Suppliers Could Be Your Weakest Security Link
The TV game show “The Weakest Link” could have earned a contestant up to $1 million, but the weakest link in your cyber network could net a hacker millions and potentially cost you your business. Your suppliers can be a big profit source for you as they boost your offerings and provide services you need, yet they can also put your business at risk.
The networks of businesses and their suppliers are often connected. However, this “togetherness” presents the possibility that your suppliers could become an accomplice in the compromise of your network.
No matter how many cyber security devices you have in place, a supplier’s access to your network could be the entry point for attackers to access your network and ultimately your most prized intellectual property. In short, you are only as safe as the weakest link in your online supply chain.
We have come a long way in securing our own infrastructures and networks. But the new game in town is ensuring every vendor in your supply chain has security measures in place that are equal to or better than that of your business. The security guidelines of the Gramm-Leach-Bliley Act mandate that financial institutions must contractually require their affiliated and non-affiliated third-party service providers that have access to a financial institution’s customer information to protect that information.
According to the Ponemon Institute 2013 Securing Outsourced Consumer Data Report, 65% of organizations surveyed had a network security breach involving consumer data outsourced to a vendor, and 64% say it has happened more than once. In recent months, several high-profile breaches were found to have been caused by the victim organizations’ vendors.
For example, the New York Times website was defaced and experienced sporadic downtime because one of its resellers responded to a spear phishing attack, which allowed hackers to steal the reseller’s login credentials to the Times’ network. No matter how strong your security posture is, if you are breached due to a partner’s vulnerabilities, you will be seen as the weak one as it is up to you to properly manage your risk.
Your credit union may have relationships with mortgage and insurance companies, independent sales organizations like Visa that solicit your customers, and companies that store, process or transmit cardholder data.
While you can’t stop outsourcing services to third parties, you can have agreements with them that state what type of security precautions they are responsible for. Whatever the contract a vendor asks you to sign may say, it is up to you to add language that ensures their security practices and policies are up to par.
When considering doing business with third-party vendors, you need to know their current network security practices and the security precautions they regularly implement. Your vendors’ security standards should be just as robust as your own. An outside security company can assess a prospective vendor’s risk and provide a report recommending ways to mitigate the risk.
During the RFP stage, define what security measures proposals should include. In your Service Level Agreements, make sure vendors list the processes they will take to protect your network, and ensure that you can review their regular security test reports.
It’s not just an organization’s hardware and software that needs to be checked. You also need to state in the contract the security training the supplier will provide for all its employees. If one of your suppliers’ employees divulges information to the wrong person or loses a mobile device with your information on it, your network could be breached.
If you are breached due to a vendor and customer data may be at stake, you will need to report it to regulators and customers. If your suppliers won’t meet the demands you want stated in their SLAs, use another vendor. Their carelessness could cause you to lose time, money and customers.
Tips for Securing Your Supply Chain
- Conduct a thorough due-diligence assessment of each supplier’s security infrastructure and environment, drawing on open-source intelligence. Partner with an outside security firm if you need help.
- Insist that your suppliers provide proof of a recent penetration test and/or vulnerability scan of their network.
- Be sure your vendors only have access to the information on your networks they need.
- State which party will be responsible for remediation costs and notifying customers in case of a breach caused by the vendor.
- Ensure that your vendor provides an employee security education training program that new and current employees must complete annually.
- Include a clause in your contract that states if the vendor fails to perform stated security practices or does not rectify any vulnerabilities found within 30 days, you may terminate the contract.
Jeff Multz is director of North America Midmarket Sales at Dell SecureWorks in Atlanta.