Companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. (Image: Shutterstock)

Preparedness and protection

Protecting and preparing an organization is challenging enough and so thinking about the potential vulnerabilities along an entire supply chain can seem daunting. There are steps organizations can take, at the very least, to begin to understand what they do not know, particularly with respect to sensitive data within the organization and across its supply chain:

• Know the business: Know where the data is, where it is duplicated, who has access internally and externally (i.e. where the data sits, moves, and resides).
• Protect the company: While insurance will not prevent a cyber attack, it will help a company recover more quickly in the event of a data breach or network security failure. The key is for companies to consider their insurance needs, i.e. they must know what they have before they know what to protect. Insurance can cover costs associated with responding to a breach, including investigation, notification, and legal costs. When considering supply chain risk in general, companies should also ask about coverages, such as contingent business interruption, which covers costs associated with a property loss at a supplier's location.
• Identify the supply chain: Businesses should understand that their vendors and suppliers may use subcontractors. A good proactive first step towards managing cyber risk in a supply chain is properly identifying the vendors and suppliers within it and knowing who exactly is handling data and how.
• Set standards and manage network access: Businesses should consider creating cyber security standards for partners within the supply chain that will be handling data. Are suppliers at least the company's equal when it comes to security? Sometimes a company may discover a supplier has more stringent standards than its own. Some cloud providers, for example, are as successful as they are because they are more secure and robust than the companies that use their services.
• Negotiate contracts: To the extent possible, a company should negotiate favourable terms in its contracts with vendors and suppliers, including the ability to undertake audits. Beyond the actual coverage protections, the underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company's own due diligence when vetting that vendor.

In summary, companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. The goal is for a company to understand what rights it has, and to establish clear expectations about obligations in the event of a breach at a vendor.

Threat intelligence and information sharing

When it comes to data security and breach response, there is a wealth of available information on specific threats that companies can leverage. Obtaining the data, however, is only an effective strategy if a company is able to properly interpret and leverage it. Information and actionable intelligence are different and companies must be able to identify the few pieces of information that will actually improve outcomes. Companies should make smart decisions about what security operations they can in-source and what they should out-source, keeping in mind how they can bake security into their outsourcing decisions.

Once a company understands and can leverage threat intelligence, it may consider sharing relevant information among its suppliers and vendors. The challenge is sharing meaningful and actionable intelligence rather than all information that passes through systems.

The company should consider when and how to appropriately share information, bearing in mind that it is not a managed security provider for its vendors. Hiring vendors that have effective security capabilities is ideal, but for a subset of vendors with useful services but limited security resources, periodically sending an email advising them about a threat to look out for may be an information sharing strategy companies could employ.

Realistic approach

It's not possible to eliminate cyber risk entirely throughout a global supply chain. Taking steps to limit risk should not be misinterpreted as an airtight defense against threats. But understanding the organization's operations, its supply chain, and its vulnerabilities can lead to the next best thing: resilience, or avoiding the potential for a single point of failure to disrupt the entire supply chain.

The first step, if not already taken, is to understand the operation and supply chain. Key personnel within the organization should be assembled to identify how much and what kind of data is held and where it sits. The supply chain should be audited, in as far as it is feasible, and protection implemented as thoroughly as possible through contracts with suppliers and vendors. An insurance professional can then advise about the proper coverages to help protect against cyber threats and other supply chain risks. The goal is to recognize the threats, limit exposure, and ensure supply chain redundancy.

Related: How industrial companies can manage cyber threats

This piece was originally published on Aspen Insurance's website. The Aspen White Paper “Cyber Risk and the Evolution of Supply Chains” discusses protection strategies against this constantly changing threat.