[BreachExchange] Supply chain security: Five IT strategies for choosing vendors wisely

Destry Winant destry at riskbasedsecurity.com
Mon Sep 9 09:13:42 EDT 2019


With the proliferation of SaaS solutions, API integrations and cloud
computing, virtually everything in the modern enterprise is connected
to an untold number of outside entities. In fact, many business processes
depend on this connectivity, even when doing so broadens the threat
landscape and puts the organization at greater risk.

This interconnectedness means that vendor vulnerabilities become your
vulnerabilities. For proof, we need look no further than the massive
NotPetya attack that took down hundreds of companies in the summer of
2017. What began as a quasi-cyberwarfare attack on Ukraine
crippled everything from global shipping giant Maersk to a hospital in
Pennsylvania, causing $10 billion in losses—all essentially collateral
damage. The incident brought the risk of vendor security front and
center as the ransomware spread like wildfire, even to organizations
that had absolutely no connection to the original targets.

But since then, it seems little has changed when it comes to
implementing better supply chain cybersecurity risk management. A
recent Gartner study found that 83% of organizations uncover
third-party risks after conducting due diligence, and over 70% of
business and IT executives admit to having no idea how diligent their
third-party partners are when it comes to security. Disturbingly, over
half say they rely on trust alone.

With so much at stake, it’s extremely troubling that so many
organizations fail to make supply chain security a top priority. Most
often, the problem arises because IT is brought into the vendor evaluation
process after a selection has already been made. Business units are
empowered to conduct initial assessments and due diligence and bring
the vendor for IT/security review only once the contract is ready for
signature. That means IT becomes the “bad guys” when they pump the
brakes or bring the deal to a halt.

To overcome this problem, IT must take a more strategic approach to
ensuring supply chain security by equipping business units to evaluate
vendor security earlier in the process. Here’s how to prepare business
units to vet suppliers more thoroughly during due diligence and keep
IT from having to step in at the last minute to nix the deal.

1. Train everyone on cybersecurity risks. Working in IT, you live,
eat, breathe and sleep cybersecurity. But other employees likely do
not. They’re not hyper-aware of the relentless risks, and most would
be shocked to know just how large of a threat landscape organizations
face. That’s why training is critically important. Make cybersecurity
training a routine requirement so that those making vendor
decisions—and even just everyday users—understand where the risks lie
and how to mitigate them. By raising awareness, you build a more
vigilant front-line defense.

2. Establish a baseline security policy. Create a set of specific
guidelines, policies and controls requirements that vendors must meet
in order to pass muster. This should include things like security
training for internal staff, two-factor authentication, secure
development policies, lifecycle management, penetration testing, asset
management, mobile device security, change and access controls, and
even physical/environmental requirements. By putting your vendor
requirements in writing and making them non-negotiable, business units
can conduct more thorough due diligence before presenting the vendor
for security review.

3. Demand compliance verification. Make sure business units understand
the critical importance of compliance with any mandates that govern
your business or industry. In today’s environment, you are responsible
for both your own and your vendors’ compliance. That means, in the
event of a vendor breach, your company could be held equally
responsible in some cases. Insist on proper documentation of
compliance with GDPR, PCI, HIPAA, etc. And, remember, different
markets have different requirements, so make sure business units know
their vendors must show proof of compliance with mandates in the
regions or countries in which you do—or will do—business.

4. Ask to see the data flow. At a basic level, most companies rely on
cloud resources for storage or computing—virtually no one operates
their own in-house datacenter. That means your data, connected to
their systems via API, travels outside their network, potentially
exposed to numerous other vendors, contractors and other third parties
with whom they do business. You have a right—and a responsibility—to
know what that data flow looks like, and who is potentially in contact
with your data. Business units should ask to see a data flow diagram,
and if the vendor claims this is “proprietary,” consider that a red

5. Adopt a continuous, iterative approach to vendor security. Too many
organizations rely on moment-in-time verification of protocols or
certifications, but today’s business environment and threat landscape
change far too quickly for an annual audit. Gartner suggests an
iterative approach to reduce risk at the speed of modern business by
identifying and remediating third-party risks before they have an
impact. Making vendor compliance review an iterative process doubles
your capacity to remediate risks, saving your organization a
tremendous amount of time, money and frustration.

Giving business units a playbook for vendor security screening prior
to, or as part of, contract negotiation arms them with the knowledge
and capability to conduct more thorough due diligence. Ensuring that
as many security and compliance boxes as possible are checked prior to
IT review keeps IT from having to pull the plug on deals at the last
minute. This not only protects the organization, but also eliminates
the adversarial relationship between IT and the rest of the business,
replacing it with a more cooperative, collaborative one.
