This content was published prior to the merger of equals between BKD and DHG on June 1, 2022. See all FORsights for the most up-to-date articles, webinars, and videos.
Cybersecurity Risk in the Supply Chain
As the U.S. economy recovers and businesses continue to outsource specialized products and services, supply chains become more complex. Such intricacy allows cyber attackers to leverage vulnerabilities in organizations with weak IT security processes, exposing not only that organization to a breach of system security and integrity, but also higher value targets up and down the supply chain.
The past year has been marked by an increasing number of attacks designed to compromise a target entity through a supplier organization with weaker security controls. SolarWinds, a widely used IT monitoring and administration platform, experienced a massive cybersecurity attack that went undetected for months and opened up the networks of up to 18,000 companies,[1] including many Fortune 500 companies and U.S. government agencies.
The Colonial Pipeline ransomware attack in early 2021 was a breach of a large branch of the nation's gasoline supply chain impacting other distribution companies' ability to deliver fuel. And an attack on Apple, Inc. supplier Quanta resulted in the theft of highly confidential schematics of unannounced Apple products, including an attempt to extort a $50 million ransom.
Focus on Supply Chains and Vendor Management
To help reduce impact to their data and systems, large enterprises are enhancing their vendor management programs by introducing more stringent requirements on their down-chain providers. Third-party audits of smaller providers are becoming common, and organizations should prepare to respond with a comprehensive program for protection of data and systems. DHG recommends consideration of the following three priorities:
| 1 | Build or enhance your cybersecurity program. The National Institute of Standards and Technology (NIST) stresses that "cybersecurity in the supply chain cannot be viewed as an IT problem only."[2] The combination of people, processes, and technology all factor into mitigating cybersecurity breaches and bringing visibility to the security and integrity of the supply chain. |
| 2 | Identify and assess your supply chain. Careful vetting and monitoring of the IT security practices of partners, vendors and suppliers can help strengthen your defense against cybersecurity attacks. NIST has compiled a list of additional best practices, such as incorporating security requirements into contracts and tracking vendor processes for hardware and software procurement. |
| 3 | Focus on evolving compliance obligations that address supply chain risk. New and existing cyber compliance frameworks are evolving to include increased focus on third-party and supply chain risk. Commercial service contracts are increasingly requiring demonstrated compliance with frameworks such as ISO 27001, SOC 2 and HITRUST. Additionally, organizations working with the federal government may need to consider frameworks such as NIST 800-161, NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) that may be incorporated into federal contracts and subcontracts. |
How DHG Can Help
As you evaluate your supply chain risk, look to the team of IT professionals at FORVIS to tailor our industry insight to the specific needs of your organization. DHG offers a comprehensive suite of cyber and data privacy and compliance services, focused on supply chain and third-party risk:
- Third-party risk management (TPRM) program consulting and advisory
- SOC 2 and SOC for Vendor Supply Chain examinations and reporting
- Third-party security assessments and audits
- NIST 800-161 and 800-171 compliance assessments
- CMMC readiness advisory
- Policy and procedure development and enhancement
Equally important, FORVIS' future-focused approach means you can trust that as cyber-threats change, we can help you adapt your strategy to proactively mitigate these threats. To learn more about our technology services, please contact us.
References:
