In today’s interconnected global economy—and increasingly digital and cloud-based environments—supply chain cybersecurity has become a collaborative effort. It is no longer enough for enterprise organizations to rely on perimeter-based security and third-party promises.
As the digital landscape continues to expand, opportunistic cyberattackers are turning their focus toward more vulnerable vendors and n-tier suppliers to gain footholds in major corporations and supply chains. In other words, supply chains are only as resilient as their weakest link. This means organizations must secure their own enterprise environment while accounting for third-party security risk as well.
As the digital landscape expanded during the pandemic—with a surge in cloud adoption, digital transformation, and remote work—cybersecurity risks grew with it. Cyberattackers found easy targets in lower-profile vendors and suppliers along the supply chain that had fewer resources to invest in cyber defense. By focusing on these “small fish,” hackers are able to gain entry and from there exploit weak points to eventually penetrate the enterprise systems.
This phenomenon has been especially notable in the rise of ransomware-as-a-service attacks. Hackers use ransomware to breach a target and then encrypt data to lock owners out of their systems until they pay a ransom. This disruption can shut down entire supply chains and operations and costs companies hundreds of thousands to millions of dollars.
One recent example of this was the ransomware attack on Hanesbrands in May 2022. The attack was first detected on the brand's IT system. The breach prevented Hanes from fulfilling product orders for three weeks, impacting its ability to purchase supplies, ship orders, and process payments. To recover, Hanesbrands had to rebuild its systems, re-secure its data, and manage the infection across multiple machines—all to the tune of $15 million.
Bottom line: even if your enterprise supply chain security is well resourced and sophisticated, it doesn’t mean your suppliers adhere to the same security standards. And this can cost you—and your suppliers—big if and when they are targeted.
That’s why enterprises must include their suppliers in their cyber risk calculations and management, especially SMBs, which typically have fewer resources to invest in security.
So what does good cybersecurity hygiene look like? Work with your suppliers to review their security standards and current cybersecurity strategies.
Here are a few key checklist items to look out for:
Passwords are a first line of defense against hackers. But they are also one of the easiest targets. In fact, 4 in 5 data breaches are due to weak or stolen passwords. Compounding the problem is that many small businesses do not have a password policy. So enforcing policy and using strong passwords is a simple but important step to good cybersecurity hygiene.
Good password standards include:
In addition to strong passwords and a robust password management system, suppliers should set up multi-factor authentication on all tools and systems, such as VPNs, email, calendar, and collaboration tools. Multi-factor authentication requires users to submit two or more credentials to verify their identity at login. This adds a layer of protection on top of strong password policies, making it harder for bad actors to gain access even if they crack a password.
Bad actors will look for vulnerabilities in a supplier’s software. While software vendors should be regularly releasing patches, users must also update their software to apply those fixes. Make sure supplier policies include automatic updates for all devices, applications, and operating systems.
Make sure all data is encrypted and configured properly. Encryption helps protect sensitive information as it is transferred and stored, adding another layer of protection should the system be breached.
Despite the rise in frequency of cyber attacks, more than 77% of organizations don’t have an incident response plan. Without a clear plan in place, when an attack does occur, the damage may go undetected or unmitigated for longer than necessary. An incident response plan helps mobilize the cybersecurity team to action to reduce damage, minimize risks to other parts of the systems, and return to full operation.
There are many technical components involved in incident response and risk management, so it's also important that suppliers have adequate technical knowledge to install, update, and maintain the systems and technology that prevent phishing and malware.
This also includes cybersecurity training for non-IT employees, who are often the most vulnerable point. For instance, an estimated 90% of cyberattacks start with a phishing email. If an unwitting employee clicks a link or opens an attachment in a phishing email, it can trigger malware installation that steals data, locks users out of the system, or even creates a backdoor into the computer for later entry. Educating employees on what to look for and what to do can help prevent attacks that impact the supplier and the extended network.
Small and medium-sized businesses typically don’t have the resources that larger enterprises do to invest in robust cybersecurity programs. For instance, one of the main reasons why SMBs have trouble implementing MFA is not because they don’t want to but because they do not always have the funding or technical expertise to do so.
Enterprises can help bridge these security gaps through education, communication, and resource support.
Communicate the Benefits of Cybersecurity
Investing in cybersecurity is a big undertaking, especially for resource-strapped SMBs. Take time to educate your suppliers and reframe the investment as a benefit to the supplier to encourage buy-in. Simple steps like password policies and multifactor authentication can make a big difference without requiring a massive lift from the supplier.
Pro Tip: Don’t present your cybersecurity requirements as an audit or a punitive measure but as something that is beneficial to them.
Clarify the Terms and Expectations Before Contracting
When vetting new suppliers, use your pre-contractual leverage to influence cybersecurity adoption. Clarify the specific terms and conditions upfront, as it is much harder to negotiate and mandate cybersecurity health requirements after contracts are signed.
Share Resources and Invest in Their Success
Help your suppliers help themselves by sharing resources and lending support. This can include something as simple as leading them to resources like the Cyber Readiness Institute or offering additional funding or investment if suppliers obtain certain certifications, training, or audits. Rewarding suppliers for improving their security posture will incentivize them to take action and invest in their long-term supply chain cybersecurity.
Use a Supplier Intelligence Platform to Track Progress and Monitor Risks
Suppliers won’t always reach out immediately when something goes wrong. That’s why it's important to monitor your suppliers’ progress and conduct regular cybersecurity risk assessments. Use a supplier intelligence platform that tracks all of your suppliers in one place, and enlist the help of organizations such as the Cyber Readiness Institute, which trains SMBs that have few internal resources and limited technical expertise.