Busting the Biggest Myths of Supply Chain Cyber Risk
Modern enterprises operate complex, interconnected supply chains and third-party networks full of security blind spots. High profile breaches like SolarWinds and Kaseya underscore the major risks that exist outside the firewall.
Yet myths and misconceptions about supply chain cybersecurity are still floating around. So I’m examining ten common ones – not an exhaustive list, and in no particular order.
Myth 1: We can fully protect our ecosystem with vendor due diligence.
Reality: Vendor security reviews provide a false sense of safety. Questionnaires offer only a snapshot of controls and compliance at the time they are answered. Hackers exploit the smallest vulnerabilities and constantly change attack vectors. No due diligence process provides full visibility across extended networks unless it operates in real time, is unified across the entire digital ecosystem, and has the built-in capability to quickly surface each supplier’s external digital footprint and its existing vulnerabilities.
“Check-the-box security assessments give incomplete risk insights,” notes Gartner analyst Roberta Witty. “Partner ecosystems are too large and fast-moving to capture with traditional reviews.”
Myth 2: Securing our own environment is sufficient.
Reality: Hackers actively target supply chains to breach downstream customers. For example, the infamous NotPetya attack that crippled Maersk started with compromised accounting software. A vulnerability anywhere in an ecosystem can lead to catastrophic effects for all parties.
“With interconnectivity soaring, organisations cannot focus purely inside their four walls,” says Pete Cooper, Principal Analyst at Omdia. “Supply chain cyber risk management requires looking beyond just your owned assets.”
Myth 3: Third parties won’t share enough info for proper diligence.
Reality: Transparency limitations do exist, but maturing regulations and standards are making third parties more forthcoming. For example, CMMC drives accountability down the US defence supply chain. In the UK, guidance like the HMG Supplier Standard helps align expectations.
“The paradigm is shifting. As cyber supply chain management matures, third parties understand the need for appropriate transparency to build trust,” says Kishore Rao, Head of Cyber Practice at Tata Consultancy Services. “Proactively communicate your security posture and requirements.”
Myth 4: Our industry has less supply chain cyber risk.
Reality: Every industry is vulnerable, with attackers seeking targets in finance, healthcare, retail, government, and more. Data breaches are increasing, and in many different forms. No sector is immune.
“Supply chain cyber risk is ubiquitous across industries. Defence in depth is mandatory regardless of your sector.” – Amit Yoran, CEO at Tenable
Myth 5: We can fully assess risks through contractual terms.
Reality: While legal contracts are useful, they have limited utility in stopping attacks. Hackers don’t check contracts before breaching suppliers with weak defences. Enforceable contracts lag the pace of emerging threats.
“Contracts provide guidelines but zero guarantees of supplier security. Vigilance must go beyond the written page.” – Chris Wysopal, CTO at Veracode
Myth 6: Our customers don’t really care about our supply chain security.
Reality: Customers, regulators, and partners increasingly scrutinise the cyber risk management of suppliers. New laws also mandate diligence of vendors before sharing data. Don’t be fooled – robust supply chain security is now a competitive differentiator.
“Build trust with customers by transparently showing your supply chain security measures, don’t just claim it.” – Laura Koetzle, VP at Forrester
Myth 7: This is solely an IT problem to address.
Reality: Managing supply chain cyber risk requires coordination across security, procurement, legal, IT, and executive leadership. Holistic governance and cross-functional collaboration are key – there is no room for a blame culture.
“Making supply chains cyber resilient requires breaking down silos and bridging cross-functional teams.” – Edwin van Schalkwyk, Partner at EY
Myth 8: We can just avoid high-risk suppliers.
Reality: In today’s interconnected business ecosystem, no company can fully avoid dependencies on third parties, even higher-risk small businesses. The focus should be risk management, not risk avoidance.
“With today’s complex supplier networks, you can’t eliminate third-party cyber risks – you must manage them.” – Sandy Carielli, Director at RSA Security
Myth 9: Our people won’t click malicious links from suppliers.
Reality: Employees let their guard down with partners. Social engineering such as vendor impersonation persuades staff to click risky links. Robust security awareness is essential across all supplier interactions. Keep your people trained on what to look out for, and run regular security awareness sessions: educate, educate, educate.
“Continuous security awareness is crucial – employees let down their guard with partners.” – Troy Hunt, Microsoft Regional Director
Myth 10: Insurance fully covers supply chain breach damages.
Reality: While cyber insurance helps, it does not cover all liability, legal, recovery and reputation costs from incidents originating in the supply chain. Prevention and resilience are still critical.
“While insurance helps, robust supply chain cybersecurity is still imperative for managing business risk.” – Reshmi Khurana, MD at KPMG
Establishing facts on supply chain cyber risk:
So how can security leaders debunk these myths and strategically manage supply chain cyber risk? Ask these key questions:
– Where are our critical third-party connections and data flows? Map your ecosystem.
– How can we maintain real-time visibility across the attack surface? Monitor beyond periodic reviews.
– Are partners meeting our security expectations in reality? Validate, don’t just trust.
– How quickly can risks or incidents be discovered and communicated? Improve threat sharing.
– Are we prepared to respond operationally if a third party is compromised? Test incident response processes.
With ecosystems so fluid, organisations need continuous visibility and dynamic control across the extended attack surface, rather than relying on point-in-time vendor reviews. New solutions allow just-in-time evaluation of supplier security. Emerging standards will also mandate greater transparency from third parties.
“Assume compromise will occur somewhere in your ecosystem,” advises Microsoft CVP Tom Burt. “Have the capacity to isolate and minimise the impact.”
The days of simply passing cyber risk down the supply chain are over. Every organisation is only as secure as its partners. As threat vectors rapidly multiply, security leaders must confront supply chain cybersecurity myths with facts. Managing risk holistically across the ecosystem is critical as enterprises digitally transform and interconnect.
With modern supply chain connectivity and risks, organisations need to move beyond outdated point-in-time vendor assessments. Continuous visibility and control across the entire third-party environment is required to truly manage risk.
“The expanding cyber attack surface requires a fundamentally new approach to third-party risk – shifting from imperfect periodic reviews to continuous contextual visibility and robust cyber hygiene standards across the entire ecosystem.” – Raj Meghani