Ransomware Looms Large on Third-Party Risk Landscape

Billy Anglin
Author: Billy Anglin, Cybersecurity Exam Engineer, ISACA
Date Published: 10 January 2023

Cybersecurity supply chain risk management is an increasingly important concern for enterprises. As adoption of cloud datacenters and software as a service grows, so does reliance on complex and global supply chains that introduce a multitude of potential vulnerabilities that can be exploited by cybercriminals. In this blog post, we will explore some key strategies for identifying and mitigating supply chain risks, with a special emphasis on ransomware risks in the supply chain.

First, it is important to have a clear understanding of the enterprise’s IT-related supply chain. This includes identifying all of the suppliers, subcontractors and other partners that process, transmit or store data used in the creation of the enterprise’s products and services. It is also important to understand the relationships between these different entities, as well as the specific products and services that each one provides, which results in a mapping.

Once the supply chain has been mapped out, the next step is to identify the potential risks associated with each component of the chain. This includes both external and internal risks. External risks might include things like natural disasters, political instability or economic downturns. Internal risks might include things like employee turnover, equipment failure or data breaches.

To identify these risks, enterprises should consider conducting a risk assessment. This will involve gathering and analyzing data from a variety of sources, including supplier contracts, insurance policies and regulatory compliance reports. It might also involve conducting onsite visits to suppliers or engaging in other forms of due diligence.

Once the risks have been identified and documented, the next step is to develop strategies for mitigating them. This will involve implementing processes or technologies to reduce the likelihood of cyber supply chain disruptions or establishing contingency plans in case disruptions do occur. For example, an enterprise might implement a software platform that allows it to monitor its supply chain in real-time or to establish relationships with multiple email suppliers to reduce the impact of any single supplier’s disruption.

In addition to these proactive measures, it is important to have a plan in place to respond to supply chain disruptions if and when they occur. It is also important to communicate clearly and effectively with stakeholders, including employees, customers and shareholders, to ensure that they are aware of the situation and the steps being taken to address it. This might involve activating contingency plans, such as sourcing products from alternative suppliers or temporarily suspending operations.

Addressing Ransomware Risk

Currently, ransomware is a significant risk for enterprises that rely on third-party vendors for business-critical operations. A ransomware attack on a vendor’s system can disrupt the flow of goods and services, leading to financial losses and reputational damage for enterprises. Vendors that have fallen victim to ransomware attacks may not be able to provide assurance that the attack has been fully contained or that customer data have not been compromised.

To mitigate the risk of a ransomware attack through third-party, it is important for enterprises to conduct thorough due diligence when selecting vendors. This might include reviewing vendors’ cybersecurity practices and policies, as well as assessing their track records of security breaches or incidents using a third-party vendor management platform or online news sources. Enterprises should also consider requiring vendors to demonstrate their cyber resilience though regular assessments or certifications.

In addition to conducting due diligence, enterprises can implement other risk management strategies to protect themselves from ransomware attacks through their supply chains. This might include implementing and testing contingency plans for responding to disruptions, having alternate communication methods, having robust data and system backups that are tested for recoverability, and regularly updating software and systems to protect against new threats.

In conclusion, supply chain risk management is an essential concern for enterprises. By taking the time to understand the enterprise’s supply chain and identify potential risks, enterprises can help mitigate these risks and protect the enterprise from potential disruptions. By implementing proactive measures and having a clear plan in place for responding to disruptions, enterprises can help ensure that they continue operating effectively in the face of any challenge.

Editor’s note: For additional resources on this topic, download ISACA’s Ransomware Readiness Audit Program.