Supply-Chain-Security-Management

Cyber Supply Chain Risk Management

Identify, assess & mitigate the cyber risks to your supply chain

Request a Quote

Cyber Supply Chain Risk Management (C-SCRM)

As clearly demonstrated in recent breaches, the security of 3rd party suppliers connected to your systems and processing your information assets is directly correlated to the cyber security resilience of your business. Your business systems are only as secure as those systems connected to them. This simple logic is often overlooked.

Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the cyber risks associated with the complex connected nature of the extended chain of your product and service suppliers. It should encompass their entire lifespan from on-boarding - through service delivery or product provision - to off-boarding as threats and vulnerabilities may change in each step of the process depending on the associated activity and connectivity.

A one-size-fits all cyber risk management approach will not work. Each supplier requires an individual assessment and response to ensure they meet your business’ security governance risk and compliance requirements and operate within your risk appetite and tolerance. This is no easy challenge. But we can help you.

Risk Crew provide a simple and effective C-SCRM process to assist you in meeting and successfully managing this challenge.

Download the Service Overview

Features and Components

Our pragmatic, cost-effective and scalable solution is fully customizable to meet your specific risk objectives. It can be designed and deployed within your existing business’ supplier management processes or platforms or automated and fully outsourced to Risk Crew for management.

The methodology is comprised of seven components:

Supplier On-Boarding

We begin the engagement by establishing the definition of a “Supplier,” as this is often misunderstood across the business and can result in unidentified 3rd party services and connections going unaddressed. Next, we draft a C-SCRM plan for your business’ governance framework that meets your risk appetite and tolerance objectives.

Risk Crew will then assess and align your current information asset classification scheme to appropriate the service level agreement language and include it in all applicable supplier agreements so that security requirements are understood and contractually agreed upon during on-boarding.

Cyber Risk Triage

Risk Crew designs and deploys a supply chain risk triage portal based on the volume and sensitivity of the business’ information assets that the supplier processes, stores or transmits on your behalf – along with specific connectivity and compliance requirements such as DPA, GDPR or the PCI DSS.

Once deployed, the model will segment your suppliers into risk categories of Low, Medium or High to accordingly prioritise the risk management process – giving a clear risk-driven view of your supply chain.

Automated Risk Assessment

Once triaged into applicable cyber risk categories (Low, Medium or High), suppliers are directed to complete a risk assessment questionnaire suitable to their risk profile.

After questionnaires are complete, you will knowledgeably align specific risk assessment criteria to each supplier across the chain based on their potential risk to your systems and business information assets. The questionnaire is designed to identify and document the existing “inherent” risks associated with each supplier's current security controls. This tailored approach is important because when it comes to risk, one size does not fit all.

Prioritised Risk Remediation

Now that explicit, “inherent” risks are identified for each supplier, you can assign specific actions to supplement or enhance existing security controls and reduce those risks to a level within your business’ risk appetite and tolerance.

Supplier-specific risk-reduction activities are tracked through remediation and their “residual” risk status is logged for annual review.

Key performance indicators (KPIs) are identified and collected throughout the process to verify overall risk reduction.

Security Testing

Throughout the engagement, Risk Crew conducts routine security testing to ensure the effectiveness of controls the supplier has implemented to secure your information assets and connectivity to your systems.

Risk Crew will scope and conduct routine security testing of the supplier’s systems applicable to their residual risk profile and the technology platform processing, storing or transmitting your information assets such as web application, network, API, cloud or IoT. Bespoke control testing = bespoke cyber risk management.

Monitoring & Mentoring

Once the process is implemented, there is still work to be done. Risk Crew strongly believes that suppliers need continual monitoring and mentoring to ensure their understanding and correct implementation of the controls required to protect your information assets and their connectivity to your systems.

The Risk Crew C-SCRM solution includes a supplier “helpline“ to answer any specific questions that may arise and provide best practice advice when needed. It also includes daily CERT alerts and monthly cyber security bulletins to keep suppliers apprised of current threats and vulnerabilities We do this because we believe that education is the silver bullet.

Supplier Off-Boarding

Finally, it's not over until it's over. One of the most important (and overlooked) steps in any supply chain risk management lifecycle is the “goodbye”. The Risk Crew C-SCRM process includes detailed contract close requirements from data retrieval or destruction to verifying termination of supplier connectivity to business systems.

Requirements will be mapped to the existing business process to ensure their execution and the secure off-boarding of your supplier. This simple follow-through will dramatically decrease the chances of an accidental breach.

 

The Risk Crew C-SCRM process can be delivered manually or through our fully automated 3PA™ and 3PA Triage™ hosted software solutions.

C-SCRM Benefits

C-SCRM Service Benefits

Today, everything connects to everything. Therefore, businesses can no longer solely focus their cyber risk strategy only on protecting their internal infrastructures. Serious threat actors seek to exploit the less protected threat vectors provided by suppliers to their more cyber mature target. They bypass more mature cyber controls and exploit the weakest link in the chain. The risk is real and substantial.

The Risk Crew C-SCRM service delivers a comprehensive and cost-effective solution for identifying, minimising, and managing this risk, and provides metrics to calculate the return on your investment. It delivers risk transparency, liability, and accountability for each supplier in your chain. It doesn’t get any better than that.

Why Choose Risk Crew

Risk Crew professionals possess over 30 years of experience in designing and delivering effective cyber supply chain risk management solutions. Our seasoned information security governance, risk and compliance consultants implement proven methodologies for documenting, assessing, and remediating the cyber security risks to the information in your supply chain.

It’s hard to be humble when you are this good. Try us and find out.

Frequently Asked Questions

Is the supply chain a high-risk cyber-attack vector?
Yes. Over 75% of breaches publicly identified since 2015 have been attributed to “trusted” 3rd party connections.
What are supply chain cyber-attacks?
A supply chain cyber-attack is a cyber-attack that seeks to damage or breach an organization by targeting less-secure elements in the supply network of that organisation.
What is an example of a supply-chain cyber-attack?
The first high-profile supply chain cyber-attack identified was the Target breach in 2013 wherein attackers entered into Target systems through a heating and cooling supplier connection and removed 78 million credit cards. A more recent example is the NotPetya ransomware attack identified in 2017 which specifically spread through supplier systems resulting in over 10 billion dollars in damage.