I hadn’t noticed this until now, but we have fresh help for audit and risk managers worried about cybersecurity risks in the supply chain: CISA, the top cybersecurity regulator in the United States, has published a short guide on how small and medium-sized businesses can navigate that challenge.
CISA released the guide last week — 14 easy pages, with numerous examples of the cybersecurity predicaments that smaller businesses might face and the various ways those businesses might manage their risks.
Cybersecurity or procurement managers charged with assessing risks in your supply chain can use the guide to help frame your thinking about the types of risk you might face; auditors can use the material to understand what questions you should be asking and what recommendations you might want to offer.
Cybersecurity in the supply chain has become a top concern in recent years, thanks to high-profile incidents such as the SolarWinds attack in 2020. In that instance, Russian operatives hacked into IT management software that SolarWinds Corp. sold to corporate and government customers. The malware was implanted in a software patch SolarWinds sent to its customers, who became infected when they implemented the patch. Presto! Privacy and security breaches all over the place.
The Biden Administration then responded to that attack (and others) with an executive order in 2021 that, among other things, requires better oversight of the software supply chain. For example, technology businesses might now need to publish a “software bill of materials” that lists the components of their software, so customers can understand what they’re buying and where it came from.
So supply chain cybersecurity is both an operational risk and a compliance risk. It’s difficult for any business to manage well, let alone small and medium businesses with small IT security teams and simple risk management programs. Which brings us back to the CISA guide.
Supply Chain Examples
The guide begins by boiling down the wide range of supply chain cybersecurity risks into six basic categories:
- Cyber expertise
- Executive commitment
- Supply chain risk management
- Single-source suppliers
- Supplier disruptions
- Supplier visibility
The guide also provides a few resources (guidance, websites, frameworks, and so forth) that risk managers could read and study for each of the above six categories.
Then the guide walks through several hypothetical scenarios of cybersecurity issues that small businesses might confront. Each scenario studies the risks in play and how the hypothetical company might manage them.
For example, one scenario involves a cloud-based tech company that manages billing for rural broadband service companies, with about $25 million in annual revenue. The IT director of the tech company wants to implement a business continuity plan with a one-time cost of $100,000 and $25,000 in ongoing costs. The CEO says no. Then the tech company falls victim to a ransomware attack (using the Log4j risk we wrote about last year, no less!), which knocks out the billing system for four months, costs $500,00 to fix, and alienates the tech company’s customer base.
That’s a very plausible scenario these days. So what are the risks involved? Lack of executive commitment (CEO rejecting the business continuity plan), supplier disruption (the tech company couldn’t provide services to its customers), and supply chain risk management (the tech company failed to patch a Log4j issue in its software, and its customers didn’t ask the company whether it posed any Log4j risks to them).
The rest of the CISA guide is filled with similar scenarios, each one based on several of the six risk categories mentioned above.
For audit and risk professionals reading the guide, your best course of action might be to identify those hypothetical companies most similar to your own, operating with similar business models. Then think it through, “OK, my business wouldn’t face this exact scenario, but our version would probably look like this…” and then fill in the relevant details in your own mind.
Then you can reverse engineer the supply chain risk categories that might fit your own personal hypothetical; they’ll probably be the same as the CISA scenario, or perhaps have a few slight changes. But that exercise gives you a narrative you can present to senior management or the board, to justify whatever risk management measures you want to put in place. Even at large companies those executives might struggle to understand the business context of IT security risks; that will only be even more true at smaller businesses.
Essentially, the guide can help you frame your arguments in ways that will be relevant to the people approving your investment requests. And something tells me companies will be making many such requests for years to come.