4.12.23 > Michelle Greeley

As outsourced business models continue to rise in popularity, cybersecurity threats facing organizations' supply chains are growing at an unprecedented rate, requiring stringent third-party risk mitigation and heightened awareness from management teams.

Throughout 2022, companies spent over $700 billion on establishing or expanding outsourcing capabilities. Breaking this down by segment, IT outsourcing spending is expected to reach $519 billion in 2023, a 22% increase over 2019’s numbers. Similarly, business process outsourcing spending is forecasted to total $212 billion in 2023, an increase of 19% over 2019 [1].

The threat landscape of malware, ransomware, phishing attacks, and viruses is ever-expanding. In the first half of 2022, there were around 236 million ransomware attacks globally [2].

A Security Third-Party Risk Management program helps ensure that the use of service providers and suppliers does not create a potential for business disruption or a negative impact on business performance due to data breaches, data leaks, or cyber-attacks.

Supply Chain Management administers the flow of goods, data, and finances related to a product or service, from the procurement of raw materials to the delivery of the product at its destination.

Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain. Such parties may include vendors, suppliers, partners, contractors, or service providers, who have access to internal company or customer data, systems, processes, or other privileged information.

According to Accenture’s State of Cybersecurity report, indirect attacks against weak links in the supply chain now account for 40 percent of security breaches. And the weak links here are third parties [3].

Bring awareness to supply chain security risks

Senior leaders need to help increase their organization’s understanding that all suppliers are part of the company’s security posture, including even raw material suppliers and maintenance service providers. Companies also need contingency plans that include backup providers for critical and niche third parties, and must ensure adequate third-party contractual language is in place.

Mitigating supply chain security risks

Recognize security as a shared responsibility among all teams and an essential part of business operations. Educate employees on the importance of security operations and the impact of cyber risks. The entire organization, including executives, the board of directors, and senior leadership not involved with cybersecurity, must understand that third-party security risks are a critical business aspect of supply chains.

Provide broad visibility into the extended supply chain ecosystem through a comprehensive approach, including proactive outreach to the supply chain to collaborate with suppliers and prepare them to address cyber risks.

Focus on software supply chain security and enhancing software transparency via new government mandates such as President Biden’s Executive Order on improving the nation’s cybersecurity, which highlights the importance of a software bill of materials (SBOM) and software supply chain security.

Designate security champions within development teams to facilitate tighter cross-functional collaboration.

Recognize Security Third-Party Risk Management as a key strategy to identify, monitor, assess, and improve the critical risks that come with working with an increasingly global supply chain.

Conduct ongoing, proactive supply chain security management self-assessments, including continuous monitoring and risk mitigation through direct contact with suppliers. Self-assessments are vital for staying up to date with all risks that can threaten a supply chain.

Know all your third parties and determine how to best stratify self-assessments throughout your supply chain ecosystem.

Communicate to all third-party partners the importance of establishing substantial work-from-home security protocols for their workforces to protect vulnerable endpoints.

Routinely update senior leadership on third-party security monitoring, which can help a company stay ahead of security issues in its supply chains before bad actors exploit them.

[1] 47 New Outsourcing Statistics (2023-2026) (explodingtopics.com)

[2] The Latest Ransomware Statistics (updated March 2023) | AAG IT Support (aag-it.com)

[3] Third-Party Risk in the Supply Chain | Supply & Demand Chain Executive (sdcexec.com)


Michelle Greeley, IT Security & Risk Management Program Leader, 3M

Michelle is an accomplished leader with over 20 years of experience in Information Security, Security Compliance, Information Technology, Data Privacy, Risk Management, Business Continuity, Disaster Recovery, Business Technology Planning, Process Engineering, Project Management, Contract Coordination, Finance, and Accounting.

Michelle holds an MBA in Finance and has various industry certifications: CDPSE, CRISC, CGEIT, CISM, CISA, ITIL IT Service Management, Six Sigma Green Belt.

You can connect with Michelle here at the Summit https://www.cybersecuritysummit.org/speakers/michelle-greeley/ 

And on LinkedIn at https://www.linkedin.com/in/n-michelle-greeley/