Targeted supply chain attacks have become increasingly prominent over the years. By creating a ripple effect through business ecosystems, a single attack can now impact hundreds of companies indiscriminately. Supply chain cyber security is therefore essential to every industry; no sector is an exception. Cybersecurity has become a business issue, rather than an IT or departmental issue.

Cyber attacks have multiplied in volume, sophistication and overall business impact.

Cyber attacks, especially those involving ransomware, have evolved to the point of creating their own business ecosystem, known as Ransomware as a Service (RaaS). RaaS has lowered the bar of entry into the ransomware business on several fronts at once, since operators supply the malware, infrastructure and extortion tooling and affiliates only need to gain access, while raising the stakes for its victims.

APT groups have also begun to follow the extortion model, contributing to a massive increase in the frequency and sophistication of these attacks. Such attacks not only affect the availability of business systems but can also result in the release of sensitive data, with serious ramifications for the business, its customers and its partners.

Supply chain collaboration is critical, especially during periods of disruption.

Supply chains have become a common denominator in cyberattacks. We can expect to see more of these attacks in the coming years, as cybercrime has become industrialized and attacking a supplier has proven to be an easier model for cyber criminals than attacking each target directly. That is why we have repeatedly urged organizations to incorporate their suppliers into the risk management equation.

While supply chain security requires IT resources for auditing and monitoring, it has never been solely an IT department issue. In fact, IT departments often find it difficult even to compile a complete list of suppliers, let alone manage the associated risks and continuously monitor those suppliers on their own.

Although every department has its own supplier relationships, a single function with a business mindset should own overall supply chain risk management. The right budget, resources and IT infrastructure are also needed to support logistics and regulatory compliance. The board should treat oversight of supply chain risk as part of its responsibilities and make it part of the enterprise risk management program.

Security investments require a business mindset, not just a technology mindset.

At the end of the day, a mature cybersecurity program boils down to selecting the right set of security controls and investments with the board's approval. It is important to weigh the security budget against the risk it actually reduces, so that the effort yields a higher Return on Security Investment. That is why these initiatives should be led by people with a business mindset, not just a control or technology mindset.

There are more effective ways to communicate risk throughout the organization.

This is always easier said than done. Regardless, the board of directors and executive leadership need to engage in this critical conversation. To make that happen, we need to bridge the gap between the business and technical departments, which requires adopting the language of risk rather than vulnerability and CVE jargon.

That means the old-school, classification-based risk approach, which sorts findings into qualitative buckets such as high, medium and low, no longer cuts it. Critical elements of a good risk management program, such as ROI analysis as part of the mitigation process, get lost in classification-based systems because a label like "high" says nothing about what a control costs or how much loss it avoids. The most effective way to get your board on board is to translate risk into financial terms.

Ready to revisit your organization’s third-party risk management strategy, but not sure where to start? Check out our do’s and don’ts for revamping your cybersecurity playbook.