Forum: Supply Chain Security
Roundtable: The Overwhelming Task of Mitigating Supply Chain Risks.
As if protecting businesses from cyber threats wasn’t a hard task already, its complexity escalates in the supply chain. Does an organisation’s security level depend on the security of every business it does business with? Is mitigating the risks of your organisation and of all external parties in your network a viable task? We ask the experts:
How should suppliers and third-party service providers be taken into account when mitigating risks?
“There is no easy answer to this question,” says Markus Braendle, SVP and Head of Cyber Security at Airbus. “When mitigating supply chain risks, you need the IT and OT security departments, but also the procurement, legal, and business teams to be involved. Different functions need to collaborate to tackle this challenge.”
“To me, information security represents 90% of the approach when considering incorporating new suppliers into your network,” says Matthias Muhlert, CISO at HELLA. “You need to define what third-party suppliers should be allowed to access and what they are authorised to do with it. Only once these guidelines are established can they demonstrate that your data is being handled accordingly.”
“Cyber security is the remaining 10% of the approach. It can determine, for example, if the data shared can be destroyed later,” he continues. “Use cyber security as a technical measure to limit your risks, and information security as a preventive measure to control your exposure.”
Claudio Bolla, Group Information Security Director at INEOS suggests that “information security in the supply chain should be a shared responsibility between all parties in the network. They need to agree on the required level of assurance of all data exchanged.”
“Understanding third-party risk is crucial,” answers Steve Mulhearn, Director of Enhanced Technologies at Fortinet. “There needs to be an auditable standard that third parties adhere to. Procedures for understanding, processing and managing the ongoing threat landscape don’t prevent breaches from happening, but are helpful for mitigating risks and managing damage caused by breaches.”
Is a company only as safe as its weakest link in the supply chain?
Markus: “Yes, of course. And that’s always the challenge with cyber security – external factors keep forcing you to adapt and adjust your own risk mitigation approach.”
So to what extent can you control what will be done with your information in the supply chain?
Claudio: “Well… besides contractual and industry-specific requirements, you are not really able to control information once it leaves your system. Data leakage via third parties is always a risk, so it’s best to take a ‘better safe than sorry’ approach when sharing information.”
Matthias: “The only thing you can protect is your information, so start by establishing its levels of confidentiality. If an attacker accesses one of your documents, you can only limit what they will be able to do with it – such as by making it read-only. But of course the content will still be exposed… That’s why it is crucial to evaluate your information’s worth before sharing anything with anyone.”
Is it possible to assess another business’ level of cyber security before sharing information with them?
Markus: “I think it is possible to have a good idea of how secure your supplier is, but it all depends on your arrangement, level of trust, and on what’s stated in your contract.”
Matthias: “Ultimately, you need to limit your efforts. I focus strictly on confidential information. When considering adding a company to the supply chain or outsourcing services, we look at minimum requirements from the earliest stage possible – such as whether they are ISO 2700 certified. If they don’t have certain standards and certifications, we simply don’t consider dealing with them.”
Claudio: “The subject is complicated in the supply chain because there is no single set of rules or standards that companies can follow. Some companies offer broker services to ensure a common level of cyber security between the parties involved. But in many cases, there is little visibility on how secure a partner really is.”
“If a broker service isn’t available, companies should create protocols and minimum cyber security requirements that third parties must subscribe to in order to be considered for business,” recommends Claudio.
Steve: “Risk is not good or bad; it’s about how much is acceptable. Leaders must assess and understand their risks, valuable assets, and potential exposure in the event of a breach, and then they must evaluate what risks they are willing to accept.”
HELLA, Airbus Cyber Security and Fortinet will continue this conversation in Munich, February 7th – 8th 2019 at ManuSec Europe – the Cyber Security for Critical Manufacturing Summit. Join them to network, debate, learn and assess the best practices to achieve Industry 4.0 resilience. Save €250 on your Early Bird conference pass before the 18th of November – more details at the website.