Take a chance on me

Even small, home-spun businesses have a handful of third-party vendors with which they must connect to keep the lights on and the money flowing. Larger organizations might have hundreds or thousands of partners in the supply chain. 

If the business has a centralized procurement department and processes, someone, somewhere has list of every supplier. This means it’s potentially viable to track each vendor tied into the corporate network at some level, be it read-write access to a database, the ability to view financial transactions, or just one person with login credentials that, if compromised, could be used by an attacker to pivot through an organization or drop malware on the system.

Just tracking every partner is challenging enough. Now add in applying a risk assessment and score to all of these vendors—monumental. Nonetheless, it’s becoming clearer with each passing day that businesses need to have a baseline understanding of partners’/vendors’/suppliers’ attention to information security governance and controls. The effects of a supplier or supplier’s supplier breach can be costly from financial, time, reputation, and resources standpoints.

Regardless, the most rigorous third-party risk assessment program can’t account for every supplier’s supplier, so it’s important for organizations to make sure instituted or potential suppliers don’t only have their own (currently) thorough security program; the supplier must also maintain an iterative assessment program for its own suppliers. Did the supplier check the box on its supplier’s contract saying it will, in turn, implement leading security practices? Good start, but it doesn’t end there. If a supplier, downstream or otherwise, isn’t regularly asking its vendors to account for the security of systems, things could flow downhill quickly. Recall the TSA audit, during which the auditor found nearly 13,000 vulnerabilities, many of which were due to a failure to patch. Security at implementation does now always reflect security five years down the road, so vet contracts before signing and ensure they allow for revisiting the supplier’s security posture at any given time (this can be accomplished through a third-party pen test, not necessarily your org poking around in the vendor’s org, making them somewhat uneasy).

If you need me, let me know, gonna be around

If a contract is already in place and security details can’t be worked into it, use the renewal date as a way to make sure security is part of the criteria next time. Waiting for a later date is OK for non-critical systems, but finance, HR, and legal applications are among those that need to be regularly assessed and monitored. If a high risk vendor agreement is active but your organization didn’t include the right to audit in the contract and the vendor is unwilling to allow testing, it’s time to bring the executive team together, explain the risks associated with continuing to do business, and then decide collectively if it makes sense to pull the provider ASAP. Easier said than done, for sure, but one big breach of a major system and your company could face serious trouble for years to come.

In this regard, it makes sense—once all vendors have been identified—to organize vendors into risk categories. Maybe “high, medium, low” works; more sophisticated organizations might want to assign a risk score based on some of the popular frameworks (FAIR, COBIT, TARA, OCTAVE, NIST) or a home grown assessment method. Again, the scores or categories will change over time, but a baseline and risk level should be determined for each partner.

If you put me to the test, if you let me try

One size does not fit all when it comes to securing the supply chain, and each organization must commit to a due diligence process that may seem overwhelming, especially for organizations with a large number of partners but a small security and/or risk team. As businesses’ supply chains expand, so too must oversight. Jerod Brennen, IT Risk Management Consultant, offers that organizations should focus on three critical areas to get their supply chain risk under control: Access management, vulnerability management, and third-party attestation. Vendor risk assessment checklists could include hundreds of questions, but start with these three, Brennen advises, and your company can build a repeatable, lightweight process for assessing ongoing risk.