Why Vendor Risk Should be Seen as a BCDR Necessity

Sep 21, 2021 | Risk Management

In agribusiness, each organization is part of a chain where one business relies heavily on another to meet market needs and customer expectations. However, to some degree, all businesses rely on a supply chain to meet customer demands and should look closely at how interruptions can affect the timing of deliveries. Breaks in the supply chain can cause damage to not only the process and flow but to brand reputation and trust.

Supply chain vendor risk should be seen as a necessary part of not only your organization’s business continuity (BC) and incident response (IR) plans, but also its disaster recovery (DR) planning. That planning can start by asking the following questions:

  • Who are my vendors?
  • Which vendors are critical?
  • How are vendors selected?
  • Which vendors are “peripheral,” or secondary to the operation?
  • Do my vendors have a business continuity plan in place?
  • Do I have alternative vendors in place for critical supplies?
  • What do I do if my vendor’s operations are disrupted?

Whether your organization is looking at conducting a supply chain assessment or engaging in risk management across your vendors, it’s critical to implement your findings in your BCDR planning.

Ransomware risk, the C-suite, and the supply chain

Beyond cybersecurity attacks broadly, executives and boards are placing increased focus on the impact of ransomware. They are asking what to do when the business is attacked, how to resume operations in a timely manner, and whether or not to pay the ransom. More recently, the conversation has centered on agriculture’s status as one of the nation’s critical infrastructure sectors.

Large-scale attacks on the nation’s food supply would have a detrimental effect not only on its citizens but also on the businesses tasked with delivering those goods. By now, the prevalence of attacks on the supply chain has caught the attention of the C-suite and Boards of Directors, who are calling on IT managers and departments to ensure security protocols are being met.

One of the risks associated with ransomware, in particular, is the personal liability assumed by company directors, who are addressing this risk by diving deeper into the security of the organization.

An article from Cybersecurity Dive recently said:

“In prior years, corporate boards usually pushed issues like ransomware preparation down to top executives, so the chief executive and general counsel would talk to CIOs and CISOs directly, but the rise in ransomware has changed that equation.”

IT leaders must be prepared to answer more nuanced questions from leadership about their preparation for ransomware attacks and the steps being taken to ensure business continuity and incident response. Part of that answer should cover what is being done to protect the organization’s supply chain.

It isn’t only corporations that are focusing more on what happens when a ransomware attack hits the supply chain. The federal government is getting more vocal about private enterprises and the steps they need to take to protect themselves. Following high-profile supply chain attacks, the White House released guidance recommending measures such as the following:

  • Multi-factor Authentication (MFA)
  • Endpoint detection and response
  • Encryption
  • A solid security team
  • Backup strategy
  • Patch management
  • Incident response plan
  • Network segmentation
  • An overall risk-based security program, informed by cyber threat intelligence and validated through penetration testing

The argument stands: supply chain risk responses should be a central part of BC, IR, and DR planning, given the rise in attacks that affect the delivery of goods downstream.
