Cybersecurity in the supply chain: Ensuring digital control over outsourced services

Cybersecurity in the supply chain: Ensuring digital control over outsourced services

Matheus Jacyntho, Director of Cybersecurity, and André Cilurzo, Director of Data Privacy Solutions and LGPD Compliance, at Protiviti, tell us how to safeguard digital control in the supply chain amid rising cyber threats.

In the current scenario, it is quite common to find companies outsourcing activities in the supply chain, a decision that inevitably increases these organizations’ reliance on external services. However, as these contracts occur, there is also a rise in cyberattacks, making digital security essential to ensure smooth business operations.

According to studies by Gartner, by 2025, 60% of organizations worldwide will use cybersecurity risk as a determining factor in the supply chain. In this regard, the research highlights companies’ concerns about imminent dangers in commercial transactions, including mergers and acquisitions, as well as contracts with suppliers.

On the other hand, we still encounter some vulnerabilities in the security systems of organizations, which must be vigilant not to fall into a possible ‘cyber trap.’ In this context, for a better understanding of these cases, let’s imagine a company that has outsourced the Information Technology infrastructure.

If this service provider experiences a breach, for instance, the attacker may gain access to valuable data of the hiring company, thereby compromising security, both for remote access and the organization’s personal and sensitive data. Even if the hiring company has advanced security controls, it can still be harmed by the attack due to this vulnerable third party.

Furthermore, if the accessed data includes personal customer information, the company that outsourced this service may face sanctions under the LGPD (General Data Protection Law), as ownership and responsibility for the information lie with the hiring company. These cases demonstrate that organizations’ decisions to outsource such critical services are questioned, considering the potential loss of control over activities due to criminal actions.

In light of these events, some measures must be taken to ensure that supply chain companies do not compromise their clients. Among the most important is the periodic conduct of cybersecurity and privacy audits on these outsourced services.

This assessment will identify whether third parties implement security controls as stringent as those of the hiring company. Additionally, it is advisable for the company to ensure that contracts include clauses requiring service providers to implement information security controls and mechanisms to demonstrate compliance with LGPD. This helps the hiring company safeguard against potential misfortunes arising from cyberattacks.

It is also important to consider the vulnerabilities posed by remote access, as well as sensitive and personal data. Even if actions occur via VPN (Virtual Private Network) – considered secure due to encryption, it can still be a security concern due to password theft attacks. This allows an intruder with third-party credentials to access sensitive company information, especially if permissions are improperly configured.

In this case, to mitigate risks, Zero Trust Network Access (ZTNA) creates secure boundaries for application access. In other words, users will only have permission after identity verification, context assessment and compliance with each specific request’s policy.

In this way, instead of the third-party having access to the entire internal network via VPN, they will have a login to a portal that only allows access to the authorized environment. Amidst this control, it is essential to conduct independent and detailed assessments of cybersecurity and data privacy risks even before homologation and the commencement of service provision.

In summary, companies must be aware of the risks, responsibilities and impacts that incidents like these can bring, considering effective communication and awareness among teams and various stakeholders indispensable to ensure the success of preventive and structured actions.

Browse our latest issue

Intelligent Tech Channels LATAM

View Magazine Archive