
You are only as strong as the weakest link in your supply chain

By Michael J. Martin | July 15, 2024 | 3 min read

Last August, Clorox was the victim of a cyberattack that caused the cleaning products giant to take many of its systems offline, and resulted in a shortage of Clorox products this past fall. The breach, which cost the company $356 million, was reported to have been caused by a social engineering attack on one of Clorox’s suppliers, an IT help desk vendor.

The Clorox story illustrates an important fact about security and third parties: you are only as strong as the weakest link in your supply chain.

The growing risk from your third parties

Most businesses can’t do business without third parties; they are your partners, vendors, suppliers, distributors and any other outside group that helps you make or sell your product.

However, for years, third parties have been a notorious weak spot in the security of the extended enterprise; breaches last longer, are more difficult to detect, and tend to cost more when third parties are involved. This is complicated by the fact that you can’t control and monitor vendors’ security controls the way you can within your own organization, and some vendors may not have the same levels of controls that your enterprise has.

Criminals are aware of this; supply chain data breaches reached an all-time high in 2023, with threat actors cashing in on the fact that if they compromise one supplier, they are likely to reap the data of several enterprises at once.

How can you secure your supply chain?

You can’t be expected to police the security of your entire supply chain. At best, it's impractical (and expensive). At worst, it's impossible. Most supply chains are a large, complex ecosystem of organizations, each with varying degrees of security. However, you don’t have to secure your whole supply chain — just your most critical tier one suppliers.

Most businesses don’t go further than security questionnaires when they are trying to secure their most critical third parties, for several reasons:

  1. They lack the time or money to conduct the necessary in-depth security assessments of their critical tier one suppliers

  2. They are unable to obtain information from all their most important suppliers

  3. They don’t know what controls to check, or lack the skills to perform an assessment

  4. They haven’t made supply chain security a priority

  5. They don’t know which suppliers are their critical tier one suppliers, and may feel as though they have to secure the entire supply chain

What is a tier one supplier?

A tier one supplier provides mission critical or important services or goods to your organization. They have access to your networks and systems and can potentially be an attack vector for a threat actor.

Here’s our rule of thumb for defining critical tier one suppliers:

If a supplier shutting down would shut your business down (and you don’t have an alternate in place), that's a critical tier one supplier.

For those most important suppliers, it’s important to make sure your contracts include security considerations that protect your business.

The power of contractual requirements

When you are onboarding a new supplier, we suggest building security into the contract, requiring your third parties to adopt your security process. These requirements may look something like this:

  • You, our supplier, will conduct security assessments at your sites annually.

  • You will provide proof that you are assessing your sites annually.

  • You will require your own tier one suppliers to conduct the same assessments and provide proof to you.

By making security controls part of your contractual requirements, you’re not taking on the security of your vendors alone — nor should you. These are your partners and suppliers for a reason; you should be able to rely on them.

Managing supplier risk and implementing a risk management platform is crucial for strengthening supply chain resilience. Circadian Risk can give your business the tools to ensure your tier one suppliers are implementing your required security controls. Contact us today to speak with an expert.
