Vendor and Supply Chain Risk

Businesses have always outsourced work.  It used to be plumbers and what were referred to as “the trades”.  Now it is programmers and manufacturing.

What is different now is the degree of connectedness that those suppliers have.

A couple of examples:

Target uses HVAC contractors to maintain the refrigeration in their stores. It used to be if the cooler broke or if you were installing a new one, you picked up the phone and told the contractor what you wanted.  Now there is a portal and the portal is connected to your accounting system and your document management system … and, and, and.

In Target’s case, maybe a little too connected because this contractor was the ignition point of Target’s 2013 breach which exposed information on over a hundred million customers.

In the OPM breach, it was also a contractor that was the ignition point of a breach that released very sensitive information on over 20 million people who hold government security clearances.

The recent T-Mobile breach happened 100% at their credit decisioning vendor, Experian.  T-Mobile’s systems were not even touched.

Given these stories and scores of others, you would think that businesses would be checking out the security of their vendors and making sure their contracts had really tight representations and warranties.

On the other hand, here are some real statistics:

  • 92% of businesses do not have any supply chain risk management abilities in place
  • 70% of enterprises enter into contracts with external vendors without having conducted any security checks
  • 60% of organizations grant vendors remote access to their internal network
  • 63% of data breaches are caused by security vulnerabilities introduced by third parties

Just like every study, we could argue about each of those statistics, but I really don’t care a lot about the specific value of any of those statistics.  If 92% is wrong, is 80% right?  Would you agree to 65%?  Those are still very big numbers.  You get the idea.

So, just maybe, putting a supply chain risk management process in place might be a good idea.

The challenge for businesses, of course, is that it takes time and money and slows down the business process.

Of course, so do security breaches.

You can create a supply chain risk management process.  The article linked below gives some ideas and there are many more things that you can do.

The financial industry is the best at this, but even they have room for improvement.

What it takes is a commitment to create a process, staffing and some money, and being willing to deal with the griping on the part of employees and vendors.  Interestingly, bank employees and vendors don’t seem to gripe much about it.  They know it is just part of the deal.

The next time you hear about a breach, check whether a vendor was involved.  Likely, it will be.



Information for this post came from Infotech.
