How to Protect your Supply Chain from Disruptive Cyber Attacks Part 2: How Specialization is Affecting Cyber Security


December 13, 2022 - Cybersecurity attacks on the supply chain have increased significantly in recent years, and it's become more crucial than ever for private companies to protect their supply chain from this growing threat.

Part 1: How Globalization is Affecting Cybersecurity covered how an organization's cyber-related risks are directly affected as industries become more globalized. Now, in part two, let's look at how increased specialization in manufacturing processes inevitably leads to the onboarding of more partners and, with them, higher risk.

For many manufacturing organizations, dividing the production process into smaller tasks performed by a larger number of specialized partners increases productivity. This subdivision of labor means that organizations are working with an ever-growing number of partners or third parties, each responsible for a small portion of the end product.

However, working with more partners makes managing your supply chain more complicated. As more and more third parties connect into complex supply chains, the potential attack surface for bad actors grows wider: attackers have more routes to the target, and vulnerabilities become less challenging to exploit, making the organization a soft target. For example, in March 2020, hackers penetrated the US government's internal communications after its third-party software company, SolarWinds, distributed a compromised update. The situation could have been prevented or mitigated with some simple measures.

Firstly, to mitigate the risks that come with utilizing multiple partners, your organization should account for every additional stakeholder and build your workflow to include them. In addition, you must review each current partner's connectivity with your systems and evaluate what data is shared. If one of your suppliers has a cybersecurity breach, you need to ensure that, even if that supplier's systems are compromised, your data will remain secure and accessible.

You want your organization to be resilient in the likely event of a cyberattack; it's "when", not just "if". It is crucial that you put processes in place to protect the data and systems that partners access on your platforms. A proactive way to ensure this is to require new suppliers, during onboarding, to provide a description of their cybersecurity measures so you can verify that they are operating securely and safeguarding their data.

Similar to the recommendations in Part 1, making cybersecurity requirements part of your third-party supplier contracts is pivotal. Requirements could include ensuring your suppliers provide attestation of compliance with well-known cybersecurity frameworks, such as ISO 27001, NIST CSF and SP 800-53, SSAE, and others. This will go a long way toward safeguarding your organization from a disruptive attack.

Follow Mark Brown’s three-part blog series 'How to Protect Supply Chain from Disruptive Cyber Attacks' to better understand how industrial globalization affects organizational cyber risk. For more insight on other Digital Trust and Environmental, Health, and Safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.