Is Your Supply Chain Putting Your Company at Significant Risk?
Published December 2, 2024.
When it comes to consequences, it does not matter much whether a data breach was caused by weaknesses in your own cybersecurity or in that of a third-party service provider. Whether the mistake is yours or theirs, you will be hit with fines, seriously bad publicity, and a devastating loss of clients. As the world nearly completed the transition to digital commerce over the past year, supply chain attacks jumped 430%. Vendor security is more important now than ever. Do you know which data your vendors have access to and whether their cybersecurity is adequate? Most compliance programs include vendor risk management and due diligence, but even if you do not plan to pursue ISO 27001 or SOC 2, you should still examine your vendor and service provider security carefully.
Here are just three of many examples:
Target Corporation 2013
Target was ordered to pay an $18.5 million settlement for putting 41 million customer payment accounts at risk. Attackers hacked the retail giant’s computer gateway server with credentials stolen from a third-party service provider and installed malware to capture names, contact information, credit card information, and other sensitive data.
Ticketmaster 2018
Ticketmaster was accused of failing to assess the risks of a third-party chatbot on its payment page, as required by PCI DSS, even though the chatbot was not meant to process payments. The event ticket company found malware within a customer function that had access to names, contact info, and payment info. It was fined roughly $1.7 million in the UK alone, but the malware was found on Ticketmaster sites around the world.
SolarWinds 2020
SolarWinds is a software development company that was using a third-party service provider to update its Orion product. Hackers used password guessing, password spraying, and unsecured admin credentials to sneak malware into an update and gain access to the sensitive data of not only several Fortune 500 companies, but also various institutions of the United States government, including the Pentagon, the Department of Homeland Security, the National Nuclear Security Administration, the Department of Energy, and the State Department. Private companies that were affected included Microsoft, Intel, Cisco, and Deloitte. The attack went undetected for months until a cybersecurity firm discovered that its own hacking tools had been accessed and stolen, presenting another cause for concern. Though investigations are ongoing, Russia has been blamed for the attack and SolarWinds' shares have plummeted.
How to Determine and Reduce Vendor Risk
Once you become aware of the potential threat posed by inadequacies in your vendor and service provider security, you will probably be anxious to identify and resolve weaknesses in your supply chain. You can outsource your supply chain risk management and security due diligence to experienced professionals, or you can take the following steps on your own.
Mapping
You might be surprised by the number of service providers and vendors you use but are not aware of. Create a complete map of them all by inquiring with each division and team. Document your list in a database where you can store additional details about each one as you obtain them. Consider using one of the platforms out there that can assist and automate the due diligence process for you. These platforms will provide great visibility, dashboards, and reporting capabilities.
Risk Assessment
Some of your vendors might not have any access to sensitive data, but some could have direct access to your environment. The risk they present to your business depends on the data they receive and how they receive it. Determining the risk of each vendor will help you determine which controls you should implement.
Implementation
One method of ensuring that appropriate cybersecurity measures are in place is to send the vendor a questionnaire to complete. This method is appropriate for vendors who present lower risk and who do not require a high level of control. Another method is to send an auditor to collect information and evidence of the existing controls and security measures. This method is appropriate for vendors who require higher levels of security because they pose a greater potential risk to your business. After you assess the existing cybersecurity, discuss any gaps you discover and follow up with your vendors as needed with further questionnaires and evidence collection.
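The three steps above (map vendors into an inventory, tier each one by the data it receives and how it receives it, then pick questionnaire or auditor and track the gaps) can be kept in a small, reviewable model. The script below is an added illustration, not code from this article or from GRSee Consulting; the data classes, access modes, weights, required-control names and sample vendors are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Tier(IntEnum):
    LOW, MEDIUM, HIGH = 1, 2, 3

# Constructed weights: what data the vendor receives, and how it receives it.
DATA_WEIGHT = {"none": 0, "business_contact": 1, "pii": 2, "payment_card": 3}
ACCESS_WEIGHT = {"none": 0, "file_export": 1, "api": 2, "direct_environment": 3}

# Controls a vendor must evidence; the list grows with the tier (constructed set).
_BASE = ["mfa_for_staff", "incident_notification_72h"]
REQUIRED_CONTROLS = {
    Tier.LOW: _BASE,
    Tier.MEDIUM: _BASE + ["encryption_at_rest", "access_reviews_quarterly"],
    Tier.HIGH: _BASE + ["encryption_at_rest", "access_reviews_quarterly",
                        "annual_pentest", "logging_and_monitoring"],
}
# Low risk: questionnaire only; higher tiers need evidence or an auditor visit.
ASSURANCE = {Tier.LOW: "questionnaire", Tier.MEDIUM: "questionnaire + evidence",
             Tier.HIGH: "auditor visit + evidence"}

@dataclass
class Vendor:
    name: str
    data: list       # data classes the vendor receives
    access: str      # how it receives them
    answers: dict = field(default_factory=dict)  # questionnaire / audit findings

def risk_tier(v: Vendor) -> Tier:
    data_score = max((DATA_WEIGHT[d] for d in v.data), default=0)
    access_score = ACCESS_WEIGHT[v.access]
    if data_score == 3 or access_score == 3:  # card data or direct access: always high
        return Tier.HIGH
    return Tier.MEDIUM if data_score + access_score >= 3 else Tier.LOW

def control_gaps(v: Vendor) -> list:
    """Required controls not evidenced yet; an unanswered item is treated as a gap."""
    return [c for c in REQUIRED_CONTROLS[risk_tier(v)] if not v.answers.get(c, False)]

def follow_up_list(vendors: list) -> list:
    """(name, tier, method, gaps) for every vendor with open gaps, highest risk first."""
    rows = [(v.name, risk_tier(v), ASSURANCE[risk_tier(v)], control_gaps(v))
            for v in vendors]
    return sorted((r for r in rows if r[3]), key=lambda r: r[1], reverse=True)

INVENTORY = [  # constructed sample inventory, as it might come back from mapping
    Vendor("hvac-maintenance", ["none"], "direct_environment",
           {"incident_notification_72h": True}),
    Vendor("payment-chatbot", ["pii", "payment_card"], "api",
           {"mfa_for_staff": True, "encryption_at_rest": True}),
]
```

Note that the HVAC contractor holds no sensitive data at all yet lands in the highest tier because of its direct access to the environment, which is exactly the kind of vendor the mapping step tends to miss.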
Part of taking care of your own cybersecurity is verifying that of your vendors and service providers. Begin by mapping them, then determine the severity of the risk they present, and ensure the implementation of appropriate cybersecurity controls using questionnaires and auditors. If you do not have the necessary resources to map, assess, and ensure implementation of your vendor security, consider outsourcing your supply chain security risk management and due diligence to GRSee Consulting for a turnkey solution based on your business needs and risk appetite.