Cyber security has become an increasingly high profile issue over the course of the past ten years. It has always been a consideration for business – not least in protecting intellectual property and commercially sensitive materials – but shifts in global politics, combined with evolutions in digital technology have heightened awareness of the threat of cyber crime and the various forms it can take.
For this reason, digital technology can be something of a double-edged sword for business. In today’s globalised markets, it is necessary for the future success of any operation, but it also generates unique vulnerabilities. These vulnerabilities are not simply found in your own systems, though. Indeed, your own business may have the most state-of-the-art protection from malware and data thieves; you may conduct regular security reviews and use digital systems that create audit trails of all activity; you may comply fully with the minutiae of recognised standards, and hold ISO 27001 certification to prove it. But, any business with a supply chain incurs additional vulnerabilities – and every business has a supply chain in one form or another. For this reason, Supply Chain Visibility is essential, and the key to truly robust cyber security.
What is Supply Chain Visibility?
Historically, Supply Chain Visibility (SCV) was simply the way in which businesses worked to ensure that the risk of supplier delay or disruption was minimised and focused heavily on internal and third party logistics. While this is still necessary – particularly for those operating in the manufacturing or product sales industries – Supply Chain Visibility today is also about the cyber security of those third parties and, as such, it is of concern to all types of business, regardless of industry.
It is the nature of the cyber crime threat that creates the need for this type of Supply Chain Visibility. Attacks can take many forms, including:
- Phishing – These are emails, phone calls, text messages, or social media interactions designed to trick the recipient into sharing information that will enable the sender to perpetrate a theft. For businesses, the risk is that staff members could engage with phishing communications.
- Malware – This is malicious software that infects computer systems for the purpose of causing harm or collecting information without permission. For businesses, it can deliver disruptive elements into computer systems (often known as ‘trojan’ malware), or it can steal personal, financial, or commercial data while digital systems seem to operate as normal (often known as ‘spyware’). This places intellectual property as well as the private information of customers and employees at risk. This type of attack can also lead to blackmail – if sensitive information or intellectual property is stolen, then this event could be used to extort money from a business, by threatening public release of that information or data.
- Logic bombs – These are similar to malware in that they are malicious programs ‘smuggled in’ to computer systems, but are designed to be triggered by a specific digital event within the system. The effect of the bomb is often the deletion of important sections of code – making the software system in question unusable.
- Data tampering – This is the unauthorised alteration of data inside a computer system and, for businesses, can result in catastrophic miscalculations in many areas, including finance, product design, product manufacturing, employment, or customer relations.
- Ransomware – This is a form of malicious software infection that enters your computer system, and locks your network and files, preventing access. A demand is then made, usually financial in nature, for the restoration of normal operations.
Each of these types of cyber crime will be a threat against which you have taken steps to protect your own systems, but as we become increasingly immersed in the global marketplace, with businesses and third party suppliers connecting, agreeing contracts, and establishing commercial relationships digitally, our own business is only as secure as those with which we deal.
In today’s business world, one of the most significant risks faced by business is a cyber crime committed within the supply chain, providing an onward point of entry for criminal enterprise. Less secure businesses are easily infiltrated and can be used as a means to attack a more mature, better protected commercial entity, by way of digital connections that maintain a third party business relationship between the two. This is the new reality of Supply Chain Visibility – making sure your third party connections do not leave your business vulnerable to cyber attack.
Third Party Risk Management
With the question now being, ‘How do you achieve robust cyber security in light of this increased third party risk?’, focus must turn to third party risk management strategies. For such strategies to be successful, Supply Chain Visibility is required at a granular level. It is vital not only to establish, but also to engage in consistent monitoring of, the risk profile of each organisation with which your business maintains a relationship. By focusing on their risk profile, your business benefits from the due diligence performed by each third party in respect of their own supply chain.
There are several factors to consider when assessing the risk profile of a third party and, by extension, the risk exposure of your own business in maintaining that relationship:
- Business size – If a third party is a small, local operation, the risk it poses to your business is low. If a third party is a large international operation, the risk it poses is higher.
- Commodity, product or service type – If your business relationship with a third party involves the trading of sensitive materials, then the risk level is high.
- Location – The risk posed by dealing with third parties in other countries is constantly changing, and is impacted by global politics, environmental factors, and market shifts. The risk to your business posed by those operating in other territories will depend upon the nature of the business, the extent of the relationship, and the methods used for communication and logistics.
- Banking and financial practices – In order to minimise the risk of exposure to fraudulent activities, it is important to be confident in the banking and financial practices of all third party relationships.
- Stakeholders and executives – If a third party has stakeholders or leadership personnel who are themselves considered high risk – such as Politically Exposed Persons, or people with ties to fraudulent activity, corruption, or terrorism – then the risk to your business is significantly increased.
- Compliance history – Third parties that can demonstrate strict adherence to regulatory compliance requirements present a reduced risk, and those that exceed regulatory requirements lower the risk to your business even further.
With these factors to consider, a comprehensive system of data management is required, and this is provided by Third Party Risk Management Software. This platform solution – for example, Symfact – provides a broad range of tools designed to enhance your Supply Chain Visibility and optimise your risk mitigation processes.
- Data collection – The use of customisable Intelligent Questionnaires enables your business to conduct a thorough risk assessment of each third party relationship, by prompting the collection and examination of granular information.
- Centralised repository – With the platform built around a centralised repository for all data and documentation relating to third party risk management, your business is able to perform customised searches and generate detailed reports that highlight areas of risk exposure.
- External database access – Connections with all leading databases, including Dun & Bradstreet, Thomson Reuters, Dow Jones, and LexisNexis, allow your business to conduct advanced security profiling and background checks on all third parties.
- Incident Management tools – These features are designed to prevent fraudulent activity where possible and, in the event of a breach, provide early detection. This enables your business to protect revenue streams and keep associated costs contained.
- Investigation tools – These features enable your business to authenticate and monitor the identities of individuals and corporate entities, including aspects regarding fraud, corruption, sanctions, compliance, and the financing of terrorism. They also provide the ability to assess Politically Exposed Persons and Ultimate Beneficial Owners.
With cyber security being the matter of concern, platform-based Third Party Risk Management software packages, including Symfact, use a permission-based access system. This means that only authorised personnel can enter and work within the system, and all activity is logged in automated audit trails. Transparency and accountability are therefore guaranteed, while business continuity is enabled through the support of secure remote access.
Far from being your last line of defence against the threat of cyber crime, Third Party Risk Management Software can form the core of your Supply Chain Visibility strategy. Implemented through a phased, carefully managed roll-out, the package can play a key, foundational role in making your cyber security measures as robust as possible, through the mitigation of risk, and the optimisation of related administrative tasks.
The digital inter-connectedness of business is only increasing in our newly emerging post-pandemic world, so the protections afforded by such stringent, wide-ranging, and granular third party risk assessment are the most efficient and productive way to future-proof your organisation. Call Symfact today to discuss the way your third party risk assessment can be improved with greater Supply Chain Visibility.