With the proliferation of SaaS solutions, API integrations and cloud computing, virtually everything in the modern enterprise is connected to untold number of outside entities. In fact, many business processes depend on this connectivity, even when doing so broadens the threat landscape and puts the organization at greater risk.
This interconnectedness means that vendor vulnerabilities become your vulnerabilities. For proof, we need look no further than the massive NotPetya attack that took down hundreds of companies in the summer of 2017. What began as a quasi-cyberwarfare attack on the Ukraine crippled everything from global shipping giant Maersk to a hospital in Pennsylvania, causing $10 billion in losses—all essentially collateral damage. The incident brought the risk of vendor security front and center as the ransomware spread like wildfire, even to organizations that had absolutely no connection to the original targets.
But since then, it seems little has changed when it comes to implementing better supply chain cybersecurity risk management. A recent Gartner study found that 83% of organizations uncover third-party risks after conducting due diligence, and over 70% of business and IT executives admit to having no idea how diligent their third-party partners are when it comes to security. Disturbingly, over half say they rely on trust alone.
With so much at stake, it’s extremely troubling that so many organizations fail to make supply chain security a top priority. Most often, the problem is because IT is brought into the vendor evaluation process after a selection has already been made. Business units are empowered to conduct initial assessments and due diligence and bring the vendor for IT/security review only once the contract is ready for signature. That means IT becomes the “bad guys” when they pump the brakes or bring the deal to a halt.
To overcome this problem, IT must take a more strategic approach to ensuring supply chain security by equipping business units to evaluate vendor security earlier in the process. Here’s how to prepare business units to vet suppliers more thoroughly during due diligence and keep IT from having to step in at the last minute to nix the deal.
1. Train everyone on cybersecurity risks. Working in IT, you live, eat, breathe and sleep cybersecurity. But other employees likely do not. They’re not hyper-aware of the relentless risks, and most would be shocked to know just how large of a threat landscape organizations face. That’s why training is critically important. Make cybersecurity training a routine requirement so that those making vendor decisions—and even just everyday users—understand where the risks lie and how to mitigate them. By raising awareness, you build a more vigilant front-line defense.
2. Establish a baseline security policy. Create a set of specific guidelines, policies and controls requirements that vendors must meet in order to pass muster. This should include things like security training for internal staff, two-factor authentication, secure development policies, lifecycle management, penetration testing, asset management, mobile device security, change and access controls, and even physical/environmental requirements. By putting your vendor requirements in writing and making them non-negotiable, business units can conduct more thorough due diligence before presenting the vendor for security review.
3. Demand compliance verification. Make sure business units understand the critical importance of compliance with any mandates that govern your business or industry. In today’s environment, you are responsible for both your own and your vendors’ compliance. That means, in the event of a vendor breach, your company could be held equally responsible in some cases. Insist on proper documentation of compliance with GDPR, PCI, HIPAA, etc. And, remember, different markets have different requirements, so make sure business units know their vendors must show proof of compliance with mandates in the regions or countries in which you do—or will do—business.
4. Ask to see the data flow. At a basic level, most companies rely on cloud resources for storage or computing—virtually no one operates their own in-house datacenter. That means your data, connected to their systems via API, travels outside their network, potentially exposed to numerous other vendors, contractors and other third parties with whom they do business. You have a right—and a responsibility—to know what that data flow looks like, and who is potentially in contact with your data. Business units should ask to see a data flow diagram, and if the vendor claims this is “proprietary,” consider that a red flag.
5. Adopt a continuous, iterative approach to vendor security. Too many organizations rely on moment-in-time verification of protocols or certifications, but today’s business environment and threat landscape change far too quickly for an annual audit. Gartner suggests an iterative approach to reduce risk at the speed of modern business by identifying and remediating third-party risks before they have an impact. Making vendor compliance review an iterative process doubles your capacity to remediate risks, saving your organization a tremendous amount of time, money and frustration.
Giving business units a playbook for vendor security screening prior to, or as part of, contract negotiation arms them with the knowledge and capability to conduct more thorough due diligence. Ensuring that as many security and compliance boxes as possible are checked prior to IT review keeps IT from having to pull the plug on deals at the last minute. This not only protects the organization, but also eliminates the adversarial relationship between IT and the rest of the business, replacing it with a more cooperative, collaborative one.