How to Conduct a Supply Chain Risk Assessment at Scale

Kaitlyn Graham | May 13, 2021 | tag: Supply Chain Cybersecurity

Vendors and third-party partners are essential to helping your business grow and stay competitive. But outsourcing to third parties also dramatically increases your attack surface. A recent independent study by Opinion Matters found that 92% of U.S. organizations have experienced a breach that originated with a vendor.

In response, budgets for third-party cyber risk management programs realistically need to rise this year to meet the needs of the vendor management team. Spent wisely, that money pays for properly vetting every vendor before it becomes a partner and for the life of the relationship.

But when you’re dealing with a large number of third parties – some who handle sensitive data – the supply chain risk assessment process can quickly become overwhelming, even with larger budgets allocated.

Here are five ways to scale your program and ensure that any gaps in your vendors’ security programs are identified and remediated quickly.

1. Start with awareness

Before conducting any assessment, you need to quickly and easily discover each service provider within your extended supply chain. It may sound easy, but as the digital ecosystem expands to include more cloud technology, and shadow IT becomes more prevalent (think of all those SaaS subscriptions that employees can procure with a credit card), security leaders may be unaware of the complex web of interconnected business relationships that exist.

Awareness and full visibility are important because they let you track where your sensitive data flows, who has access to what, and the relative importance of each vendor relationship. Using this insight, you can tier vendors by perceived inherent risk and allocate assessment resources where the greatest risk to the business lies.

2. Assess the risk posture of your supply chain

It’s likely you already have a formal process in place for assessing your vendors that involves questionnaires, penetration testing, annual security audits, and on-site visits. These are all important tools, but they don’t offer a complete picture of cybersecurity risk.

Consider security questionnaires. While they provide insight into a vendor’s security policies, they only reflect risk at a single point in time. They also omit risks the vendor is unaware of or may not be entirely honest about (just one third of respondents to the Opinion Matters survey said they believe the responses vendors provide). And they are time-consuming to complete and analyze.

The same is true of penetration tests. They may uncover hidden risk, but they are costly, disruptive, and hard to implement at scale across your entire supply chain.

Continuous monitoring solutions like security ratings can help fill the gaps by providing an immediate, near real-time snapshot of each third party’s overall security posture. A higher rating indicates better security, while a lower rating signifies that improvement is needed. Depending on how they score, you can prioritize which vendors may need a more rigorous supply chain risk assessment that dives deeper into their security processes and policies.

Once onboarded, you can use these same tools and methods to continuously monitor your third parties over time. If a vendor’s security rating drops, automated alerts let you know so you can work with your vendor to mitigate the issue.

3. Establish pre-procurement standards

While technology can help reveal hidden risk, one of the surest ways to reduce that risk is to establish strong cybersecurity due diligence practices before your vendors are onboarded. For example, you might use security ratings to introduce a standard cybersecurity metric or acceptable risk threshold and develop contract language to ensure your entire third-party network meets those thresholds as the onboarding process moves forward.

4. Check your code

Many third-party technology providers, especially those that add functionality to an organization’s websites, apps, or software platforms, embed sections of proprietary code in their clients’ systems. Unfortunately, this can expose your software to malware.

Because of this, every third party whose code, hardware, or environments play a part in the development of your software and applications should be considered part of your digital supply chain, and you must regularly analyze their code for security risks to protect that chain.

5. Solve the fourth-party problem

Supply chain risk assessments shouldn’t begin and end with third parties. To fully protect against cyber risk, you also need to address fourth-party risk: your vendors’ subcontractors, those subcontractors’ subcontractors, and so on. Once a third party is compromised through a fourth party, your organization is at risk too.

Traditionally, this has been an extremely challenging area to report on at all. With modern tooling, however, you can continuously monitor fourth-party risk and gain unprecedented visibility into your entire vendor ecosystem. With these insights you can be alerted to newly uncovered relationships, validate your supply chain risk assessment questionnaires, and quickly triage risk in collaboration with your vendors; it’s a win/win for all. No more waiting for a breach to hit the headlines to realize your organization may be at risk.


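As an added illustration of points 2 and 5 (this is not code from the original post or from any ratings vendor’s product): a small Python model of a vendor ecosystem that discovers fourth parties transitively, scores each direct vendor by the weakest rating anywhere in its chain, routes low scorers to a deeper assessment, and raises an alert when a rating drop somewhere down the chain pushes a direct vendor below the threshold. All vendor names, rating values and the 600 threshold are constructed for the example.

```python
from collections import deque

# Constructed sample data: hypothetical vendors and rating values, not real scores.
# Each key is a vendor; its list holds the subcontractors that vendor relies on.
RELATIONSHIPS = {
    "payroll-saas": ["cloud-host-a", "email-api"],
    "analytics-widget": ["cdn-x"],
    "cloud-host-a": ["dns-provider"],
    "email-api": ["cloud-host-b"],
    "dns-provider": [], "cloud-host-b": [], "cdn-x": [],
}
# Vendors we contract with directly (third parties); everything below them is a fourth party.
DIRECT_VENDORS = ["payroll-saas", "analytics-widget"]
RATINGS = {
    "payroll-saas": 780, "cloud-host-a": 720, "email-api": 650, "dns-provider": 540,
    "analytics-widget": 800, "cloud-host-b": 700, "cdn-x": 690,
}

def fourth_parties(vendor, relationships=RELATIONSHIPS):
    """All subcontractors reachable from a direct vendor, however many hops down.
    The visited set also keeps a cyclic relationship graph from looping forever."""
    seen, queue = set(), deque(relationships.get(vendor, []))
    while queue:
        v = queue.popleft()
        if v in seen:
            continue
        seen.add(v)
        queue.extend(relationships.get(v, []))
    return seen

def effective_rating(vendor, ratings=RATINGS, relationships=RELATIONSHIPS):
    """Weakest link: a vendor's exposure is the lowest rating anywhere in its chain."""
    chain = {vendor} | fourth_parties(vendor, relationships)
    return min(ratings[v] for v in chain)

def tier(vendor, threshold=600, ratings=RATINGS, relationships=RELATIONSHIPS):
    """Route vendors whose chain falls below the threshold to a deeper assessment."""
    rating = effective_rating(vendor, ratings, relationships)
    return "deep-assessment" if rating < threshold else "monitor"

def new_alerts(previous, current, threshold=600, vendors=DIRECT_VENDORS, relationships=RELATIONSHIPS):
    """Direct vendors whose effective rating crossed below the threshold since the last snapshot."""
    out = []
    for v in vendors:
        before = effective_rating(v, previous, relationships)
        after = effective_rating(v, current, relationships)
        if after < threshold <= before:
            out.append((v, before, after))
    return out
```

With this data, "payroll-saas" lands in deep assessment only because of "dns-provider" two hops down, and a later snapshot in which "cdn-x" drops to 550 produces an alert for "analytics-widget" even though that vendor’s own rating never changed.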
When it comes to your vendors, trust, but verify

While security questionnaires remain an important part of any supply chain risk assessment program, if your company is looking to achieve better risk outcomes you need to trust, but verify.

Use data-driven insights to understand who’s who in your interconnected supply chain, assess potential vendors against established security policies, and continuously monitor their security performance for changes over time. In doing so you’ll reduce the time and cost it takes to assess supply chain risk and move forward knowing that every vendor in your digital ecosystem – even if they number in the hundreds of thousands – presents acceptable levels of risk.
