Supply chain risk is a hot button right now and getting hotter.
It has always been an issue – it was the source of the Target breach, the Home Depot Breach, Panama Papers and thousands of others that you never heard about. According to a Ponemon study, 56% of organizations admit that they had a breach caused by one of their vendors.
According to that study, the average number of vendors a company is sharing sensitive data with is 471 and only 35 percent of the companies had a list of all of the vendors that they were sharing data with.
The problem doesn’t stop when you terminate a supplier relationship because they do not delete all of your data when you go away. They keep it.
Add to that the fact that only 18 percent had a handle on fourth party risk – the risk that comes from your third parties using their own third parties.
Regulators are starting to deal with it. New York is requiring financial service providers to actively manage it and it is not easy.
GDPR also holds companies responsible for what their vendors do with their data, so if you do business in Europe, that is another concern.
Expect regulators to add more third party risk management to their requirements over the next few years. Colorado just did that.
Supply chain risk not only includes vendors that provide services to your company, but also hardware vendors and software providers. Each purchased device, each downloaded application needs to be vetted, and monitored for potential security risks, and all patches have to be up to date.
The Magecart malware in the Magento Open Source eCommerce software has allowed hackers to steal millions of credit cards.
Supply chain risk not only puts your client’s data at risk, but also puts your own intellectual property at risk. When the hackers come, they take everything,
Cloud service providers add their own risks. Recently researchers were able to compromise at least a half dozen large web hosting providers.
And professional service providers – accountants, lawyers, analytics providers and many others add their own risk to the mix.
So what do you need to do?
Kind of like when alcohol gets out of control, the first step is admitting that you have a problem.
The biggest suppliers are likely not the biggest risk. They often have robust security programs, but even when they do, those sometimes fail . Think about Equifax.
We are seeing more CONTRACTS requiring supply chain risk management. Vendors may be asked to self assess or use third party risk vendors like CyberGRX, Vendorly or others. And there are vendors that provide security scores such as Bitsight and Security Scorecard.
Companies need to up their game when it comes supply chain risk – because the bad guys have already done that.
Information for post came from CSO Online.