Today's supply chains are incredibly vulnerable to cyber risks. Across both direct and indirect procurement categories, the hyper-connected nature of global supply means that an incident affecting one business can have an impact up and down their supply chain.
On top of the operational damage a supplier's breach can inflict (disruption to supply being the most visible), significant reputational harm can also be suffered. This is because businesses hold a large amount of sensitive data about their customers, placing them in a position of trust. If this data is breached (whether directly or via an attack on a supplier), individuals can come to personal harm and their trust in the business can be broken.
All of this ultimately creates a significant governance issue, not only from a regulatory standpoint but also in the context of shareholder value. A 2022 report found that the average impact on a business's valuation following a cyber attack is 4.6%.
Cyber crime is prolific
Darkbeam routinely and automatically monitors the dark web activity of the world's leading ransomware gangs. On February 14th, one gang alone showed evidence of having breached 17 organisations, including a global logistics firm, several engineering firms, widely recognised retailers, two medical institutions and a law firm. This daily count is typical for a single ransomware gang, and there are many such gangs in operation.
Supply chains present multiple entry points for attack...
Within a supply chain, each vendor is a potential entry point for an attack. Darkbeam has clients with over 10,000 suppliers, representing a very large 'attack surface' in the parlance of cybersecurity analysts.
Almost half of businesses have suffered major impacts due to a supplier being breached
...but Procurement teams have limited visibility and control.
Across such a vast supply chain, very few businesses have visibility of their cyber risk levels. A UK Government report in 2022 revealed that only 13% of UK companies have any level of cyber risk visibility among suppliers.
Not only is this lack of visibility a governance issue, it also creates significant opportunity for risks to surpass a business's "accepted" level and ultimately lead to a breach that goes undetected until it is too late to prevent or reduce its impact. In 2022, the average time to detect a security breach was 207 days, by which time information regarding the impacted data and its wider implications may be lost.
Saving time can reduce disruption
Breaches happen and cannot be avoided completely. However, the sooner a business knows about a breach, the sooner it can enact important processes to protect its operations, finances and reputation. Dark web monitoring from Darkbeam often discovers that a supplier has been breached before the supplier itself is aware, placing Darkbeam clients on the front foot of incident response and business protection.
Businesses lack cyber risk management processes.
Of course, measuring risk is not – on its own – a solution to the problem. It does, however, provide visibility of a company's unmitigated risk levels. With this mapped, a business can begin a strategic approach to Supplier Cyber Risk Management.
A visualisation of cyber risk against the business's risk tolerance, divided by category.
This approach might include implementing playbooks for working with high-risk suppliers, offsetting risk levels through warranties and insurance, or replacing high-risk suppliers altogether. All of these tactics extend to the initial stages of Procurement, with cybersecurity being a valuable consideration during the RFP process.
This risk can be managed.
This lack of Supplier Cyber Risk Management is not a symptom of negligence by Procurement leaders. It is simply a result of conflicting demands on time and a global shortage of cybersecurity skills and tools.
Darkbeam has been specifically designed to help Procurement organisations measure, monitor and address the level of cyber risk in their supply chain.
Darkbeam's platform automatically assesses and monitors the cyber risk levels of all suppliers in a supply chain, saving time (compared with manual Vendor Risk Assessments), providing consistent accuracy and offering large-scale visibility of risks and threats in an understandable way.
Through the Darkbeam platform, the whole process is fast and largely automated. Even the busiest or least tech-savvy professional can reduce the opportunity for cyber criminals to cause operational, financial or reputational harm in their Category.
For more information, create a Darkbeam account or contact us using the form below.