Supply chain attacks are on the rise, and many organizations seem unsure how to respond to the threat. I’m here to tell you that there are several steps you can take to minimize your risk of being involved in a supply chain breach.
These are the top five areas to consider:
Carry out a full IT review of your tech stack
You can’t protect what you can’t see. To minimize any unknowns, start with a full audit of your IT environment, including any unapproved shadow IT. You need to understand exactly what hardware, software and SaaS products are being used, where the security gaps lie, and which vendors and partners your business relies on – including the nature of those interactions, from the types of data they process to system interfaces and various levels of integration.
Next, assess how critical each supplier is to the business. If there are redundancies or unnecessary relationships, address them. Every vendor coming in or going out should be accounted for in a system of record, based on the type of service they deliver. Keeping an up-to-date inventory of vendors and centrally managing those relationships is the starting point for identifying and minimizing any inherent risks. Tiering partnerships also allows you to fast-track procurement for low-risk vendors.
Ask the right questions
When having security conversations, prioritize those vendors that matter the most. Focus on those partners whose compromise could cause the greatest damage and disruption to your business operations.
How strong is your suppliers’ security posture, what is their understanding of vulnerable areas and how are they bolstering their defenses? Being specific with tailored questions will yield better results. No matter how small your organization, come armed with a list of clearly defined requirements and be prepared to ask some uncomfortable questions.
Evaluate what risks your partners might be exposing you to, and what they are doing to close those gaps. Each vendor in your portfolio should be able to explain how they are protecting themselves and their customers against attacks, including how they restrict access to systems and how they encrypt data. Do they – as a minimum – follow industry standards? Can they demonstrate that they are safeguarding the confidentiality, integrity, and availability of their clients’ data in the same way you would? Vendors should also be able to show independent audits of their security performance when asked.
Set expectations for business continuity
When it comes to business continuity and disaster recovery (BCDR), it’s important to set clear expectations. If availability is a concern, firm SLAs must be built into the contract and your partner should have an adequate and well-documented incident response plan. If they don’t have a formalized and tested BCDR strategy to review, be prepared to work together to put one in place. It’s a good idea to file the answers in preparation for the next security review, too.
Build a culture of cyber security
It has been said many times, but users remain the weakest link. To mitigate this risk, organizations need to establish a strong security culture that is built on extensive staff training, supported by appropriate threat prevention and monitoring tools. Users must know how to spot suspicious activity – such as phishing emails – and they should always be strongly encouraged to report anything unusual, no matter how trivial it seems.
Continue to hold suppliers accountable
Once the initial risk assessment is complete, don’t forget to follow up on the findings. Now that the criteria for identifying your most critical vendors have been established, develop a proper way to evaluate them on a continuous basis. Measure vendors in a way that mirrors your organization’s internal requirements. In most cases, tier 1 vendors should be treated as an extension of the business, and thus should have policies, procedures, processes, and capabilities that are similar to or better than those you have set for your own organization.
Managing vendors is an ongoing process, not a one-off tick box exercise, so persevere and keep relationships transparent. Your partners’ security program should be moving in the right direction, and they should be able to demonstrate that they can adapt to changing threats.
In addition, as vendor relationships grow, so must the level of diligence and security expectations. Every contractual relationship comes with a level of accountability. Contractual security language will not only protect your organization by having vendors abide by best practices – it will set the cadence for the entire relationship. It will bind both parties to standards that should be met in the event of an incident. Incident response, data retrieval, data ownership, and rights to an assessment should all be agreed upon beforehand.
Businesses can and must demand quality security outcomes from their vendors. After all, the status of a trusted supplier is earned not through the length of a relationship, but from greater transparency around security. Work with your suppliers to identify possible weak points and continue to review your and their defenses on a regular basis. Building this trust will ultimately help you counter risks from supply chain attacks.