Cybersecurity: Are Your Suppliers Putting You at Risk?

By | January 27, 2021

Enterprises have to defend their data from millions of criminal attempts to infiltrate their IT systems every day. But do you know who got the ball rolling, and why?

Blame Robert T. Morris. In 1988, the grad student set loose the first malicious code – reportedly to find out “how big” the internet was. Many people regard the Morris worm as the first cyberattack.

To find out what happened next, read on:

Table of Contents:

  1. What is cybersecurity?
  2. Why cybersecurity is important
  3. How cybersecurity works
  4. What is a cybersecurity risk assessment?
  5. What are the top three cybersecurity threats?
  6. Why is cybersecurity awareness training necessary?
  7. Five steps for managing cyber threats

1. What is cybersecurity?

In its broadest definition, cybersecurity is the protection of digital networks, devices, programs and data from attacks. Such measures include technologies that offer multiple layers of protection. Some examples are firewalls (that allow or block access), encryption (making data unreadable to unauthorized users), and authentication (proof of identity). However, good cybersecurity strategy also includes policies and practices, so that users understand cybersecurity risk, how to defend their systems and why they must do so.

Back in 1988, in releasing the self-replicating worm, Morris’s stated aim was “to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects.” And it did. Within 24 hours, the Morris worm had spread to about 10% of the world’s 60,000 connected computers at the time, disabling most of them.

On the positive side, this early malware also triggered the start of an entirely new field, cybersecurity – which serves to safeguard today’s more than seven billion internet users. So perhaps instead of blaming Morris, we should thank him.

2. Why cybersecurity is important

Discovering how cybersecurity started helps explain why it is important. Not only has internet use exploded in the past 30 years; cyber risk has kept pace, and cyberattacks continue to evolve. So, when you understand cyber risks and cyber risk management, you can better protect your business and your supply chain.

Increasingly, your cyber risk strategy, or more specifically, cyber risk management strategy, must involve suppliers, vendors and any other third parties in your supply network. Here’s what you need to know:

  • Supply chain cyber risk is growing. Digitalization, mobile devices, Internet of Things, and the rise in home-office working expand the playing field
  • 50% of all cyberattacks use island-hopping – moving laterally in a network – to access and infiltrate supply chain partners
  • On average, data breaches go undetected for 280 days
  • 66% of small businesses were victims of a cyberattack in 2019

In short, cybercriminals seek out the weakest link in your supply chain to gain access to your digital systems, so your cyber risk and security may depend largely on how effectively you monitor your supply base. Greater visibility into your sub-tiers improves your cybersecurity risk management. Properly vetting suppliers’ cybersecurity, cyber risk management and data protection measures can save you money and save your reputation.

Using Sphera Supply Chain Risk Management [formerly riskmethods] you can continuously monitor cyber risk in your supply network – and demonstrate proactive risk management.

3. How cybersecurity works

To be effective, cybersecurity combines technology with human behavior. The most advanced firewalls or antivirus software are not secure if staff are not aware of or do not follow data protection policies.

Even if your enterprise has advanced cybersecurity policies and technology in place, you might have sub-tier suppliers unable to protect their networks, for reasons including technology failure (incorrectly configured software), lack of resources (not enough staff, outdated patches) or lack of awareness (insufficient knowledge or low priority). The broad attack surface means that cybersecurity risks for businesses are much more multilayered than in Morris’ student days.

Yet cyber supply chain risk management is not all doom and gloom. In today’s increasingly digitalized procurement environment, it offers solid business benefits as well:

  • Raise awareness with stakeholders and executive leadership
  • Improve communication on cybersecurity expectations with business partners, suppliers, and other third parties
  • Align internal guidelines with industry standards and legislation
  • Learn and show industry best practice

4. What is a cybersecurity risk assessment?

With a cybersecurity risk assessment, you take a close look at your – or your suppliers’ – level of risk preparedness. To identify and rate cyber threats and vulnerabilities, independent auditors or cyber risk management companies review the relevant IT-infrastructures. Many cybersecurity specialists rely on the international standard ISO/IEC 27001:2013, which details specifications for managing risk in an information security management system.

As with any risk assessment, when assessing cyber risk, several aspects are essential:

  1. Determine which data is most critical. Here you might apply the information-security triad of Confidentiality, Integrity and Availability. Ask yourself these questions:
      • Confidentiality: What if the data becomes public?
      • Integrity: What if the data becomes altered or falsified?
      • Availability: What if the data can no longer be accessed?
  2. Understand risk and consequences. You might want to group critical data by topic, its contribution to essential business operations or risk in cost, image, quality and performance.
  3. Assess systems. What measures do I have in place to protect my data and IT-systems?
  4. Evaluate probability. How likely is a data breach of my system? The human aspect cannot be neglected here.
  5. Calculate a risk scorecard. This gives you an easy-to-understand snapshot of the risk status on an established numerical scale.
  6. Create a criticality assessment. Once you’ve identified risks and established your critical assets, you can develop plans to mitigate any cybersecurity risk.
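Steps 1 to 6 above can be carried through as a small scorecard. The following is an added example (not code from the original article or from Sphera): each data asset handled by a supplier gets a 1–5 rating for the three CIA questions and for breach likelihood, the worst-case CIA rating is multiplied by the likelihood, and the supplier's card is driven by its highest-scoring asset. The 1–5 scale, the tier thresholds and the sample supplier data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List

RATING_SCALE = range(1, 6)  # 1 = negligible/rare ... 5 = severe/almost certain (assumed scale)

@dataclass
class DataAsset:
    name: str
    confidentiality: int   # harm if the data becomes public
    integrity: int         # harm if the data is altered or falsified
    availability: int      # harm if the data can no longer be accessed
    likelihood: int        # how likely a breach of this data is (human factors included)

    def __post_init__(self) -> None:
        for value in (self.confidentiality, self.integrity, self.availability, self.likelihood):
            if value not in RATING_SCALE:
                raise ValueError(f"rating {value} for {self.name!r} is outside 1..5")

    def impact(self) -> int:
        """Worst case across the CIA triad: the dominant concern sets the impact."""
        return max(self.confidentiality, self.integrity, self.availability)

    def score(self) -> int:
        """Impact x likelihood, giving a 1..25 risk score."""
        return self.impact() * self.likelihood

def criticality(score: int) -> str:
    """Map a 1..25 score onto tiers (thresholds are an assumed convention)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def supplier_scorecard(supplier: str, assets: List[DataAsset]) -> dict:
    """Roll per-asset scores up into one snapshot; the riskiest asset drives the tier."""
    ranked = sorted(assets, key=lambda a: a.score(), reverse=True)
    top = ranked[0]
    return {
        "supplier": supplier,
        "score": top.score(),
        "tier": criticality(top.score()),
        "driver": top.name,
        "assets": [(a.name, a.score(), criticality(a.score())) for a in ranked],
    }

# Constructed sample: one sub-tier supplier that handles two kinds of our data.
SAMPLE_ASSETS = [
    DataAsset("customer PII", confidentiality=5, integrity=3, availability=2, likelihood=3),
    DataAsset("shipping schedules", confidentiality=2, integrity=4, availability=4, likelihood=2),
]

if __name__ == "__main__":
    print(supplier_scorecard("Supplier A (constructed)", SAMPLE_ASSETS))
```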

For greater details, you can download cybersecurity risk assessments offered by government agencies or cybersecurity companies. And, because cyberattacks on supply chains are increasing, a cybersecurity assessment is critical. This is also why cyber risk assessment needs to be anchored in your supplier evaluation and third-party risk management. If your suppliers are hit, you too are likely to suffer the consequences.

5. What are the top three cybersecurity threats?

Attacks continue to evolve, so it’s difficult to name the top three cybersecurity threats. The following types of attack are among the most common cybersecurity risks:

  • Advanced Persistent Threats (APTs): An intruder settles in your network to mine sensitive data.
  • Denial of Service (DoS): The perpetrator sends a huge volume of fake requests to cripple your website or server. A Distributed DoS (DDoS) launches the attack from multiple devices.
  • Ransomware: Locks access to your IT-system or encrypts files. It can spread to the entire network. The attacker demands money, a ransom, to restore access. Ransomware is a type of malware, or malicious software.

The list of cybersecurity threats is, of course, much longer. Sphera Supply Chain Risk Management [formerly riskmethods] automatically provides you with an instant risk evaluation of any vulnerability in cybersecurity, as well as real-time warnings of cyberattacks in your supply network. And you can seamlessly integrate additional specialized cyber risk intelligence from a number of other organizations.

6. Why is cybersecurity awareness training necessary?

Cyberattacks are powered by increasingly advanced software and bots, but threat actors often bypass security technology by manipulating users. In fact, most data breaches can be traced to human error. Employees are fooled by phishing (fake sites or emails), they use insecure passwords, or they fall victim to social engineering, in which attackers talk or write to users to gain access to IT-systems. Just one person’s mistake can let an attacker infiltrate your entire network and put sensitive data at risk.

Awareness is the first step to managing cyber threats. To reduce cyber risk, staff must be trained on the need for cybersecurity. And training must be ongoing, to keep pace with rapidly evolving technologies and tricks.

But that’s not all. Mistakes when handling data may have legal consequences, including fines. And when your customer data is handled by a supplier, they might unknowingly breach the General Data Protection Regulation (GDPR), for example, which governs the controlling and processing of personally identifiable information and requires the reporting of cyberattacks and notification of breaches.

By the way, Morris was the first person sentenced under the then-new US computer crime law, the Computer Fraud and Abuse Act (CFAA), which prohibits accessing protected computer systems without authorization.

7. Five steps for managing cybersecurity threats

Cybersecurity management for your supply chain is one focus of the U.S. National Institute of Standards and Technology (NIST). Its cybersecurity specialists have developed a five-point framework of voluntary guidelines for reducing cyber threats and vulnerabilities in critical infrastructure – including supply chains.

  1. Identify. Develop understanding of cybersecurity risk to systems, people, assets, data, and capabilities
  2. Protect. Install appropriate safeguards to ensure delivery of critical infrastructure services
  3. Detect. Implement activities, such as continuous monitoring and detection, to identify the occurrence of a cybersecurity event
  4. Respond. Create action plans for response when a cybersecurity incident is detected
  5. Recover. Maintain plans to ensure resilience and to restore any capabilities that were impaired in an attack. Organizations commonly develop an IT-disaster recovery plan to get critical systems up and running

You’ve probably noticed that the NIST framework contains many aspects of sound supply chain risk management. And indeed, integrating cybersecurity into your supply chain risk management is critical for protecting your business resilience.

And speaking of resilience, did Morris bounce back? The early bird of cybersecurity now belongs to the faculty of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology (MIT). With luck, he’ll be the first to catch today’s runaway worms.

riskmethods was acquired by Sphera in October 2022. This content originally appeared on the riskmethods website and was slightly modified for
