Rethinking Cybersecurity: Ready for a makeover in supply chain risk management

Concerns are growing of cyberattacks on supply chains. Our research shows that more than half of companies believe supply chain disruptions have altered the cybersecurity threat landscape and heightened risk to the business. Two-thirds singled out generative AI as a concern, as companies fear that bad actors might use it to carry out new cyberattacks.

The numbers show that digital innovation comes with greater responsibility in terms of managing, responding to, and recovering from potential risk. Forty-one percent of organizations hit by major cybersecurity incidents in 2023 found that a third-party vendor was to blame, according to the Global Cybersecurity Outlook 2024 report by the World Economic Forum and Accenture—the result of rising cyber inequity.

Third parties with inadequate security practices become the weak links in the supply chain, offering entry points for cyberattacks. Just consider the recent CDK Global ransomware attack, which disrupted U.S. and Canadian auto dealerships and led to losses exceeding $1 billion.

Why does traditional risk management fall short?

Traditional methods like periodic assessments and supplier questionnaires often fail because of the following.

Manual operations. Many companies’ risk management organizations spend most of their time sending questionnaires to suppliers asking how they deal with their vulnerabilities, then manually collecting and collating responses. Other, more mature companies may conduct “outside-in” scans of the internet to inform them of their suppliers’ potential risk exposure, but even that doesn’t enable a company to accurately
attribute risk—i.e., which
supplier is exposed to what.

Inaccurate data. Self-reported data from suppliers may not reflect their current cybersecurity state. Suppliers might hide vulnerabilities or give outdated information.

Delayed detection. Periodic assessments give a snapshot of risk at one point in time. This delay makes businesses vulnerable to newer threats.

Limited insight. Static assessments might miss complex or hidden threats because they are too narrowly focused.

How to counter rising risk

Intelligent technologies and new practices can help organizations manage risk exposure from third parties more effectively. They should take the following five steps to get started.

1. Switch to continuous monitoring. Move from one-time risk assessments to 24/7 monitoring. Real-time insights help you spot and fix vulnerabilities quickly. Generative AI can step up with continuous threat detection from multiple sources, automating risk assessments with up-to-date information, and using behavioral analytics to spot unusual patterns or anomalies.

This approach helps identify potential issues before they become serious problems. Companies that have implemented continuous monitoring often see a significant reduction in breach detection times—up to four times faster, leading to lower costs associated with data breaches.

2. Work closely with suppliers. Build strong partnerships with your suppliers. Collaborate on risk identification and response. Day-to-day tips include regular check-ins, sharing threat intelligence, and creating joint response plans with clear line of decision making.

To mitigate increasing cyber inequity, larger organizations should help smaller businesses improve their cybersecurity maturity, as many lack the finances and talent to achieve acceptable security levels.

3. Check your cyber insurance. Ensure that your cyber insurance is up to date and covers potential risks. Many businesses find their coverage lacking only after an incident. Investing in comprehensive insurance can save significant costs in the event of a breach, covering expenses that could otherwise run into millions and billions.

4. Support critical partners and build strong partnerships. Invest in risk intelligence programs for essential third parties, especially those with limited resources. While these programs can be costly—covering technology, software, consulting, and continuous monitoring, data analysis and staffing (such as cybersecurity experts)—they protect your supply chain and strengthen partnerships.

Small- and medium-sized businesses, particularly in emerging markets, may struggle with these costs, but helping them not only shields your supply chain from disruptions but also reinforces your partnerships, ensuring a more robust and resilient network.

The threat exposure management space offers many new and evolving AI tools that use publicly available data to assess cyber-risk posture and
identify threats. Regular communication and setting clear expectations with suppliers will further enhance security and partnership management.

5. Contractual obligations for third parties. Third parties should be contractually bound to assist appropriately in the event of a cyber incident. Whether they operate controls on your behalf or if they have been attacked, having access to critical
information is essential for steering your own response effectively.

Staying ahead

Traditional risk management methods are no longer enough. To build a strong cybersecurity framework, companies should integrate AI and generative AI into their strategic planning. This involves aligning these technologies with compliance requirements, incident response plans, and risk management strategies.

As AI technology advances, it will enhance threat detection and prediction capabilities. Blockchain and predictive analytics will further boost AI’s role in cybersecurity. Staying ahead of these trends is crucial for maintaining a competitive edge and safeguarding supply chains.