Today’s typical enterprise is being inundated with vast volumes of confidential data and intellectual property traversing its ecosystem. Of course, understanding the flow of data moving across a supply chain has always been critical to gauging supply chain risk. But in today’s ecosystems, those data flows are becoming increasingly complex and opaque. Amid rapid advances in technology, the variety and number of threats and vulnerabilities to business data are growing, and among them, third-party incidents are on the rise.

As challenging as it is today, identifying ecosystem risk is critical to understanding the potential threat to your organization. Clarity on the following is critical:

Your organization’s place in the ecosystem. The organization must understand its internal and external environments and determine its mission-critical information assets, where they exist and how they flow across this system. This will enable a risk-based approach that’s solidly focused on protecting all critical information.

Data sharing. With threats and risks in this model being significantly different, one supplier’s impact on clients, upstream or downstream, can now mean a loss of service, integrity or data. These data supply chain dependencies mean we need to aggressively understand connectivity, data sharing and relationships with every ecosystem partner. This includes understanding the ongoing level of data sharing between businesses and suppliers. Smart ecosystem stakeholders are now having deeper conversations about fourth parties and concentration risk, for example.

Cloud security. The ongoing migration to cloud services, which has been dramatically accelerated in response to the pandemic’s disruptive impact, also increases the potential for internal and external threats. Attacks compromising business email, for example, can now more easily invade clients and suppliers. But the shift to cloud infrastructure has put businesses in an unusual position. The ability to gain assurance of major cloud providers’ security architecture remains limited, yet business users are accountable for lost or compromised data if cloud services are breached. In general, the cloud has modified the risk landscape in the supply chain and is forcing businesses to be creative in their methods to gain assurance or re-evaluate their risk appetite. Given the proliferation of cloud hyperscale providers, the issue of cloud security risk may be something that only a regulator can address at a systemic level.

Intersection of risks. In addition to cyber and data risk, organizations are looking more closely at the intersection of several different types of risks in the ecosystem. For instance, does financial resilience potentially indicate future cyber risk? Advanced analytics and machine learning models are starting to identify such potential risk scenarios and reveal significant potential issues downstream. As risk models, better access to ecosystem data, and improved technology become part of the third-party security toolkit, management will enhance its risk visibility and ability to make cyber risk-enabled decisions.

The ability to innovate and collaborate in the new reality requires an ability to more easily integrate data and suppliers into the ecosystem without significant disruption. Data drives innovation in the modern economy, and open architectures and open application programming interfaces (APIs) are at the heart of this. Acting as the bridges that connect organizations to third parties and their wider ecosystems, APIs have become crucial for the future of commerce.

While innovation and collaboration influence our ability to secure the ecosystem, consumer data’s vastly increased flow and accessibility are also creating significant new privacy challenges. Amid growing privacy, security and ethical concerns and regulatory scrutiny in the wake of the pandemic, the importance of understanding your data environment becomes a central focus. Nowhere does this play out in the privacy arena more clearly than in the area of data subject rights (DSR).

This new ecosystem-driven cyber environment will likely require improved legal and regulatory frameworks that reduce agency considerations that often lead to lower visibility and increased liability. Several federal governments have started to break down silos hindering speed in cyber adoption and visibility. Building machine readability, shareability and risk-driven models into our assessments is also beginning to help.

Organizations should look to some of these models commercially and enable better ecosystem frameworks to support interoperability, reduced liability, and lower regulatory hurdles to meet security objectives.

By working together, building a risk management, regulatory, privacy, resilience, and technology framework, we can continue to evolve our ecosystems and reduce risk. We look forward to a new reality that allows much-needed innovation and progress to move at the speed of business.

The excerpt was taken from the KPMG Thought Leadership publication Securing the life sciences ecosystem.