Imagine that you can't fuel up your car when you need to drive to work or when you're set to go on a long vacation by car. In the United States, that was a reality in May 2021 when the Colonial Pipeline had to shut down its network due to a ransomware attack. A small percentage of gas stations in several American states were out of fuel, causing fuel prices to surge. The hackers, known as DarkSide, have been raking in millions from organizations in more than 15 countries since August 2020.

Technology has connected the world of business like never before. Organizations are able to scale at rapid speed and serve their customers in ways we never thought possible. This hyperconnectivity has opened new doors to a more seamless and integrated world.

However, it's important to remember that a door can swing both ways. This applies not only to IT environments: with the disappearance of the air gap between IT and OT, it now also applies to OT environments. All the more reason to up your game in mitigating cyber risks and to solidify your cybersecurity.

As businesses grow larger and more connected, they increasingly depend on suppliers to carry out business operations. As the technological landscape matures, this dependency, if not properly assessed, secured, and monitored, can become a vulnerability.   

Over the last few years, supply chains have been exposed as one of the major weak points in organizational security, providing an unintended back door into the private data and operations of unsuspecting businesses. While security may be top of mind within company walls, you are only as strong as your most vulnerable supplier.

It may be unsettling to know your risk profile depends on the vigilance of others, but taking proper steps to assess, secure, and monitor your supply chain can put you back in control. This article will help you understand the agile role security must play in your supply chain and how to adjust your practices to mitigate risk in the future.

160%

A year-on-year increase of 160% in ransomware events in 2020—with little sign of any slow-down in early 2021. [Source: CIFR intrusion data]

$50M

The Accenture Cyber Investigations, Forensics & Response (CIFR) team observed ransom demands ranging from US$100,000 to US$50M in 2020. [Source: CIFR intrusion data]


Security’s evolving role in supply chain management

This dependency on suppliers is a result of the rise in interconnectivity between organizations as a mutual building block of each other's business model. It's also a consequence of the common practice of outsourcing departments like IT, HR, and Security, which is becoming the norm for many organizations.

As a result of a shortage of skilled people, increased hyperconnectivity, and the dawn of affordable SaaS services, suppliers have answered the call for more accessible and flexible operations and security management.

  • Hospitals handle patient data more efficiently by connecting through smart technology and platform services.
  • Retailers are depending more than ever on their external suppliers for delivery of goods and services for JIT (just-in-time) delivery purposes.
  • Manufacturing organizations focus on their operations by outsourcing their SOC activities.
  • Chemical companies manage staffing shortages and acquire talent by hiring external engineers.

While this hyperconnectivity allows for faster growth, this dependency on third-party suppliers means organizations are not always aware of where their crown jewels are or who has access to them, let alone what impact these dependencies will have if something goes wrong.

This makes securing your supply chain all the more important. Organizations need to understand that managing and protecting your most valued information and data extends to, and depends on, who you work with, how closely you guard your gateways, and how you manage your risk.

It’s not impossible to secure your organization and manage this risk; it just requires you to take on a new role in an evolving supply chain and integrate this into your overall risk management strategy. Look at security not as an isolated protocol, but as a key element that extends into every element of your workflow. This will enable you to continuously assess and monitor your risk, making it easier to detect and neutralize threats.

Lunch & Learn: Securing your supply chain

Join us on June 9, 2021, from 12.00 to 13.00 CET, to learn more about the growing importance of supply chain security. This session is hosted by Suzanne Rijnbergen.

Evolving cybercrime demands updated practices  

In the past few years, increased access to technology has led to more malicious and sophisticated cyber-attacks. Cybercriminals are constantly adapting their methods to break through organizational security, and suppliers have been identified as a weak spot.

Recent attacks have shown us that supply chains are a vulnerability for even the most seemingly secure businesses. Malicious actors continuously probe organizations and, through loosely secured suppliers, are able to penetrate their defenses even if those organizations have maximally secured the data within their premises. These attacks can often go undetected, causing further damage not only to the initial vendor or supplier, but also to their entire network. In some cases, the attackers' actions are actually focused on those end targets.

In 2020, US-based software company SolarWinds uncovered a months-long security breach that exposed an estimated 18,000 customers. Many high-profile Fortune 500 companies such as Microsoft, as well as some departments in the US government, unknowingly installed malware during a regular update. The lag in detection allowed hackers to collect untold amounts of data from SolarWinds clients, in some cases exposing highly guarded information.

Months later, Microsoft Exchange fell victim to another unrelated cyberattack with an estimated 250,000 servers belonging to organizations all over the world compromised. Sensitive information was exposed, and, like SolarWinds, the attack was detected too late to prevent damage. Several public service organizations in Germany had confidential data stolen. Hackers targeted mostly small to medium businesses, local governments, and institutions due to their tendency to outsource IT services.

One of the most recent examples was the so-called ‘Cheesegate’, where the local cheese distributor to a retailer was hit by ransomware. This is thought to potentially be tied to the Microsoft Exchange vulnerability. As delivery was interrupted, the grocery chain experienced a shortage of cheese and empty shelves in the supermarket.

These cases show us just how much the security landscape has changed. Organizations are used to trusting their suppliers and do not foresee the risk of a breach. However, even the most air-tight organizations can be impacted if they do not update their approach. The responsibility lies with organizations to assess and address this risk in order to protect themselves. You must expand your security protocol both in and outside of company walls and, amongst other measures, monitor the risk of your suppliers constantly.

Becoming aware of the risks

We rely heavily on digitalization, and for many years organizations have been wary of increasing cybersecurity risks. Many have taken measures to secure their most valuable data within the walls of their organization. However, despite the controls put in place, the rapid hyperconnectivity of business has introduced a new type of security threat, something that the Dutch Intelligence Service urges organizations to be vigilant about.

Supply chain risk refers to the risk that an organization shares with its network. For example, when SolarWinds was breached, their network suffered equal or greater losses. Interconnected organizations share the risk associated with cyber-attacks. These shared risks include:

  • Financial risk: The financial effects of a data leak can be felt throughout the network. When the Microsoft breach occurred, this was not only a financial risk for Microsoft but for their customers as well. Many dealt with a financial fallout due to potential data leakage.
  • Reputational risk: A supplier breach damages the reputation of all parties involved, often calling trustworthiness into question. When such a breach becomes publicly known, the shortlists of organizations impacted by the breach also become available, shifting the reputational risk to many client organizations.
  • Operational risk: Your operations can be affected by a breach. The attackers might have access to the network to some degree and for an undetermined amount of time. In the case of supply chain risk, this involves the vendor/service supplier and can impact the client organization as well.
  • Social risk: The reliance of our systems on digitalization introduces a societal risk if proper security measures are not taken. Uncertainty in the digital journey can break the social trust in the systems we rely on. This trust is essential for our operations and continued growth.

Knowledge is power and action is key 

As risks evolve, so must businesses. Security should not be an afterthought, but instead, play a key role in business operations. Knowing what’s going on both in and out of your company and gaining insight into your exposure and the exposure of your key suppliers is essential for both securing your organization and responding to threats. Investing in excellent threat intelligence and applying metrics to your security can help you minimize your risk.

Effective cybersecurity works not only to keep attackers out but also to minimize the damage should your defenses fail. Tracking and immediately responding to incidents is crucial to monitoring the safety of your organization and catching hackers before they can do further damage. Given the nature of supply chain risk, organizations owe it not only to themselves but also to the entire business ecosystem to secure their place in this new digital supply chain.

What to consider when securing your supply chain

When assessing your supply chain, it is important your security practices extend from contracting to execution. Access to your organization is a valuable thing, therefore security should be put in place from the beginning and continuously monitored to ensure its effectiveness.

Hold your suppliers to a high-security standard

Your security measures should carry into your contracting. Many organizations neglect to enforce the strict protocols they would apply, for example, when hiring a new employee. Adopting a 'sign-and-forget-it' attitude toward your contract gives unwarranted trust that suppliers understand and will comply with your measures.

Supplier security should be approached with a Plan, Do, Control, Act (PDCA) mindset. Plan your contracts around secure practices. Do make sure measures are present throughout execution. Control and monitor the risk profile. And act on any issues that arise or improvements to be made.

Create a culture of protection

When it comes to access and data protection from the omnipresence of cyber threats, an alert and guarded workforce is your first line of defense. Those standing on the outskirts of the organization should only have access to need-to-know information. For suppliers, trust needs to be earned and managed properly.

In cybersecurity, the idea is that if you can connect or detect it, you need to protect it. This means that prior to making a new data connection or detecting an issue, you must have taken steps to protect your crown jewels. While great effort is put into testing the functionality and features of new technology, you need to have just as much focus on testing security protocols. Do not assume a supplier fits into your security architecture without testing the product, service, and configuration first.

The nature of technology is that it needs regular updates, meaning your security must evolve over time to remain effective. Your supplier relationships, knowledge of access, and adaptation of technology should be part of a continuous cycle of improvement and risk assessment. By continuously assessing, evaluating, and monitoring the gateways to your organization, you minimize the risk of a security threat bypassing your defenses. 

Steps to securing your supply chain

Protecting your supply chain may require you to rethink the way you approach security. There is no silver bullet when it comes to defending your organization. Therefore, security needs to become an integrated part of your business practice. 

Things to consider when securing your supply chain:

  1. Supplier management
    Include your security requirements in your contracts and apply, assess and monitor fulfillment during execution. Audit suppliers to ensure continued adherence and create a culture where suppliers will inform you proactively in case they are breached.
  2. Asset management
    Have a clear overview of what is running in your organization at all times. Know what suppliers you are working with, what role they play in your operation, and what access they have to your data.
  3. People awareness
    Supply chain management applies to all suppliers, even contractors. Apply the same strict security standards to individuals as you do to all suppliers. Even if the person is familiar, only grant them access if they have the proper clearance and remember to revoke credentials once their contract has been terminated.
  4. Monitoring & cyber threat intelligence
    Detect when something goes wrong and include tracked intelligence. For key suppliers, monitor your risk based on the security elements discussed in the contracting phase. Include cyber threat intelligence to understand your risk exposure and the risk exposure of your key suppliers, to effectively be able to manage these risks.
  5. Continuous third-party risk management
    Evaluate key suppliers on their security risk and apply security metrics as risk-based scoring to protect your organization effectively. Also apply cyber threat intelligence here, to ensure you are aware of the risk exposure of your key suppliers. Recognize that their security risk is your security risk and act accordingly.
  6. Penetration testing
    When introducing technology, think about security in your design and test it. There are many third parties that offer this as a service. High-impact organizations with access to highly sensitive data should acknowledge their responsibility to do this.
  7. Incident response support
    Monitoring issues is key to detecting vulnerabilities in your system. When you are breached, or know you have an increased risk, you may need the emergency support of some digital firefighters. Luckily, there are many third parties like Accenture who can provide the technical tools and strategy to put a security roadmap in place.

Lastly, challenge your suppliers on how they have arranged their security in their digital journey. Always remember that the security posture of your key technology vendor or service provider may become your weakest link.

The business environment is changing, meaning that for many companies increased opportunity has come with increased risk. However, updating your security to work cross-functionally throughout your organization will help you secure your supply chain and reap the benefits of hyperconnectivity.

By adopting a mindset of continuous assessment and improvement, your organization can mitigate risk in the future.   

Looking for a partner to help you secure your supply chain? Get in touch with Suzanne below.

Suzanne Rijnbergen

Associate Director - Cybersecurity, Resources and ICS, the Netherlands

Accenture the Netherlands
