Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to discuss supply chains and their impact on organizations. During this discussion we’ll touch on supply chain risk management and supply chain cybersecurity, we’ll dip into the impact supply chains have on organizations, and we’ll also touch on why it is vital that routine assessments and audits are conducted on supply chains. So, to dive on in, what, exactly, is a supply chain? Well, the Oxford dictionary defines it as “the sequence of processes involved in the production and distribution of a commodity”. Digging into that definition a bit deeper, the supply chain represents the entire line from start to finish for goods, services, and so on: every party that handles, builds, ships, or supports the thing you ultimately deliver.
Let’s take this through a technological lens. Say your organization makes computers. What does the supply chain look like? Well, think about each and every component of those computers, hardware and software alike, and where it is made. That is all part of the supply chain. Each manufacturer of those components also has its own supply chain, and every vendor you deal with that has some responsibility in the end product is part of that chain. So, as you can see, this is a rabbit hole that can go very, very deep, especially if the organization is a large enterprise that operates a diverse portfolio.
Organizations must do their due diligence on the vendors or suppliers they wish to do business with in order to properly manage organizational risk. Determining whether or not a supplier complies with specific industry regulations or standards, for example, can drive the decision on whether a partnership or agreement can go ahead at all. For example, a cloud service provider that wants to sell cloud services to the Federal Government needs to be what’s known as FedRAMP authorized. That is the Federal Risk and Authorization Management Program; the providers on the authorized list have gone through the entire assessment and authorization process in order to do business with federal agencies.
What organization out there would prefer to do business with someone they cannot trust? Or, what if the supplier or vendor was ridiculously cheap? Would that take priority over whether or not the supplier or vendor was trustworthy? Granted, a lot of that comes down to the individual organization’s overall risk appetite, but for the purposes of this conversation cost is merely one of the factors in forming business partnerships, not the deciding one.
An organization wants and needs to know that its supply chain poses the least amount of risk possible. It wants to maintain relationships with the suppliers it has a rapport with, the ones it has built trust with over time. In the ever-evolving technological world we live in, that is often a tough task, as businesses get spun up and shut down rather routinely, forcing some organizations to find new suppliers more often than they would like.
So, once you are familiar with your organizational supply chain, is that it? Does business now just churn along per the daily, weekly, or monthly routine? Yes and no. Business continues to move forward, but the supply chain needs to be audited routinely (how often is dictated by organizational policy), and any change on the supplier’s side needs to be documented and analyzed to ensure the risk landscape hasn’t changed for the worse.
Seems like a lot to do, and at first glance it can be overwhelming, especially if we’re again talking about a large enterprise. If nothing has been done, or is being done, with regards to supply chain management, you’ve got to start somewhere. Doing something is better than nothing in this instance. We see headlines, sometimes several in a single day, about an organizational data breach or compromise caused by a supply chain issue. Don’t wait for that to happen to you before putting the necessary priority on managing the chain.
Being proactive is most certainly better than being reactive in this type of scenario. Knowing ahead of time where the risks are within your supply chain lets you address them sooner rather than later. Again, a lot depends on the organizational risk appetite, but the bottom-line question is: would an impact to your supply chain adversely affect your core business objectives? If the answer is yes, then the organization should be prioritizing transferring, mitigating, or avoiding that risk altogether.
GuardSight professionals can help you better understand your supply chain risks. Our highly qualified team can perform assessments of your infrastructure and organization to bring more awareness to the risks your organization is facing, allowing you to address those risks accordingly. If you have any questions, concerns, or just want to know more about supply chains, reach out to us anytime!
We here at GuardSight thank you for taking the time to listen to this TomCast. For more cybersecurity tips, head on over to our website and check out more TomCasts; those are located at www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are also several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!