Supply Chain Risks: What Companies Should be Considering

By : TechnoEdge Learning October 8, 2021

Written by Marla Ovenden-Cooper

Companies are increasingly aware of information security. Protecting their data and reputation has become such an important consideration that many now see the CISO as a role that should have a seat at the boardroom table and be given more support across the company. However, when companies think about information security, the focus is still primarily on their own organization and their own security processes and plans. Supply-chain threats are a growing class of risk that companies also need to address: a breach at a third party can result in data leaks, denial of service, disruption of business operations, and malware reaching your own environment.

High Profile Attacks

In March 2020, one of the largest supply chain attacks on record began. SolarWinds shipped updates for its Orion software unaware that they contained malicious code. The attack, which may well be remembered as one of the most sophisticated and large-scale ever seen, passed through many supply-chain layers to reach data in both the public and private sectors. Two years earlier, Ticketmaster fell victim to attackers as a result of third-party JavaScript used on its payment page. The code was part of a support chat tool customized for Ticketmaster by a third-party supplier, Inbenta. Inbenta was compromised, and the attackers' ability to modify that code let them skim payment details from Ticketmaster customers, a breach for which the UK Information Commissioner's Office later fined Ticketmaster £1.25 million. Any script loaded from a supplier's host runs with the full privileges of the page that includes it, so supplier-hosted code on a payment page carries the same risk as your own code.

What Should You Do?

With such high-profile cases, businesses are now asking what they should be doing to avoid supply chain attacks. One of the first steps in protecting your company is to ask potential and current business partners to provide their security policies and practices for review before you partner. Consider what your third parties have in place. Do they follow a security framework? Do they follow international standards such as ISO 27001, and are they ISO 27001 certified? Do they have staff who have taken ISO 27001 Lead Implementer training?

It is well documented that breaches are often the result of human error. How does the potential partner or vendor provide training? Do they ensure that all staff receive training and coaching on information security, not just annually but regularly? Is cybersecurity training mandatory? Is information security ingrained in the culture? Do they conduct internal penetration tests, performed by professionals who have undergone PenTest+ training, and use the findings as teaching moments?

Consider questions related to incident response. What is their method for dealing with a breach? Do they have a response plan? Where do partners and providers like you fall in that plan? How, and how quickly, will you be notified? Will you have adequate time to address your own customer and PR concerns arising from their breach?

Next Steps

Once you have decided to move forward with a partner or vendor, there are specific considerations when setting up access. Third-party access should always be restricted to the minimum access and authorization required for the work. Create an inventory and map of all third-party access. Since not all vendors have access to all data, knowing which vendors can reach which data will be key to responding effectively if either side is breached. Continuously monitoring access requests and recording every change to access is an important part of maintaining that inventory.
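The inventory, data map and change monitoring described above can be kept as a small, queryable record rather than a spreadsheet that drifts out of date. The following is an added example written for this article, not code from TechnoEdge Learning or from any vendor product; every vendor name, system, scope and data class in it is constructed for illustration. It answers the incident-response question ("which vendors can reach this data class?"), compares the approved inventory against an access export to find privilege creep and stale grants, and logs each finding.

```python
"""Vendor access inventory with a data map and drift check.

Added example, not from the article. Every vendor, system, scope and
data class below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """One approved piece of third-party access."""
    vendor: str                 # the supplier
    system: str                 # where the access is provisioned
    scope: str                  # the role or permission actually held
    data_classes: frozenset     # data that scope can reach
    owner: str                  # internal person accountable for the grant


# Approved inventory (constructed): the minimum each vendor needs.
APPROVED = [
    Grant("chat-widget-supplier", "web-cdn", "script-publish",
          frozenset({"pii", "payment-card"}), "ecommerce-lead"),
    Grant("payroll-saas", "hr-db", "hr_readonly",
          frozenset({"pii", "salary"}), "hr-lead"),
    Grant("monitoring-msp", "prod-vpc", "viewer",
          frozenset({"telemetry"}), "sre-lead"),
]

# What the systems actually report today (constructed), as
# (vendor, system, scope) triples pulled from each system's access export.
OBSERVED = [
    ("chat-widget-supplier", "web-cdn", "script-publish"),
    ("payroll-saas", "hr-db", "hr_readonly"),
    ("payroll-saas", "hr-db", "hr_admin"),       # privilege creep: never approved
    # monitoring-msp's viewer grant is missing from the export: stale entry
]


def vendors_with_access(grants, data_class):
    """Vendors whose approved grants can reach `data_class`.

    This is the first question incident response asks when a data class
    turns up in a breach: which suppliers could have touched it?
    """
    return sorted({g.vendor for g in grants if data_class in g.data_classes})


def find_drift(approved, observed):
    """Compare the approved inventory with observed access.

    Returns (unapproved, stale): access that exists but was never approved,
    and approved entries that no longer exist and should be retired.
    """
    approved_keys = {(g.vendor, g.system, g.scope) for g in approved}
    observed_keys = set(observed)
    unapproved = sorted(observed_keys - approved_keys)
    stale = sorted(approved_keys - observed_keys)
    return unapproved, stale


class AccessChangeLog:
    """Append-only record of every change to third-party access."""

    def __init__(self):
        self.entries = []

    def record(self, action, vendor, system, scope, by, now=None):
        ts = now or datetime.now(timezone.utc)
        self.entries.append({
            "time": ts.isoformat(),
            "action": action,      # "grant", "revoke" or "flag"
            "vendor": vendor,
            "system": system,
            "scope": scope,
            "by": by,
        })
        return self.entries[-1]


def review(approved, observed, log, reviewer):
    """Run the drift check and log every finding; returns the findings."""
    unapproved, stale = find_drift(approved, observed)
    for vendor, system, scope in unapproved:
        log.record("flag", vendor, system, scope, reviewer)
    for vendor, system, scope in stale:
        log.record("revoke", vendor, system, scope, reviewer)
    return unapproved, stale


if __name__ == "__main__":
    print("vendors that can reach PII:", vendors_with_access(APPROVED, "pii"))
    log = AccessChangeLog()
    unapproved, stale = review(APPROVED, OBSERVED, log, "quarterly-review")
    print("unapproved:", unapproved)
    print("stale:", stale)
    for entry in log.entries:
        print(entry)
```

In practice the OBSERVED list would be generated from each system's own access export (an IAM policy dump, a database role listing, a CDN publisher list) on a schedule, so that a grant added outside the approval process shows up as drift at the next run instead of at the next breach. The owner field matters as much as the scope: when a finding is flagged, someone internal has to decide whether to approve or revoke it.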

Finally, conducting regular vendor risk assessments to confirm that vendors continue to meet the cybersecurity agreements you established, and auditing the supply chain, will contribute to ongoing cybersecurity success. Remember, it is no longer a question of whether you will experience a cyber event, but when, and how prepared you and your supply chain are to act quickly and collaboratively to mitigate the risk.



The information contained in this post is considered true and accurate as of the publication date. However, the accuracy of this information may be impacted by changes in circumstances that occur after the time of publication. TechnoEdge Learning assumes no liability for any error or omissions in the information contained in this post or any other post in our blog.
