Building Supply Chain Resilience Through Third-Party Cyber Risk Management In Universities

September 28, 2022

Research released by the UK Government shows that only 62% of Higher Education institutions have reviewed supplier-related risks relating to cyber security. This is at odds with the fact that supply chain cyber attacks increased by 51% last year (2021).  

Gartner's 'Future of Supply Chain' study revealed that 87% of Procurement leaders (not limited to Higher Education) believe their supply chains need to become more resilient in the next two years. Due to suppliers' reliance on technology and potential access to sensitive University information, cyber security is a critical factor to consider when planning to improve resilience.

Higher Education regularly tops lists of the most targeted industries / sectors by cyber criminals. A combination of their expansive attack surface, large quantities of data and strict schedules make universities an appealing target for threat actors. 62% of higher education institutions report experiencing breaches or attacks at least weekly.

For more insight into cyber crime against universities, see Darkbeam's proprietary analysis of a 2022 ransomware attack against Florida International University.  

62% UK Higher Education Institutions who have reviewed cyber risks posed by their immediate suppliers or partners

University supply chains are vast. For example, one UK university revealed that it has more than 8,000 suppliers registered and an annual spend on goods and services of c£410m. Clearly, this does not lend itself to in-depth monitoring of each supplier. Despite this, the CPO must minimise disruption and the CISO must form an accurate picture of risk levels facing the entire University – including its supply chain. 

Darkbeam often observes a tiered approach to supplier cyber risk management when working with clients in the Higher Education sector, with responsibilities shared between the Procurement and Information Security teams. When onboarding (or analysing current) suppliers, a variation of the following process can be highly effective: 

All suppliers:

  • Perform Darkbeam analysis to gain visibility of the supplier's cyber security posture 
  • Complete an internal assessment to determine the level of risk exposed by the supplier 
    • This will highlight whether the supplier holds sensitive information or has the potential to disrupt the university's operations 

Low-risk suppliers:

  • Information Security approve the assessment 
  • Category Manager adds the supplier to a Darkbeam Watchlist to monitor for any spikes in risk levels 

 High-risk suppliers:

  • The supplier is asked to complete a detailed questionnaire and return it to Information Security for review. They approve the supplier once confident that internal thresholds for risk tolerance are satisfied 
  • Category Manager adds the supplier to a Darkbeam Watchlist to monitor for any spikes in risk levels 

The above approach provides a numerical 'Risk Score' for each supplier, allowing Leadership to assess and report risk levels against the institution's agreed tolerance. It also maximises efficiency for both Procurement and Information Security teams, by focusing resources on the highest risk suppliers and allowing automated Watchlists within the Darkbeam platform to monitor all suppliers and flag changes in risk levels. 

Anecdotally, when supporting clients to implement a Third-Party Cyber Risk process, we are often met with conflicting opinions of which team owns cyber risk associated with suppliers: Procurement or Information Security.  

Whilst ultimate responsibility will vary from institution to institution, implementing a process similar to the one above which utilises Darkbeam's automated Third Party Cyber Risk Management platform allows Procurement teams to take cyber security into consideration when assessing potential vendors and managing relationships with existing ones.  

There can be no 'one size fits all' approach to Third-Party Cyber Risk Management for Universities. Variations in risk profile, tolerance and available resources from institution to institution mean that processes will change accordingly. 

An effective third-party cyber risk management programme can tangibly reduce the risk of cyber-crime related disruption across the supply chain. When implemented properly, the programme provides actionable insights; resulting in heightened resilience and defensible governance practices.

Darkbeam works with a number of Higher Education institutions in the UK and overseas to provide support, tools and capabilities spanning their Attack Surface Management activities, from third-party cyber risk monitoring to full-service cyber threat intelligence. Our experts partner with Procurement and Information Security teams to assist in implementing and sustaining various risk and threat reduction programmes. 

For more information, please contact us using the form below:



Subscribe Here!