Increasingly, businesses have two supply chains. There’s the familiar physical supply chain, along which physical goods flow—and then, in parallel, there’s an information supply chain, along which data flows.
But not always just data: connecting a business's IT systems to those of its customers and suppliers can expose the business to threats as well.
And as direct connections between buyers and sellers become more commonplace—supplanting connections traditionally made through intermediaries such as e-marketplaces and Electronic Data Interchange providers—the risk of being exposed to threats through supply chain connectivity is increasing.
No way back
The danger is very real. As recently as December 2021, for instance, retailer Sainsbury's lost a week's worth of payroll data when its payroll processor Kronos was hit by a ransomware attack. The American supermarket chain Whole Foods and carmaker Honda North America were similarly affected by the same attack.
In short: seriously disruptive, and potentially terminal, for businesses whose operations depend on the IT systems of their suppliers.
What to do? How can supply chain connectivity be made more secure? Because make no mistake, cutting back on supply chain connectivity isn’t an option: supply chain connectivity eliminates paper, increases efficiencies, provides instant insight into the whereabouts of orders and physical goods, accelerates supply chains, and helps to eliminate surplus inventory.
No one wants to go back to purchase orders sent through the mail, or hark back to the days of often-illegible fax transmissions which required typing into IT systems on receipt.
Technology-led assurance
The good news is that there is a way to increase the security of supply chain connectivity. A way delivered by the arrival of a new, technology-led approach to IT security, known as Continuous Controls Monitoring.
Deployed within an organisation, Continuous Controls Monitoring continuously gathers, via automated telemetry from the organisation's risk management systems and internal controls, the data and evidence required to audit IT security, so that the evidence is always current rather than assembled once a year for an audit.
It's fast, it's efficient, and it's a far more robust approach to IT security than, say, questionnaire-based approaches that rely on qualitative self-assessment. If a part of the IT security apparatus isn't activated (no telemetry is arriving from it at all), or is activated but isn't operating within its specified parameters, then Continuous Controls Monitoring finds it and reports it. In real time.
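To make the distinction concrete, here is an added example of the kind of check such monitoring performs, written for this page and not taken from it or from any Continuous Controls Monitoring product. It evaluates one snapshot of telemetry against a handful of controls and reports each as PASS, FAIL (evidence shows the control is outside its parameters) or MISSING (no usable evidence, i.e. the control is not reporting). The control identifiers, thresholds and telemetry records are assumptions constructed for illustration.

```python
"""Added example: a minimal continuous-controls-monitoring evaluator.

Control identifiers, thresholds and the telemetry records below are
assumptions constructed for illustration; they are not taken from the
page or from any CCM product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Fixed reference clock so the checks are reproducible offline (assumption).
NOW = datetime(2021, 12, 13, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Control:
    control_id: str                  # hypothetical identifier for the control
    description: str
    check: Callable[[dict], bool]    # True when the control is within its specified parameters


@dataclass(frozen=True)
class Finding:
    control_id: str
    status: str   # "PASS", "FAIL" (out of parameters) or "MISSING" (no usable evidence)
    detail: str


def edr_heartbeat_fresh(record: dict, max_age: timedelta = timedelta(minutes=15)) -> bool:
    """An endpoint agent that has not checked in recently is not an operating control."""
    last_seen = datetime.fromisoformat(record["last_heartbeat"])
    return NOW - last_seen <= max_age


# Each control states, in code, what "operating within specified parameters" means.
CONTROLS: List[Control] = [
    Control("AC-7", "MFA enforced on the remote-access gateway",
            lambda r: r["mfa_enforced"] is True),
    Control("SI-3", "Endpoint agent heartbeat received within 15 minutes",
            edr_heartbeat_fresh),
    Control("CP-9", "Backup restore test completed within the last 7 days",
            lambda r: r["last_restore_test_age_days"] <= 7),
    Control("SI-2", "No critical patch outstanding for more than 14 days",
            lambda r: r["oldest_missing_critical_patch_days"] <= 14),
]


def evaluate(telemetry: Dict[str, dict]) -> List[Finding]:
    """Evaluate one telemetry snapshot (control id -> latest record) against CONTROLS.

    A control with no record, or a record the check cannot interpret, is reported
    as MISSING rather than silently passed: absence of evidence is itself a finding.
    """
    findings: List[Finding] = []
    for control in CONTROLS:
        record = telemetry.get(control.control_id)
        if record is None:
            findings.append(Finding(control.control_id, "MISSING",
                                    f"no telemetry received: {control.description}"))
            continue
        try:
            ok = control.check(record)
        except (KeyError, TypeError, ValueError) as exc:
            findings.append(Finding(control.control_id, "MISSING",
                                    f"malformed telemetry ({exc!r}): {control.description}"))
            continue
        findings.append(Finding(control.control_id, "PASS" if ok else "FAIL",
                                control.description))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """The subset a monitoring console would raise to an operator in real time."""
    return [f for f in findings if f.status != "PASS"]


# Constructed sample snapshot, as it might be pulled from a supplier's environment.
# CP-9 is deliberately absent: a control that is not reporting at all.
SAMPLE_TELEMETRY: Dict[str, dict] = {
    "AC-7": {"mfa_enforced": False},
    "SI-3": {"last_heartbeat": "2021-12-13T08:50:00+00:00"},
    "SI-2": {"oldest_missing_critical_patch_days": 31},
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TELEMETRY):
        print(f"{f.status:<8}{f.control_id:<6}{f.detail}")
```

The design point is that a missing or unreadable record is never treated as a pass. A questionnaire cannot distinguish "the control exists" from "the control is reporting and within tolerance right now"; the evaluator reports exactly that distinction for every control on every snapshot.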
But here's the interesting thing: it doesn't have to be restricted to use-cases inside the organisation. Because it's a technology-led approach, the same telemetry collection can be extended across a supply chain connection, with the trading partner's agreement, to assess the status of the IT security apparatus at the other end of that connection. Suppliers' IT security status, in other words.
An easy sell to the supply base
Would a business’s trading partners agree to such a thing?
Well, let’s turn that question on its head. Why would they not agree to such a thing?
Remember, the right to audit and assess suppliers’ IT security is written into many supply contracts.
If Continuous Controls Monitoring gives suppliers a clean bill of health, then those suppliers receive a useful confirmation of the status of their IT security, and receive it without the disruption and inconvenience of a real, in-person audit.
And if Continuous Controls Monitoring doesn’t deliver a clean bill of health, then for the supplier in question, that’s vitally important information—for which they should be grateful.
Of course, if a supplier doesn't agree to an audit but remains a critical supplier, then at the very least the greater appreciation of the risk they pose means the company can manage that risk with accurate facts and figures and make an informed, risk-based decision on the next steps. It could, for example, add a layer of additional control, such as two-factor authentication on the supplier's connection, so that the party connecting is verified as the actual supplier rather than an attacker who has obtained the supplier's credentials. It's a small step, but one that significantly reduces the risk.
But, as we say, why would suppliers not agree to Continuous Controls Monitoring?
A better way
Rightly, Continuous Controls Monitoring is being considered a gamechanger in IT security circles. And that’s when it is simply being deployed inside the organisation.
Deployed within the supply chain, though, and ‘gamechanger’ becomes something of an understatement.
A better way of assuring the IT security of supply chain connectivity? We think so.
To learn more, please get in touch or book a meeting at a time that suits you.