According to Booz Allen Hamilton, third parties were the number-one security risk to financial services firms in 2015.
Despite this, the PWC 2015 US State of Cybercrime Survey found that:
- 19% of CIOs are not concerned about supply-chain risks
- Only 42% of respondents consider supplier risks
- 23% do not evaluate third parties at all
- Most companies do not have a process for assessing third parties’ security capabilities before doing business with them
Attackers continue to target personally identifiable information through third-party systems, and those systems remain a key way in for cyber criminals.
Perhaps the most infamous of these incidents was the Target data breach in 2013. The attackers compromised Target’s HVAC contractor to gain entry to their point-of-sale (POS) environment, from which they stole 110 million customer credit card details.
Third-party security: An emerging problem
While most companies are still grappling with securing their own networks, data, and users, defending against attacks that target business partners or reuse previously stolen information adds a new layer of complexity.
Smaller organizations are often the bigger risk
Increasingly, smaller organizations are becoming targets as a way to reach the sensitive data of larger businesses.
Many small businesses do not have the budget, resources, or internal knowledge to implement effective cybersecurity measures, which makes them easier to victimize.
It’s important for any organization to document their supplier management security policy so that both sides know the score.
Writing a supplier management security policy
Your suppliers should be treated as an extension of your ISMS (information security management system).
You need to document the relationship so that it covers the information assets within your own scope. It must address the storage, transmission, and processing of information, even where that information is encrypted. You must also decide who is responsible for the relationship and who will oversee the supplier’s implementation and maintenance of the security controls.
Supplier management security policy sample
Taken from the ISO 27001 ISMS Documentation Toolkit, this sample template will help you write your cybersecurity policy for managing supplier relationships.
This template can be tailored to your business, taking away the hassle of writing the policy from scratch.
The full ISO 27001 ISMS Documentation Toolkit contains all the necessary documents to implement your own ISO 27001-aligned ISMS.
ISO 27001 is the internationally recognized cybersecurity standard against which organizations can achieve certification, proving their commitment to information security to stakeholders and customers.