Massive events like the coronavirus (COVID-19) and trade wars between the U.S. and China are disrupting the entire global economy, including the supply chain. Analysts such as Mark Zandi, Chief Economist at Moody’s Analytics, are making dire predictions when it comes to coronavirus and its impact on world financial markets.
Meanwhile, even before the current pandemic crisis, the complexity and interconnectedness of supply chains has grown at a breakneck pace. The dynamism of the marketplace requires constant evolution and improvement, whether it be lower prices, faster delivery, or specialized services. These changes have also brought increased risks to the supply chain — some more obvious than others, but many that fall into the purview of security and IT professionals.
In this blog, I’ll discuss those risks and what you can do to mitigate them, especially in light of the current situation.
Why Is Reducing Supply Chain Risk So Hard?
One reason reducing supply chain risk is so difficult is because of supply chain fraud. According to KPMG, 44.7 percent of cases of supply chain fraud are discovered through a tip or by accident. The takeaway here is that fraud isn’t easy to find. Existing controls, policies and supervisory measures are only marginally effective at identifying it. If companies are relying on tips or accidents to identify nearly half of the cases of supply chain fraud, this makes reducing them that much more difficult.
Cyber Security Risk to the Supply Chain
The reality is fraud is only one part of supply chain risk. Another element to consider is the cyber security risk. One of the fundamental reasons this type of risk is difficult to identify is the “interior” versus “exterior” outlook. For example, when a company does an internal assessment of a business process or vendor, they’ll likely review policies they’ve created and understand. They might also evaluate samples of transactions, but for the most part, they “know” the process and how things should run. Unfortunately, there’s a good chance a nefarious actor is also familiar with this process, which is why companies can strongly benefit from having an outsider’s perspective.
With most threats going undetected, it’s critical to know who your third-party suppliers and partners are. A vendor risk assessment is one way to do this. It will help your company get a much better picture of current relationships, dependencies, and possible gaps.
In my own experience conducting third-party vendor assessments, I helped a large international business in their vendor risk management process. The program was standardized, detailed, and reflected risk questions from across the enterprise. Special attention was directed toward cyber security and data management, but supply chain, and business continuity plans were also covered. This was extremely helpful in allowing the enterprise to independently assess risk before starting a business relationship with a new supplier or service provider.
My assessment reports were used as a baseline for their future risk assessments. As an additional measure to constantly identify and reassess risk, when vendor risk assessments were completed again, on a periodic basis, someone else would always perform that assessment. This prevented the same assessor from conducting an assessment consecutively.
If you don’t know if your vendors or cyber security risks are being affected by the coronavirus or the trade war, you need to find out as soon as possible. If they are, a preparatory vendor security assessment can help you mitigate future disruptions, by making risk-based decisions. Consider having multiple assessors as part of your vendor risk management plan.
Supply Chain Resources
Another way you can be proactive is by taking advantage of government resources provided to help U.S. companies mitigate some supply chain disruptions.
The Manufacturing Extension Partnership (MEP), through the National Institute of Standards and Technology (NIST), is a public-private partnership that provides supply chain management and cyber security resources for U.S. companies. They post current projects and success stories, and the examples provide insight to business owners and entrepreneurs. I predict that this program will be expanded in the future.
In his recent article, Tom Bray of the Information Systems Audit and Control Association (ISACA) talked about some existing control frameworks to help with assessing risk in supply chains. He discusses both NIST and ISO frameworks. He points out how suppliers are “an extensions of the enterprise…enterprises are best served by establishing base-level data and system-control requirements for suppliers.” The cyber security elements of both NIST and ISO interweave with the supply chain controls and should be assessed together.
Additionally, there are many similarities between the Contingency Planning Family of controls in NIST 800-53 and NIST 800-161. Companies would be well served to combine the assessments. By combining the cyber security and supply chain assessments, enterprises can experience a more holistic risk assessment, and save on cost.
Although the impact of the current situation on the global supply chain has yet to be fully realized or understood, you can still be proactive. If your organization is concerned with how secure your suppliers, third-party vendors, business partners and emerging technologies are, or you just want to be safe given the current climate, a vendor risk assessment is always smart. These assessments can be updated if they already exist, or another option is putting your risk plan under a stress test.