
by Jaikumar Vijayan

How to evaluate and mitigate risks to the global supply chain

Feature
17 Feb 2025
7 mins
Cyberattacks, Risk Management, Supply Chain

CISOs are under the gun to understand and address potential risks tied to geopolitical tensions, regulations and other changes outside their control.

Credit: Svetlana Lukienko / Shutterstock

Enterprise security leaders face mounting pressure to protect their global IT supply chains against threat actors and an increasingly complex regulatory and geopolitical landscape. Recent events — from trade disputes to regional conflicts — have shown how quickly geopolitical tensions can disrupt access to critical technologies and expose organizations to breaches via attacks on trusted suppliers and third-party services.

In some cases, the disruptions and changes were caused by government action and in others by cyberattacks tied to military and geopolitical conflicts around the world. Examples of the former include the US government’s ban on telecommunications equipment from Huawei and ZTE and its near total ban on the use of Kaspersky’s software in 2024 over national security concerns. US organizations, especially within the federal government, suddenly restricted from using technologies from these companies had to rip and replace them in a hurry. Other instances, like the attack on SolarWinds, showed how Russia-US tensions manifested in software supply chain attacks.

Increasingly, security leaders are required to look beyond traditional cyber defenses and develop strategies that account for rapid shifts at a global level as well, says Trey Ford, CISO at Bugcrowd. “Our businesses operate, technologies are sourced, customers engage, and employees serve from all around the globe today,” he says. “The tapestry that creates our business ecosystem is very interconnected, and the dependencies are intricate.”

The new reality means security leaders need to understand everything from weather impacting regions, to socio-political shifts, to announcements in legislation or legal decisions that impact their businesses, customers, and suppliers, Ford noted. “Diversity of perspective is the CISO’s best friend. We require discussion and insight from operations, legal, privacy, and compliance to first enumerate, and only then, understand the ways regional events impact the business.”

To help cybersecurity leaders, here are four tips to mitigate some of these risks:

Understand your risks and exposure

Everything in cyber starts with an inventory, and it’s no different when it comes to understanding global supply chain risks. Knowing where your people operate from, where services are delivered from and to, where technology is hosted or sourced from, and knowing all the regions that your organization has business relationships with, is fundamental to supply chain security, according to Ford.

Also vital is the need to understand and map data flows across international boundaries, understanding changing data protection regulations in key markets, maintaining flexibility in data storage and processing locations and planning for potential restrictions on cross-border data transfers.

“A strong relationship with in-house legal, outside counsel, and either trade organizations or a legislative affairs partner will keep you apprised of change in key markets,” Ford says. “Asking legal to brief on trends would be a great way to keep these things top of mind for the security teams, and those supporting risk management at the company.”

It’s also a good idea to partner with security vendors invested in public policy and global services. It’s a good way of staying current and supporting advocacy influence on cyber-specific matters of import.

Maintain a diversified supply chain

Organizations that source from international technology suppliers need to ensure they are not overly reliant on a single vendor, single region or even a single technology. Maintaining a diversified supply chain can mitigate costly disruptions from a cyberattack or vulnerability involving a key supplier, or from disruptions tied to regulatory shifts, trade restrictions or geopolitical conflicts.

“What we’re talking about here is business resiliency or, more narrowly, supply chain risk management,” says Bruce Jenkins, CISO at Black Duck. “One must identify the likelihood and impact of supplier disruption and identify the alternatives.” Security leaders should make sure to include these risks and potential impacts in their overall enterprise business impact analysis (BIA) process—and the alternative plans for addressing them, in their business continuity plan (BCP), Jenkins recommends.

Strategically sourcing from multiple suppliers and regions where possible can enable better resilience and adaptability to emerging threats or unexpected geopolitical shifts. “If you’ve got key technology partnerships with access or delivery sourced in geographies of concern, it is worth cultivating alternatives that are warm,” recommends Ford at Bugcrowd. “If you’ve got regions all served or accessed through common undersea cable connections, understand what disruption could look like, and how you’d address an outage or degradation of service.”

Implement robust risk assessment and monitoring

Implement a risk assessment and monitoring program for your global IT supply chain, or review—and update where necessary—any such program you might have in place already. Organizations with suppliers in geopolitically volatile areas should consider developing an early warning capability that combines external threat intelligence feeds, news monitoring and regional business analysis. The goal should be to anticipate potential disruptions before they impact operations. “CISOs must adopt a proactive, risk-based approach when managing suppliers, especially in regions with complex regulatory or geopolitical dynamics,” says Darren Guccione, CEO and co-founder at Keeper Security. “Understanding the risks posed by suppliers in high-risk areas is critical.”

Continuous tracking and monitoring of global and regional tensions is especially crucial in regions where key suppliers operate or where critical technologies are sourced. The goal should be to understand how evolving trade policies and sanctions might affect access to security tools, updates, and services — especially when these policies target technology sectors or specific companies. One example is the US government’s 2024 ban on the use of Kaspersky’s security products in the US.

“If there is a sanction event that results in your inability to leverage your supplier’s solutions, I recommend attempting to maintain open and honest communications with your supplier,” Jenkins from Black Duck says. “Your contracting and export compliance legal teams should be leveraged for this,” he notes. If sanctions or regulatory actions directly or indirectly impact your ability to maintain communications and fulfill due diligence obligations, it’s best to follow the mitigation route in your BCP, he advises.

Maintain ongoing visibility over your supplier’s compliance obligations

IT suppliers, even reputable and large ones, can sometimes fall afoul of international and export control regulations. In 2023, for instance, Microsoft had to pay a fine of $3.3 million to the US Department of Commerce’s Bureau of Industry and Security (BIS) and the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for allegedly selling its software to a Russian company on a US sanction list. In another incident, virtual currency exchange Kraken had to pay a fine of over $360,000 to settle US charges that the company had violated sanctions against Iran.

Sometimes, non-compliance by a supplier can lead to restrictions that may impact your organization’s ability to operate globally, so it’s vital to continually monitor your supply chain to ensure ethical sourcing.

Be consistent, methodical and regular with your third-party risk management (TPRM) practices. Ensure that your suppliers meet recognized security certifications such as SOC 2 Type 2 and ISO 27001, Guccione says. “Clear contractual agreements outlining cybersecurity standards and data handling protocols are essential to ensure that suppliers meet the organization’s security requirements,” he notes. Establish a strong governance framework that includes regular audits, compliance checks and continuous monitoring.

At the same time, be aware of the limits of your efforts within the context of a specific geopolitical or regulatory environment, Jenkins cautions. “Understand and work within those constraints, whatever they are, and don’t waste your time pushing back unless there is indisputable business value in doing so.” Document your efforts for audit purposes and use the outcomes of your efforts for future risk-based decision-making around procurement and business resiliency programs, Jenkins noted.