{"id":1954,"date":"2025-02-17T07:00:00","date_gmt":"2025-02-17T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1954"},"modified":"2025-02-17T07:00:00","modified_gmt":"2025-02-17T07:00:00","slug":"how-to-evaluate-and-mitigate-risks-to-the-global-supply-chain","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1954","title":{"rendered":"How to evaluate and mitigate risks to the global supply chain"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprise security leaders face mounting pressure to protect their global IT supply chains against threat actors and an increasingly complex regulatory and geopolitical landscape. Recent events \u2014 from trade disputes to regional conflicts \u2014 have shown how quickly geopolitical tensions can disrupt access to critical technologies and expose organizations to breaches via attacks on trusted suppliers and third-party services.<\/p>\n<p>In some cases, the disruptions and changes were caused by government action and in others by cyberattacks tied to military and geopolitical conflicts around the world. Examples of the former include the US government\u2019s ban on telecommunications equipment from <a href=\"https:\/\/www.csoonline.com\/article\/573333\/china-huawei-and-the-eavesdropping-threat.html\">Huawei<\/a> and ZTE and its near total ban on the use of <a href=\"https:\/\/www.bis.gov\/press-release\/commerce-department-prohibits-russian-kaspersky-software-us-customers\">Kaspersky\u2019s software<\/a> in 2024 over <a href=\"https:\/\/www.csoonline.com\/article\/2518227\/kaspersky-lab-shuts-down-us-operations-in-wake-of-national-security-ban.html\">national security concerns<\/a>. 
US organizations, especially within the federal government, suddenly restricted from using technologies from these companies had to rip and replace them in a hurry. Other instances, like the <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">attack on SolarWinds<\/a>, showed how Russia-US tensions manifested in software supply chain attacks.<\/p>\n<p>Increasingly, security leaders are required to look beyond traditional cyber defenses and develop strategies that account for rapid shifts at a global level as well, says Trey Ford, CISO at Bugcrowd. \u201cOur businesses operate, technologies are sourced, customers engage, and employees serve from all around the globe today,\u201d he says. \u201cThe tapestry that creates our business ecosystem is very interconnected, and the dependencies are intricate.\u201d<\/p>\n<p>The new reality means security leaders need to understand everything from weather impacting regions, to socio-political shifts, to announcements in legislation or legal decisions that impact their businesses, customers, and suppliers, Ford noted. \u201cDiversity of perspective is the CISO\u2019s best friend. We require discussion and insight from operations, legal, privacy, and compliance to first enumerate, and only then, understand the ways regional events impact the business.\u201d<\/p>\n<p>To help cybersecurity leaders, here are four tips to mitigate some of these risks:<\/p>\n<h2 class=\"wp-block-heading\">Understand your risks and exposure<\/h2>\n<p>Everything in cyber starts with an inventory, and it\u2019s no different when it comes to understanding global supply chain risks. 
Knowing where your people operate from, where services are delivered from and to, where technology is hosted or sourced from, and which regions your organization has business relationships with is fundamental to supply chain security, according to Ford.<\/p>\n<p>It is also vital to understand and map data flows across international boundaries, to track changing data protection regulations in key markets, to maintain flexibility in data storage and processing locations, and to plan for potential restrictions on cross-border data transfers.<\/p>\n<p>\u201cA strong relationship with in-house legal, outside counsel, and either trade organizations or a legislative affairs partner will keep you apprised of change in key markets,\u201d Ford says. \u201cAsking legal to brief on trends would be a great way to keep these things top of mind for the security teams, and those supporting risk management at the company.\u201d<\/p>\n<p>It\u2019s also a good idea to partner with security vendors invested in public policy and global services; doing so helps you stay current and supports advocacy on cyber-specific matters of importance.<\/p>\n<h2 class=\"wp-block-heading\">Maintain a diversified supply chain<\/h2>\n<p>Organizations that source from international technology suppliers need to ensure they are not overly reliant on a single vendor, single region or even a single technology. 
Maintaining a diversified supply chain can mitigate costly disruptions from a cyberattack or vulnerability involving a key supplier, or from disruptions tied to regulatory shifts, trade restrictions or geopolitical conflicts.<\/p>\n<p>\u201cWhat we\u2019re talking about here is business resiliency or, more narrowly, supply chain risk management,\u201d says Bruce Jenkins, CISO at Black Duck. \u201cOne must identify the likelihood and impact of supplier disruption and identify the alternatives.\u201d Security leaders should include these risks and potential impacts in their overall enterprise business impact analysis (BIA) process, and the alternative plans for addressing them in their business continuity plan (BCP), Jenkins recommends.<\/p>\n<p>Strategically sourcing from multiple suppliers and regions where possible can enable better resilience and adaptability to emerging threats or unexpected geopolitical shifts. \u201cIf you\u2019ve got key technology partnerships with access or delivery sourced in geographies of concern, it is worth cultivating alternatives that are warm,\u201d recommends Ford at Bugcrowd. \u201cIf you\u2019ve got regions all served or accessed through common undersea cable connections, understand what disruption could look like, and how you\u2019d address an outage or degradation of service.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Implement robust risk assessment and monitoring<\/h2>\n<p>Implement a risk assessment and monitoring program for your global IT supply chain, or review\u2014and update where necessary\u2014any such program you might have in place already. Organizations with suppliers in geopolitically volatile areas should consider developing an early warning capability that combines external threat intelligence feeds, news monitoring and regional business analysis. The goal should be to anticipate potential disruptions before they impact operations. 
\u201cCISOs must adopt a proactive, risk-based approach when managing suppliers, especially in regions with complex regulatory or geopolitical dynamics,\u201d says Darren Guccione, CEO and co-founder at Keeper Security. \u201cUnderstanding the risks posed by suppliers in high-risk areas is critical.\u201d<\/p>\n<p>Continuous tracking and monitoring of global and regional tensions is especially crucial in regions where key suppliers operate or where critical technologies are sourced. The goal should be to understand how evolving trade policies and sanctions might affect access to security tools, updates, and services \u2014 especially when these policies target technology sectors or specific companies. One example is the US government\u2019s 2024 ban on the use of Kaspersky\u2019s security products in the US.<\/p>\n<p>\u201cIf there is a sanction event that results in your inability to leverage your supplier\u2019s solutions, I recommend attempting to maintain open and honest communications with your supplier,\u201d Jenkins from Black Duck says. \u201cYour contracting and export compliance legal teams should be leveraged for this,\u201d he notes. If sanctions or regulatory actions directly or indirectly impact your ability to maintain communications and fulfill due diligence obligations, it\u2019s best to follow the mitigation route in your BCP, he advises.<\/p>\n<h2 class=\"wp-block-heading\">Maintain ongoing visibility over your supplier\u2019s compliance obligations<\/h2>\n<p>IT suppliers, even reputable and large ones, can sometimes fall afoul of international and export control regulations. 
In 2023, for instance, Microsoft had to <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy1394\">pay a fine of $3.3 million<\/a> to the US Department of Commerce\u2019s Bureau of Industry and Security (BIS) and the Department of the Treasury\u2019s Office of Foreign Assets Control (OFAC) for allegedly selling its software to a Russian company on a US sanctions list. In another incident, virtual currency exchange Kraken had to pay a <a href=\"https:\/\/ofac.treasury.gov\/recent-actions\/20221128\">fine of over $360,000<\/a> to settle US charges that the company had violated sanctions against Iran.<\/p>\n<p>Sometimes, non-compliance by a supplier can lead to restrictions that may impact your organization\u2019s ability to operate globally, so it\u2019s vital to continually monitor your supply chain to ensure ethical sourcing.<\/p>\n<p>Be consistent, methodical and regular with your third-party risk management (TPRM) practices. Ensure that your suppliers meet recognized security certifications such as SOC 2 Type 2 and ISO 27001, Guccione says. \u201cClear contractual agreements outlining cybersecurity standards and data handling protocols are essential to ensure that suppliers meet the organization\u2019s security requirements,\u201d he notes. Establish a strong governance framework that includes regular audits, compliance checks and continuous monitoring.<\/p>\n<p>At the same time, be aware of the limits of your efforts within the context of a specific geopolitical or regulatory environment, Jenkins cautions. \u201cUnderstand and work within those constraints, whatever they are, and don\u2019t waste your time pushing back unless there is indisputable business value in doing so.\u201d 
Document your efforts for audit purposes and use the outcomes of your efforts for future risk-based decision-making around procurement and business resiliency programs, Jenkins noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprise security leaders face mounting pressure to protect their global IT supply chains against threat actors and an increasingly complex regulatory and geopolitical landscape. Recent events \u2014 from trade disputes to regional conflicts \u2014 have shown how quickly geopolitical tensions can disrupt access to critical technologies and expose organizations to breaches via attacks on trusted [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1954"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1954"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1954\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1955"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1954"},{"taxonomy":"
post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}