Protecting Your Supply Chain – Why Your Business Partners Are Your Biggest Threat Surface

This is a guest article written by Jay Caissie. The author’s views are entirely his own and may not reflect the views of IT Governance USA.

People and businesses alike are more connected and collaborative than they’ve ever been. There’s a problem with this, though. If you’re not careful, even the most well-meaning business partner could put your data at risk. Here’s why (and what you can do about it).

Cyber criminals are a lot like lightning – and not just because of how destructive they can be to digital data. Like an electrical current, they will inevitably gravitate towards the path of least resistance – the route that will allow them to simultaneously maximize their gains and minimize their efforts.

In some cases, that’s an unpatched system, an ignorant but well-meaning employee, or a well-crafted phishing email. In others, it’s nothing to do with your business at all.

Remember the high-profile Netflix hack back in 2017? The one where the criminal hacker released ten episodes of Season 5 of “Orange is the New Black” after the streaming service refused to pay a ransom?

They didn’t target Netflix at all – at least not directly. They knew a major tech company would have serious security protecting its data. So instead, they searched through the supply chain until they found a weak link: a small audio post-production vendor (Larson Studios) that held the unreleased episodes.

That is to say, they compromised Netflix through one of its business partners, executing something known as a supply chain attack. Even though larger organizations are investing more in cybersecurity and their employees are becoming savvier about the social engineering tactics used by criminal hackers, such attacks are becoming increasingly common. Netflix is far from the only example, either.

Target’s 2013 breach began with network credentials stolen from its HVAC vendor. Equifax’s 2017 breach exploited an unpatched vulnerability in Apache Struts, a third-party web framework running in Equifax’s own customer portal – third-party code rather than a third-party partner, but a supply chain weakness all the same. Incidents such as the Panama Papers (Mossack Fonseca) and the Paradise Papers (Appleby) were the result of law firms failing in their duty of care to protect their clients’ sensitive data.

According to the Ponemon Institute’s 2017 Third Party Data Risk Study, 56% of respondents reported a data breach caused by one of their third parties.

The lesson here is clear. The vendors, partners, and merchants your organization works with are every bit as much of a threat to your security posture as your own systems. They are part of your threat surface, and if any of them isn’t secure, then neither are you.

It’s a bitter pill to swallow, and an idea that, for many, will take some getting used to.

But get used to it you must. Because the alternative – burying your head in the sand and hoping the third parties you work with care about protecting your data – is not acceptable. You need to take measures to guard yourself against supply chain attacks, just as you must protect against phishing scams, ransomware, DDoS (distributed denial-of-service) attacks, and malware.

Mind you, this is easier said than done. Internal security risks are under your direct control; third-party risks require more legwork and finesse:

  • Assess prospective partners. Before you commit to working with a new vendor or partner, insist on seeing its information security policy and evidence of the controls it has actually implemented (an independent audit report or a certification such as ISO 27001 carries more weight than a questionnaire answer). This will give you a sense of whether it is safe to work with – you may even want to go a step further and bring in a third-party expert to assess it.
  • Do your due diligence. Some businesses lack the resources or clout to demand an audit – but that doesn’t mean they’re out of luck. Look at a vendor’s internal processes and policies, read through its agreements, and check online to see what other customers are saying about it. A vendor with lax security practices will eventually acquire a reputation as such.
  • Sign a security agreement. As an addendum to the above, add security clauses to every vendor agreement you sign: minimum controls, breach notification deadlines, and your right to audit. Partners that are not committed to security or that refuse to sign such an agreement are partners you shouldn’t work with.
  • Keep control of your files. You needn’t lose control of data once it passes outside your perimeter. Consider a solution that lets you monitor, track, and control access to sensitive documents, with access that expires and can be revoked per vendor. That way, if a vendor does bungle things, you can simply revoke its access to the affected files rather than hope it deletes them.

Criminals will always seek the path of least resistance – and that is increasingly somewhere along your organization’s supply chain. You need to be cognizant of that fact. Be careful who you work with and who you trust with your data.

Otherwise, it won’t matter how impressive your internal security is – you won’t be safe.

Cyber health check

Need to assess your cyber risk exposure? IT Governance’s three-day Cyber Health Check combines on-site consultancy and audit, remote vulnerability assessments, and an online staff survey to assess your cyber risk exposure and identify a practical route to minimize your risks. Receive a prioritized action plan for controlling your cyber risks in line with your risk appetite.

Get a cyber health check of your business with IT Governance USA >>