By: Joram Borenstein, General Manager of Microsoft’s Cybersecurity Solutions Group
This article was first published by BRINK on December 17, 2019
In the world of global supply chains, trust is becoming an increasingly important commodity.
The concept of “technological social responsibility” — the recognition and acknowledgement by each organization of its cybersecurity obligations within the supply chain — is now on the agenda for many industry leaders.
Every organization needs to play a role in the integrity and security of its digital supply chains, as a lack of trust can impede business performance and innovation.
“Risk management, supply chain security assurance, safety, regulatory compliance and licensing all require a synergetic approach toward quality assurance and end-to-end discipline, traceability and visibility,” according to a report titled ICT Supply Chain Integrity: Principles for Governmental and Corporate Policies from the Carnegie Endowment for International Peace.
Are You a Risk to Others?
Organizations are aware of the risks their supply chain partners may pose to their own cyber posture, but most do not fully appreciate the risk in reverse, according to the 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft. There is a marked discrepancy in many organizations’ views of the cyber risks they face from supply chain partners, compared to the level of risk their organization poses to its counterparties.
Thirty-nine percent of organizations perceive risk from their supply chain partners, but only 16% perceive risk they present to their supply chain partners. This pattern appears consistently across industry sectors and geographic regions.
And this gap increased significantly with revenue size: 61% of companies with revenues of $5 billion or more said they faced high risks from their supply chain — and only 19% said they posed a risk to it.
This is a dangerous perception gap that many organizations, especially large ones, need to address to effectively protect their supply chain ecosystem.
Responsibility to Suppliers
There was also a disparity between the cybersecurity measures and standards that organizations apply to themselves, versus those they expect from suppliers. On balance, respondents were more likely to set a higher bar for their own organization’s cyber risk management measures than they do for their suppliers.
For example, 56% of organizations said they expect suppliers in their digital supply chains to implement awareness training for their employees; yet 71% said that their organization has implemented such a requirement for itself.
Such disparities could lead organizations to think their suppliers are less prepared to manage cyber risk than they are, thus diminishing the organization’s trust in its supply chain.
The disconnect may also be driven by organizations’ low confidence in their abilities to prevent or mitigate cyber risks posed by commercial partners. The proportion of organizations stating they are “not at all confident” that they could mitigate cyber threats from supply chain partners ranged from 13% to 30%, generally twice as high as those who reported being highly confident.
Overall, 43% reported “no confidence” in their ability to prevent cyber threats from at least one of their third-party partners.
Appetite for Government’s Role Draws Mixed Views
In recent years, regulators globally have enacted numerous measures to hold corporations and executives more directly accountable for ensuring effective cybersecurity and for keeping customers’ data safe. Many of these regulations and legal frameworks require a greater degree of transparency from organizations at all levels of their data-handling activities and in their cyber risk management readiness.
The growth in such laws and regulations complements a body of well-established cyber and information security standards from industry authorities, such as the National Institute of Standards and Technology and the International Organization for Standardization.
Only 28% of respondent organizations identified government regulations and laws as being “very effective” in improving cybersecurity.
This held across all major regions, despite considerable variance in local laws and regulations. Highly regulated industries, such as aviation, financial institutions and communications, were more likely to see value in government regulation of cyber risk.
Nation-State Attacks Are Different
The major area of difference in the attitude toward cyber regulation related to cyberattacks by nation-state actors. A majority (54%) of respondents said they are highly concerned about the impact of nation-state cyberattacks.
And 55% of organizations said there is a need for governments to do more to protect private enterprise from nation-state cyberattacks. This call for action resounds consistently across regions, with the highest positive response among financial institutions and professional services organizations.
These results show that while firms generally prefer a non-prescriptive approach to managing their cybersecurity and cyber risk affairs, nation-state activity is a clear exception.
As cyber risks become increasingly complex and challenging, there are encouraging signs in our 2019 Global Cyber Risk Perception Survey that enterprises are, slowly but surely, starting to implement best practices in cyber risk management. Nearly all recognize the magnitude of cyber risk, many are shifting aspects of their approach to match the threat and most are doing a good job in traditional cybersecurity — protecting the perimeter.
Managing Supply Chain Risk As a Collective Issue
The most savvy organizations are building cyber resilience through comprehensive, balanced cyber risk management strategies, rather than concentrating solely on prevention. These more complex approaches account for the need to build capabilities in understanding, assessing and quantifying cyber risks in the first place, as well as adding the tools and the resources to respond to and recover from cyber incidents when they inevitably occur.
At a practical level, this year’s survey points to several best practices that the most cyber-resilient firms employ and that all firms should consider adopting. Notably, this includes managing supply chain risk as a collective issue and recognizing the need for trust and shared security standards across an entire network, including the organization’s cyber impact on its partners.
Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.