Illustration by iStock; Security Management
Changing tariffs and geopolitical tensions have forced manufacturers to adapt quickly, often changing suppliers and partners. While these shifts are typically implemented to help ensure future prosperity, they often neglect a crucial risk: cybersecurity.
Cybersecurity management plays a critical role in many organizations’ risk mitigation strategies, with companies recognizing the vast impacts a cyber incident can have. This process is essential, but it is often overlooked or deprioritized during times of organizational change. Shifts in third-party relationships may introduce new cyber vulnerabilities and operational risks that must be addressed.
Third-Party Risk
As companies increasingly digitize their data and practices, they create more threat vectors for cyber incidents. Today’s cybersecurity ecosystem is more complex than ever, consisting of an interconnected network of service providers with a global reach. It goes without saying that the more providers manufacturers rely on, the greater their cyber risk exposure. This is further compounded by rapid shifts in suppliers and partners, which may be necessitated by tariffs or geopolitical disruptions.
Mitigating third-party risk—also known as vendor risk—has become a key prerequisite for any entity that wants a safe, secure, and resilient cyber posture. Given the vast scale of third-party ecosystems, especially for manufacturing companies reliant on suppliers and logistical support, many organizations fail to grasp the entirety of their network. This causes third-party connections to be overlooked and risks to be discovered too late.
An organization’s vendor network extends even further than third parties. Increasingly, fourth parties—the vendors of your vendors—are an additional key component of cyber risk management strategy. Too many companies completely overlook this aspect of their cyber exposure, opting for a reactive approach instead of proactive mitigation.
Cybersecurity network risk management becomes more difficult as vendors are switched and onboarded quickly, leaving little time for proper assessment of vulnerabilities. As manufacturers across the global supply chain may need to rapidly re-evaluate and alter their vendors due to tariffs and other geopolitical concerns, gaps in cybersecurity practices may cause dangerous vulnerabilities.
Addressing Vendor Management
While quick adjustments and shifts in vendor choices may be unavoidable for manufacturers, cybersecurity management must remain at the center of these processes.
There are three main steps manufacturers should take to help ensure security during vendor transitional periods:
- Conduct cybersecurity due diligence. It is crucial that companies conduct cybersecurity due diligence on any new vendors or suppliers. Doing so enables your organization to thoroughly understand the nature of the providers in your network and identify any vulnerabilities. This information enables proactive cyber risk management with the implementation of important safeguards during the onboarding process.
- Enhance business continuity plans. Business continuity planning, a process focused on maintaining operations during and after a cybersecurity incident, should include specific contingencies for vendor-related incidents. These plans should reflect your dependency on more volatile or newly onboarded vendors that may pose a larger risk to your organization. Manufacturers may even consider coordinating continuity plans with their suppliers and partners to help ensure a more resilient supply chain.
- Continue monitoring for cyber risks. It is essential that organizations monitor cyber risks associated with new digital tools or integrations brought in hastily to mitigate supply gaps. Proactively conducting regular audits and risk assessments of vendors throughout operations and embedding cybersecurity monitoring into daily processes can identify potential risks before they materialize and minimize the impact of disruptions.
Takeaways and Future Planning
Cybersecurity risk management should be an ongoing process for manufacturers, especially during vendor changes or times of other operational pressures. Organizations must remain security-minded and update operations as their processes and vendors evolve.
Vendor changes should be viewed not just as procurement decisions, but as potential cybersecurity inflection points. While such shifts may help address a financial or operational concern, they can also dramatically change your organization’s risk profile and cyber exposure. Organizations must be cognizant of their cyber posture through business shifts.
Additionally, organizations should validate incident response plans against real-world disruption scenarios. Your incident response plan, which guides how your organization detects and responds to cybersecurity incidents, should be updated to account for macroeconomic developments and potential pitfalls.
Finally, cybersecurity should be embedded into all operational reconfigurations triggered by trade changes. Cybersecurity leaders should have a seat at the table during times of organizational change, helping to ensure security in processes and the safeguarding of important data for the organization.
Jeff Krull is principal and practice leader in Baker Tilly’s cybersecurity practice. His expertise includes cybersecurity, IT controls, system and organization controls, examinations, and internal auditing. With more than 25 years of industry experience, Krull has provided services to clients ranging from small family-owned enterprises to Fortune 500 multinational organizations.
© Jeff Krull