The use of third-party tools to manage or store your organisation’s sensitive or mission-critical data carries significant risks. As such, it is important to carry out a supplier risk assessment to ensure that critical suppliers or vendors within your supply chain are assessed appropriately. An effective supplier security assessment can help organisations to gain a better understanding of what risks are associated with the third-party product or service.

The following measures can help organisations gain a full understanding and clarity on the risks associated with their supply chain.

Conduct due diligence

Due diligence should be carried out before any information is shared with the supplier or any contract agreements drawn up. This process ensures that the suppliers’ existing security controls are evaluated. This can be conducted through a supplier security evaluations questionnaire.  This questionnaire can provide clarity into the supplier’s security controls, risks involved and processes in place to prevent data breaches.

Request for security assurance or evidence of security status

It is important to request security assurance to ensure that security expectations are being fulfilled. Organisations can request certifications as an independent assurance that the supplier’s security controls are effective. For example, the Cyber Essentials Plus or international security certifications such as ISO27001.

Include security requirement in supplier agreements or contracts

The organisation should have a defined level of security controls that all suppliers are required to have in place. For example, ensuring that all devices within an organisation are encrypted or that all suppliers are Cyber Essentials certified.  The results of the supplier security evaluations questionnaire should be able to show if the supplier can meet this requirement. Any supplier contracts should include information security clauses to further enforce this.

Classify suppliers and continuously monitor high-risk suppliers

Once onboarded, it is important to classify your suppliers to ensure that the appropriate level of risk management is applied to each supplier. Critical suppliers are those that are crucial to business operations and should be closely monitored. These suppliers should be assessed on a regular basis to ensure their information security practices continue to align with the organisation’s requirements.

Actively communicate and share lessons learned

The root cause analysis of any security incidents should provide lessons learned. These can be used to continuously improve the organisation’s security posture. Any relevant lessons learned should be shared with suppliers to ensure that they also remain secure and any ‘known’ vulnerabilities are resolved in a timely manner. Open communication of sharing best practices implemented within your organisation can encourage suppliers to take a proactive approach to their security. Developing a partnership with suppliers can be a more effective approach to ensuring supply chain security, rather than mandating compliance.

As we have seen with the recent GoDaddy data breach, suppliers are potential attack vectors into an organisation’s system or network. It is important to ensure that high-risk suppliers are monitored on a regular basis to ensure that any potential threats are addressed immediately. After all, the organisation’s cybersecurity controls can only remain as effective as the weakest link across its supply chain.

Author: Mae Patlong,  Information Security Consultant, Smarttech247