How to identify and manage cyber security risks in your supply chain
Cyber security is a fact of life for businesses.
We have all had to get better at improving our cyber resilience over the last decade. The range of threats that both businesses and individuals face is growing in scale, sophistication and frequency. The challenge of detecting and reacting to security vulnerabilities means that buyers are spending more than ever before on cyber security in their supply chain. Making sure that these investments deliver long-term value in the form of stronger security practices is a strategic priority for risk managers, but it is often easier said than done.
The Accenture Security Third Annual State of Cyber Resilience report focuses on what sets leaders in cybersecurity apart from the rest of the pack. The company surveyed over 4,600 executives to understand how they are dealing with the increasingly sophisticated risks of cybercrime. While most companies are better at the basics of supply chain security, there are clear differences between those that are doing it well and those that are doing just enough.
Accenture’s research shows that 40% of security breaches are now indirect, targeting weak links in supply chains and business ecosystems. The threat of a supplier data breach is a real risk, but so are unsustainable costs and investments that aren’t creating value.
What are the companies that are leading the way in supply chain security doing, and what lessons can we all take from them? There are 3 things that they all do.
The speed at which a business is able to detect, respond to and recover from a supply chain cyber-attack is one of the main things that separates the leaders from everyone else. While most supply chain security policies emphasise strength, those that are really effective focus on speed and on having the right level of data oversight. According to Accenture, cybersecurity leaders are able to identify and plug security breaches in an average of 15 days or less.
46% of the suppliers in our Service Community have formally appointed a person to be responsible for information security, while 87% of those in our UVDB Community have a documented security management system. These are important steps towards embedding better security practices. More visibility and better agility enable faster threat detection, but they also mean that both buyers and suppliers can accurately measure their current capabilities.
Currently, however, only 30% of suppliers in the community have a procedure in place to manage security incidents, meaning that their response will be ad hoc and potentially slow and inefficient too.
Many businesses have seen a rapid rise in the cost of their cyber security investments without the value gains they were hoping for. Figures from Hiscox show that companies around the world have seen an average increase in cyber security spending of 39% between 2019 and 2020. With such an increase in resources in a short space of time, it is essential for companies to make sure that every penny counts. 69% of those surveyed for the Accenture report consider the current growth in costs to be unsustainable in the long-term.
Companies that are doing it right are directing investments towards solutions that create targeted results. They are creating tools that help them effectively identify potential vulnerabilities and areas of weakness throughout their entire supply chain, allowing them to focus protection around key assets.
There is always a temptation to add more tools and capabilities, but the leading organisations tend to focus more of their budget allocations on creating momentum with what they already have. This means making sure that the basics are always being done right. Despite the increasing sophistication of supplier data breaches, the majority of security vulnerabilities in supply chains still originate from failures in the fundamentals, such as securing customer records.
Our data shows that while progress is being made, there is still a lot that could be done. While 54% of the suppliers in our Technology and Manufacturing Community have a documented information security and data protection policy in place, only 7% can demonstrate it has undergone third party assurance or certification to ISO 27001:2005 or equivalent.
Failing to address security vulnerabilities in supply chains can lead to very costly data breaches. Recent examples include Uber’s 2016 data breach costing it $150 million, Heathrow Airport being fined £120,000 over a lost USB stick and the $575 million settlement Equifax agreed with US regulators in 2019.
Let’s level-up your cyber resilience
We can work with your risk management teams to increase supply chain visibility, detect potential weaknesses and reduce the risk of supplier data breaches. We’ll also reduce the workload of your teams and help you develop supply chain practices and protocols that minimise risks.