Are Your Supply Chain Partners Increasing Your Security Risks?

In today’s global economy, virtually every organization depends upon a network of supply chain partners. The providers can range from cleaning personnel to fully outsourced IT operations.  They all pose different concerns from a security perspective.

One of the biggest threats stems from the interconnected nature of today’s supply chains. Many organizations give business partners access to their network, applications and data, increasing the risk of insider threats. Supply chain partners may not have robust security controls or follow best practices for protecting your systems and sensitive information. Attackers may find their way into an organization’s systems by stealing a third-party user’s credentials or hacking into a business partner’s network.

According to a recent study by Spiceworks, 44 percent of organizations have suffered a major data breach caused by a vendor or business partner. A study by the Cyentia Institute found that security incidents involving multiple parties are increasing 20 percent annually. These “ripple effect” data breaches involve 10 organizations, on average, and result in financial losses that are 13 times larger than incidents involving a single entity.

What’s Your Policy?

To avoid becoming a victim, you should carefully vet the security and regulatory compliance practices of your supply chain partners. This can be accomplished by requiring third parties to complete a security self-assessment or to provide written policies and procedures for review. Evidence of security certifications and references from other organizations that do business with the supply chain partner can also be helpful.

You should also develop detailed security policies for any third party that accesses your network or handles your data. The policies should define baseline security standards that apply not only to your business partner but to other entities upstream and downstream. It’s also critical to establish procedures for reporting security incidents. In the Spiceworks study, just 15 percent of organizations that suffered a third-party data breach were notified when the breach occurred.

Enforcing security policies consistently throughout the supply chain is essential. More than half (51 percent) of respondents to the Spiceworks study said they enforce security policies through contractual provisions, and nearly 80 percent said their supply chain agreements include financial or legal consequences in the event of a data breach. However, only half said they discontinued their relationship with a vendor that failed to follow security policies.

Making It Stick

What’s more, only 39 percent audit their supply chain partners’ security practices at least annually. This could leave significant gaps as new security threats proliferate and government and industry regulations become more stringent.

SageNet’s cybersecurity team has the experience and expertise to review your policies, procedures and security environment and make recommendations for improvement. We can also help you evaluate the cybersecurity practices of your business partners and vendors against standard frameworks such as PCI DSS, ISO 27001/27002 and NIST 800-53. Also, our penetration testing services can help identify vulnerabilities that could put your sensitive data at risk.

Your supply chain partners play a vital role in the successful operation of your business. If they don’t follow security best practices, however, you could suffer a security incident or data breach that brings devastating downtime and enormous financial costs. Given the significant threat of a third-party data breach, it makes good business sense to scrutinize supply chain cybersecurity. Give us a call if we can help.