How to manage supply chain cyber risk

Supply chains can be complex and opaque, making it very challenging to manage supply chain cyber risks. But while the risks are growing, the solutions are too.

Cybercriminals are always searching for the weakest link in a company’s defences, and all too often, that vulnerability is being found in the supply chain. Recent research by BlueVoyant International found that 82% of UK organisations had reported a cybersecurity breach caused by their supply chain in 2020. Across the global respondents, just 22% of the companies were monitoring their entire supply chain and only 40% were reassessing their vendors’ cyber risk position after they were onboarded.

Supply chain fraud represents a challenging risk vector for companies large and small. No matter where your company is in the chain, it only takes one vulnerability to expose the whole chain to potential cyber fraud.

Large corporations have the staff and capital to constantly monitor their cyber risk and protect their business. But their suppliers may not have the same resources. Even if Tier 1 suppliers are well protected, there are Tier 2, Tier 3 and Tier 4 suppliers and vendors further down the chain: companies that are progressively smaller and less able to buy top security software, or even to have their own IT team.

“The nastiest and easiest hack for the bad guys is to look for your smallest supplier. A company like IBM or Coca-Cola or Diageo, they have hundreds and thousands of suppliers. And the farther out you go from your Tier 1 suppliers, the smaller they get and the more vulnerable they are to cyber attacks,” says Greg Schlegel, Co-Head of the Supply Chain Risk Management (SCRM) Consortium and spokesperson for the Institute of Risk Management.

The bad guys don’t try to break through tough security at big companies. They go all the way down to the smaller suppliers, because they’re looking for the weakest link.

Doing your due diligence

Most companies have a vetting process in place to ensure that the suppliers they contract have the right credentials for them – including cybersecurity. In fact, many of the larger companies will even help smaller firms with guidance, training and sometimes financial incentives to beef up their security. Barclays itself, for example, works very closely with its partners, offering advice and guidance to help them, says Nimesh Patel, Global Head and Director of Third Party Security Assurance and Monitoring at Barclays.

But for many companies, the problem lies in vetting once and then relying on the supplier to maintain that posture.

“We have seen many organisations manage their suppliers in a fairly binary way. They’ll send them a questionnaire once a year and if it all comes back hunky dory, they won’t take any further action. But really, you have to go to that organisation and kick the tyres yourself, because it’s your brand reputation, your customers’ assets and your business processes that you’re putting into their hands,” says Patel.

“And the other problem is that a supplier could have a great posture when you go to review them, but that’s a moment in time. You need a solid set of foundational controls, with due diligence and risk assessment. But then you also need lifecycle management once they’re onboarded. You need continuous monitoring tools to look for changes in their posture. You need to be sure that if they change their tech, or their suppliers do, they conduct penetration tests and inform you.”

Growing risks in supply chains

There are many reasons why cyber risks to the supply chain are growing, but they are linked to the increased complexity of supply chains. Globalisation, for example, has increased complexities in monitoring and managing suppliers across borders.

“In the last 10 years, most companies have started operating in regions of the world where they’ve never operated before. Why? Because they want to grow their top line revenue. So they have to go after immature markets, they build facilities in that country, they put in a distribution centre, they hire local employees, freight forwarders, agents, and so on. To do this, as a strategy, you need to grow your supply chain infrastructure,” explains Schlegel.

“If you had a hundred facilities before, suddenly, you’ve now added another hundred facilities to increase your supply chain and that increases your complexity and the number of touchpoints.”

The more nodes you have in the supply chain, the higher the probability that you’re going to have a risk event. That’s just simple maths.

The new normal has new challenges

More recently, the Covid-19 pandemic has opened up new risk vectors by forcing people to work from home en masse. Not only does that have a tendency to make business processes less precise, it’s also simply a less secure environment.

“No matter how big or small the company, many of us are now working from home. The threats are with our laptops, our smartphones and other devices and that caught out a lot of firms, even big ones, when lockdowns first started,” says Schlegel.

“The frequent headaches are malware, phishing and ransomware, those are the most common problems that any IT specialist has to live with.”

“When people are working from home, they’re in a more trusted environment, they’re less vigilant and I think they’re more susceptible to potentially downloading links that infect the organisation,” adds Patel.

“At the same time, organisations are looking to implement technology more quickly, responding to the pandemic and also to potential weaknesses in their supply chains, so they introduce new tech and new functionality. And sometimes speed becomes more important than checks and balances.”

How to handle supply chain risk

For companies across the supply chain, cybersecurity is increasing in importance, and so are the potential solutions. Today, there are hundreds of new cybersecurity software firms that are great options for companies who don’t have the resources for top tier solutions. But it’s also important for all companies to source help wherever they can find it.

“If you are supplying a bigger customer or working with a firm that is bigger than you, I would solicit them,” says Schlegel. “They’re not doing it altruistically, they’re doing it to survive and thrive and many collaborate with their suppliers on cybersecurity.”

Patel also points out that many industry bodies offer resources and guidance, including those in the law, accountancy and financial services industries.

Cybersecurity accreditation is available from many companies that will test your systems and try to hack them in order to help you improve your security. You could request that suppliers undertake the same testing, making it part of your contractual process. There are also companies that provide cyber assurance, and will consult on suppliers, providing evidence on what their security protocols are.

There are also standards and practices available to help build cybersecurity into supply chains. Internationally, the US National Institute of Standards and Technology (NIST) has a Cyber Supply Chain Risk Management (C-SCRM) project and ISO offers a number of standards. Here in the UK, there are resources available from the National Cyber Security Centre (NCSC) and other departments in the UK government.

Supply chain risk checklist

  • Ensure you run regular checks on your suppliers’ cyber security: conduct proper lifecycle management, go and kick the tyres yourself, and don’t just take their word for it.
  • Consult guidance from industry bodies, and if you’re able to, share your expertise with your own suppliers.
  • Get independent cyber security accreditation for your firm that is regularly refreshed, giving both you and the businesses you supply additional reassurance.
  • Conduct regular fraud awareness training for your staff to ensure they are primed not to fall victim to some of the most common fraud types, like phishing. Barclays runs a quarterly webinar which we encourage your colleagues to register for.
  • Regularly audit payments to ensure that suppliers’ payment details have not become compromised.
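The last checklist item, auditing payments against vetted supplier bank details, can be automated as a simple detection control. The script below is an added example, not part of the article or any Barclays tooling; the supplier baseline, payment run, sort codes and account numbers are constructed sample data, and the 14-day look-back window is an assumed policy value.

```python
"""Flag supplier payments whose bank details differ from the vetted baseline,
or whose vetted details were changed shortly before the payment was made."""
from datetime import date, timedelta

# Constructed sample data (assumption, not from the article): the vetted vendor
# master record and a recent payment run from the accounts-payable ledger.
BASELINE = {
    "ACME-001": {"sort_code": "20-00-00", "account": "12345678", "changed": date(2020, 3, 1)},
    "BOLT-042": {"sort_code": "40-11-11", "account": "87654321", "changed": date(2021, 5, 28)},
}
PAYMENTS = [
    {"supplier": "ACME-001", "sort_code": "20-00-00", "account": "12345678", "amount": 12000.0, "date": date(2021, 6, 1)},
    {"supplier": "ACME-001", "sort_code": "60-99-99", "account": "11112222", "amount": 48000.0, "date": date(2021, 6, 2)},
    {"supplier": "BOLT-042", "sort_code": "40-11-11", "account": "87654321", "amount": 5000.0, "date": date(2021, 6, 3)},
    {"supplier": "NEWCO-7", "sort_code": "30-00-00", "account": "99990000", "amount": 700.0, "date": date(2021, 6, 3)},
]


def audit_payments(payments, baseline, lookback_days=14):
    """Return a list of (payment, reason) pairs that need manual review.

    Three conditions are flagged: the supplier is not in the vetted baseline,
    the destination account differs from the vetted one, or the vetted account
    was itself changed within `lookback_days` of the payment (a freshly
    altered mandate is exactly what invoice-redirection fraud relies on).
    """
    findings = []
    window = timedelta(days=lookback_days)
    for p in payments:
        ref = baseline.get(p["supplier"])
        if ref is None:
            findings.append((p, "supplier not in vetted baseline"))
            continue
        if (p["sort_code"], p["account"]) != (ref["sort_code"], ref["account"]):
            findings.append((p, "bank details differ from vetted baseline"))
            continue
        if p["date"] - ref["changed"] <= window:
            findings.append((p, f"vetted bank details changed within {lookback_days} days of payment"))
    return findings


if __name__ == "__main__":
    for payment, reason in audit_payments(PAYMENTS, BASELINE):
        print(f"{payment['supplier']}: {reason} (amount {payment['amount']:.2f} on {payment['date']})")
```

Each flagged payment should be confirmed with the supplier through a known, independently verified contact before release, not by replying to the channel that requested the change.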

Regardless of the strategy, the supply chain needs to protect itself at every link to stop fraud.

“Good customers will go out and train their suppliers, because they understand that your suppliers’ risks are your risks. We’ve come to the conclusion over 12 years of operation at the Consortium that changing a key supplier can cost $1m to $3m. That’s pretty big money, so it’s incumbent on you to mitigate that risk,” concludes Schlegel.
