With the level of connectedness in our world, including dependence on hosted applications and cloud computing, the IT security of your supply chain has become just as important as your own. You may have been diligent in your actions to protect your corporate network and data, but what if your vendors or partners have not? Examples of this can easily be found in the news. Of particular note was the “NotPetya” attack in the summer of 2017. This attack was first aimed at Ukraine, but then went on to cripple hundreds of companies, from global shipping giant Maersk all the way to a Pennsylvania hospital. Losses were estimated at $10 billion. This is an example of a ransomware attack that quickly spread to organizations that were not directly connected to the original targets.
According to a recent Gartner study, 70% of business and IT executives say they have no idea how protected their third-party vendors or partners are when it comes to their IT security. Most say they rely on trust alone.
Getting your own house in order with respect to your IT security is a tall order in itself. Extending that to your vendors and partners, of which there may be many, can be a daunting task.
Here are some suggestions:
Effective, routine employee training programs need to be a priority and a requirement. Your people need to understand the cybersecurity risk landscape and how to mitigate those risks. They also need to understand the repercussions that can come from leaking information either accidentally or maliciously. These can be contractual penalties, legal costs, loss of reputation and loss of customers. Since employees are by far your greatest risk factor, making them as aware and vigilant as possible is a must.
Just as you need to have policies and controls in place to protect your organization, so should you require these to be in place with your vendors and partners. As an example, clear guidelines need to be in place for all users handling data and intellectual property regardless of their employment status, device being used, or location.
Ensuring your vendors and partners are complying with your required policies and controls is important. Consider the consequences if one of your vendors has a security breach that affects your customers. Your organization could potentially be held equally responsible. Verifying this compliance should be done on a regular basis.
Your data, handled by various vendors, most likely travels beyond their network and is potentially exposed to many other vendors and third parties they do business with. You have a right to know what the data flow is and who might come in contact with your data. Ask to see a data flow diagram.
To summarize, in order to have an acceptable level of IT Security in your supply chain, your organization’s IT security practices and policies must extend beyond your own network. If not, one of your vendors or partners could be the weak link in the chain that brings a cybersecurity nightmare to your doorstep.
To learn more about cybersecurity best practices, contact us.