Managing supply chain risk: the due diligence is in the details

Accellion. SolarWinds. Microsoft Exchange. Until 2021, most of these names were familiar to many organizations as parts of a whole: pieces of the supply chain, providing services that supported day-to-day operations.

Now, they’ve become better known as some of the biggest third-party breaches in recent history, allowing bad actors access to the systems and proprietary information of thousands of organizations worldwide.

These events highlight the need (now more than ever) for organizations to be more proactive with their supplier risk management.

Some context for supplier breaches

As of 2017, the average company had 181 suppliers access their network each week. In 2018, Ponemon Institute found that 59% of companies had experienced a third-party data breach, but only 16% of companies thought they were effectively mitigating third-party risks. In 2020, research indicated that 43% of third-party relationships never see any kind of due-diligence checks.

With this sort of negative data, it’s easy to understand the environment that makes suppliers look so very tempting to bad actors. Hacking the NSA and Microsoft would be time-consuming and challenging, but both organizations have an immense network of suppliers that expose them to risk. Even if every direct supplier were completely secure (which is unlikely), each of those suppliers has their own suppliers. And among those, some will be vulnerable to attack.

Hackers, like businesses, look for efficiencies. In the cases we saw in early 2021, hackers got into the systems of three widely-used suppliers, and that in turn gave them access to multiple high-profile targets.

Supplier risk management

Like many things in business, there’s no such thing as zero risk. In the vast majority of cases, to run a business, suppliers are necessary, from data hosting, to the shop that customizes giveaway pens.

The only solution is to manage the risk. According to the Association for Supply Chain Management:

Understanding who your critical first tier suppliers are should be the absolute bare minimum, and that starts with defining objective criteria to evaluate what makes a supplier critical in the first place.

At a high level, the key steps in supplier risk management are:

Identification

• Maintain a database of your suppliers
• Create a risk profile for each one
• Update the risk profile on a regular basis

Assessment

• Understand what level of risk the supplier poses (for example, what access they have, what could happen to your business if they were hacked or went out of business)

Mitigation

• Take the information from the identification and assessment stages and ask yourself, “What if?” (What if my data hosting location suffered a natural disaster? What could I do if it did? How would I respond to a third-party data leak?)

Due diligence in supplier risk management

Due diligence, or Know Your Business, is often seen as something that only financial institutions are required to undertake. However, structured appropriately, due diligence is a fundamental part of identifying and assessing risk, and can benefit any type of business.

Basic due diligence answers questions like:

• What kind of business are you signing a contract with?
• Where can you contact them?
• What services do they provide?
• Is the business legitimate, or a PO box out to take your money and vanish?
• Is the new CEO competent and ethical, or do they have a string of bankrupt businesses behind them, or perhaps a cease-trade order?
• Is the business adequately insured if something goes wrong?
• Will the business protect your information adequately?

This kind of information supports the creation of a supplier database, and provides a basic risk profile. Risk profiles can easily be augmented, depending on need and business vertical, with industry-standard questionnaires such as the CAIQ-lite, which assesses security in the cloud.

Due diligence also plays into assessing the risk the supplier poses to a business. The risk profile provided by due diligence gives businesses a baseline when it comes to evaluating what systems and information access a supplier can be granted without exceeding the business’s risk tolerance.

For example, the stationery supplier may be a high risk in terms of information security — but will only ever have direct access to very limited information. Likewise, that supplier is a small organization without much resilience in the event of something like its storage area catching fire — but the risk posed to your business continuity if the company goes out of business is minimal.

Due diligence also supports risk mitigation. If, for example, a supplier risk profile shows that the supplier is non-compliant with a law your business must comply with, that information can feed into the contracting stage as a contractual requirement: the supplier must make all commercially reasonable efforts to become compliant.

A chain is only as strong as its weakest link

It’s important to keep in mind that the supply chain is only as strong as the most vulnerable — or most targeted — supplier.

Without the awareness of supply chain vulnerabilities and without a monitoring and mitigation plan in place, companies leave themselves wide open to the potential for damaging breaches and exploits. Worse yet, without that supplier oversight in place, a company may not even know that a supplier is at risk until they show up in the headlines.

Supply chain risk management and due diligence work hand-in-hand to form a first layer of protection for businesses, and with the rise in SaaS and outsourcing prevalent in the business environment, good risk awareness is vital.