Defending Your Supply Chain Against Hackers
As organizations continue to outsource, form partnerships, and share data with third parties, a strong vendor risk management (VRM) program that stays ahead of risks in the information supply chain has to be a top priority.
Hackers stole confidential data from tens of millions of Target customers during the height of the holiday shopping season. A server breach at the U.S. Office of Personnel Management compromised the sensitive personal information of about 21.5 million people. Cybercriminals snatched the data of 15 million T-Mobile customers, including names, addresses, and drivers' license numbers.
On the Defense
In all three cases, the hackers gained access via an unsuspecting third party: a heating and air conditioning subcontractor that worked at Target locations; an OPM contractor; and, in T-Mobile's case, data collector Experian, which had been hired to perform credit checks.
The average large organization annually procures up to 100 new firms in its supply chain. Some of these third parties may have direct access to the client company's network; others may not but still hold sensitive data. Either way, each is a potential new entry point for hackers.
VRM requires two camps that haven't traditionally worked together—IT security and procurement teams—to collaborate closely as part of a multi-stakeholder drive to ensure that vendors are stringent watchdogs over cybersecurity. VRM should be a whole-organization initiative, including IT security, procurement, legal, and business units. A strong VRM program should have these elements:
Identify and assess risk. Identify all third-party vendors with any access to sensitive data. Then, collect information about the third party's security posture through remote or on-site interviews, documentation review, penetration tests, vulnerability scanning, and security ratings.
Ask about governance processes the vendor has in place around security, such as: Who is responsible for cybersecurity within the organization? How are security incidents reported? Do you outsource any IT or business functions to third parties?
Deep dive into the vendor's security sophistication: Do you have automated tools to ensure malicious software isn't deployed? Do you use encryption, access control, intrusion detection, and other mechanisms to protect data?
Add specific contractual language to protect your organization before you finalize a deal with a vendor. Once identification and assessment are complete, spell out security expectations in vendor contracts. A data breach through a third party is bad enough, but discovering that the contractual agreement with the vendor didn't clearly spell out security expectations is a terrible double whammy.
It's important to add specific and actionable language—for example, the vendor must use certain encryption technologies—to enforce protections and guard against legal scrutiny and liability.
Continuously monitor vendors to ensure they're compliant. A VRM program is feeble without assurance that third parties are following through on obligations. Solutions such as continuous, data-driven measurements of third parties' security performance offer the best way to ensure that their security posture mirrors how they've described it.
Formalized IT VRM programs help defend against hacking. Having a set of best practices around VRM, such as a comprehensive program to assess, monitor, and manage cybersecurity risk with third-party providers, helps keep your supply chain safe.