts to enable organisations to handle risk events better. Our short paper is titled “Cyber Attack – What It Is and Why You Should Care”.

We wrote five short briefing papers back in 2017/18 with the firm, covering geo-political risk, “man-made” risks (strikes, etc), reputational risk, supplier financial risk and natural disasters. These are still available here. Now, the latest in the series is all about cyber-related risk. Here's an extract to give you an idea of what it's all about - but do download the whole paper for free here.


Suggested Actions and Mitigation Strategies

For many supply chain risks, such as those related to natural disasters affecting key suppliers, organizations often have an established process to identify, track and assign ownership of such risks. In the case of cyber risk, perhaps because of its recent emergence, the process is often less well-defined. Yet the dangers can be as great as for most other risk types.

A 2015 report from CERT-UK (now part of the UK National Cyber Security Group) says “the cyber-security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain. A determined aggressor, notably advanced persistent threats (APTs), will make use of this by identifying the organization with the weakest cybersecurity within the supply chain, and using these vulnerabilities present in their systems to gain access to other members of the supply chain”.

Any supplier who can access your organization’s systems at any point can be the source of external threats and damage. This is in addition to the risks from GDPR breaches, for example, which can occur inside supplier organizations’ own systems. While organizations will always be vulnerable to the latest devious actions taken by criminals, steps can be taken to reduce the impact any cyber attack will have on the business.

Understanding the supply base and examining which firms are potentially a source of risk is the starting point. Buyers can then look at steps such as contractual clauses in supplier contracts, incorporating cyber-risk reviews into wider contract and supplier management activities, the right to audit cyber precautions in supplying firms and so on. As always, broader risk mitigation strategies such as putting alternative supply sources in place, or appropriate insurance, can be relevant.

Note that some of the issues here do not neatly follow the model that says strategic suppliers need most attention, time and resources. For instance, a supplier seen as tactical in nature (in marketing or data processing) might hold sensitive data; if subject to attack or even internal human error, the buyer could be open to prosecution or fines under GDPR. This means that risk must be looked at across the whole supplier base, not just for the top 100 suppliers or those who participate in a strategic relationship management (SRM) program.

Even if you’ve successfully established a process for identifying risk, a second set of actions must be established related to the response to risk events. As with other risk types, knowing as soon as possible when a risk event occurs is vital. If a key supplier has suffered a major data breach, for example, knowing quickly will enable you to get moving quickly and plan the appropriate actions and responses, from PR activity to potentially making alternative supply arrangements.

(Download the paper here to read on).
