IT Security and the Supply Chain Act: What to Do Now
The Supply Chain Act obliges companies (more than 3,000 employees from Jan. 1, 2023; more than 1,000 employees from Jan. 1, 2024) to demonstrate that they operate in a sustainable and socially just manner. This covers the company's own organization and its shareholdings as well as its suppliers and sub-suppliers. In short: the entire supply chain worldwide, from raw material extraction to product delivery.
Purchasing and compliance management are now more than ever required to continuously check the overall risks of suppliers. With LocateRisk security monitoring, this is already effortlessly possible in the area of IT security. The automated analyses continuously record, evaluate and document the external IT security situation of each organization and provide recommended actions for rapid risk mitigation. This ensures transparency in the supply chain, saves resources and contributes to trouble-free supply.
What exactly are companies expected to do under the Supply Chain Act?
Of course, companies cannot be held liable for all potential hazards in the supply chain. However, they are expected to know the risks of their suppliers and make efforts to take measures that help increase compliance standards. These efforts must be proven.
Supply Chain Act - What does it mean in terms of IT security?
Those who have not already done so should also address IT security in the supply chain in the wake of the new Supply Chain Act. Collaboration between companies, suppliers and service providers is based on the shared use of personal data, which requires all participants to open up their own networks to external access. These access points must be adequately secured in order to minimize the risk of cyber attacks through them, and of the data loss and downtime that result.
Why are attacks via the supply chain so threatening?
If cyber criminals succeed in compromising a service provider or supplier, there is a risk of a chain reaction with incalculable effects on the supply chain. A well-known example is the attack on the American IT service provider Kaseya: by exploiting a vulnerability, the attackers managed to encrypt the data of hundreds of companies in the USA, Germany and Sweden. On a smaller scale, but highly topical, is the attack on the IT service provider of the Darmstadt-based energy supplier Entega. The ransomware attack hit not only Entega but several customers at once, including the Frankfurter Entsorgungs- und Service-Gruppe (FES), the Mainzer Stadtwerke, Heag Holding as the group of Darmstadt municipal companies, Bauverein AG as the city's real estate company, Darmstadt's Eigenbetrieb für kommunale Aufgaben und Dienstleistungen (EAD), and several municipalities in the Odenwald region. Although critical infrastructures were not affected, homepages were no longer accessible and numerous online services were massively restricted. In addition, thousands of employees were unable to access their mail accounts.
How IT security monitoring supports risk minimization
The external IT attack surface of companies is constantly growing and changing, and complex infrastructures can no longer be monitored manually. At the same time, regulations such as the IT-SiG 2.0 and the EU GDPR oblige companies to continuously improve their level of security. It is to be expected that this will also become relevant in the context of the Supply Chain Act.
Automated IT security analyses from LocateRisk already help numerous companies and institutions to minimize risk systematically. They consolidate data from hundreds of sources into a risk report prioritized by criticality. Those responsible can see at a glance what the IT security situation of business partners and suppliers is, assign tasks directly and make decisions. For central administration, the solution can be connected to various monitoring and reporting platforms such as Jira and Splunk.
With IT security monitoring you can:
Check, evaluate and compare IT security of thousands of companies at the same time
Demonstrate adherence to industry and procurement compliance requirements
Document measures and activities to mitigate risks within the framework of the Supply Chain Act
Accelerate the business partner risk management process
Save time and personnel resources through automated audits
IT security analyses for business partner risk management
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.