Supply Chain Vendors May Be Your Company’s Weakest Cyber Link

Last week, my brother Joe shared with me that his company’s key supplier was hacked. The hackers brought the vendor’s entire system completely down and demanded ransomware in the millions. This became a major inconvenience for my brother’s organization as they had to print and deliver thousands of shipping labels to the supplier, who is several hours away from them, via a rented van. Fortunately, Joe’s company was not directly impacted; but it has certainly given them pause. They spent $250,000 to upgrade their own network and are in the process of developing stricter security measures for their vendors.

The question you may be asking “How do you manage third-party risk with potentially hundreds of suppliers tied to your network?” The answer is: very carefully! Truthfully, there are a few common-sense approaches, as well as, more complicated and costly ones. However, with the number of vendors tied to your network, you cannot afford to keep your head in the sand any longer regarding your supply chain.

Let’s take a hard look at what the research says and recommendations about ways to proceed with a workable plan.

The Cold Hard Facts

Per the 2016 survey of 608 CIO/CISOs via Bomgar:

• 89% of third-party suppliers access their customer’s website weekly
• 69% stated their company had possibly or definitely suffered a data security breach from vendors that accessed their network
• 44% stated they take a “no or yes” approach to vendor access, meaning a vendor either has no or complete access to their network

The Ponemon Institute surveyed 598 individuals and found:

• 87% do not conduct an audit of their vendors actual security and privacy practices
• 60% stated they do not monitor, on a real-time basis, the security practices of suppliers
• 49% experienced a data breach caused by a vendor that resulted in loss or misuse of sensitive data
• 33% believed their primary third-party vendor would NOT notify them if a data breach involving sensitive or confidential information occurred
• 21% stated there is no one person responsible for their organization’s vendor risk management program

According to Gartner:

• 55% of an enterprises IT budget is now spent externally
• By 2019, the demand for vendor security will grow by 30% as compared to 2016 initiatives

8 Common Sense Approaches to Supply Chain Management

1. Put mechanisms in place to limit access to your network and data.
   As it was stated in our June 23^rd blog post, 95% of all cyber breaches are unintended and accidental because a person had access to data they did not need to complete their work assignments. This may also be the case with your vendors. Find out what they truly need and limit their access to those applications.
2. Hire an outside firm to conduct a risk assessment of all your suppliers.
   This will authenticate a vendor’s true security picture and allow you to:
   1. Terminate the agreement if their vulnerabilities are too great
   2. Give a vendor with some weaknesses an allotted time to upgrade their process with no access to your system until the process is complete
   3. For future partnerships, mandate a pre-assessment as a requirement for doing business
3. Hold each vendor to the same security standards as your company.
4. Make sure your suppliers know they will need to meet your industry’s regulatory compliance standards (i.e. PCI-DSS, HIPAA, ITAR).
   If you company has certain state and federal regulations they must meet for data security, make certain your vendors are following the same standards.
5. Create an incident response plan where both parties must notify each other immediately if their system has been compromised.
   Make sure your vendors know if they do not follow this plan, it is grounds for immediate termination of your business arrangement.
6. Amend your business agreements to include items #2, #3, #4 and #5.
7. Hire an outside firm to continuously monitor and track activities of all vendors while they are on your network.
   This sort of monitoring will provide you with real-time alerts to potential problems, quarantine issues and keep certain traffic off your network all together. You will also know if certain companies that were once compliant, have started slipping in their cybersecurity efforts.
8. Assign one company IT professional to manage the vendor risk management program.
   By having one person responsible for all the items listed above, cybersecurity issues are less likely to fall through the cracks or the consummate “he said/she said” is unlikely to occur.

Shellproof Security Helps SMB Clients to Succeed

With over 15 years in Information Technology, we have found one thing to be consistently true: the small and mid-sized business has been neglected. Let us be your outside firm to manage vendor relations and make sure your network is completely protected! Please give us a call today at 212-887-1600 to learn more!