Important Clues to Manage Cybersecurity Risks Related To Your Vendors

In today’s fast-paced business environment, effective enterprise risk management (ERM) is essential. Information security risks are also highly sensitive areas of concern for businesses, both small and large. However, can you be completely confident in your ability to manage security risks posed by third-party suppliers with whom you do business?

Meltem Yapar
DataBulls
5 min read · Dec 15, 2022

To reduce risk and prevent cyber security threats, organisations need to develop a risk management structure that includes defining risk strategies and implementing risk policies and procedures. Cyber attacks can cause significant damage to organisations, such as data breaches, reputational harm, financial losses and regulatory issues.

For very good reasons, many small and large enterprises have needed to understand the risks associated with their own business and to raise their cybersecurity maturity level by taking actions linked to those risks. However, I regret to say that third-party risks have not been thoroughly assessed by many organisations, and a new attack vector has emerged in recent years: the supply chain attack.

In this paper, I will solely address the controls that organizations should design or develop to safeguard against this attack, without delving into its specifics.

In today’s world, organisations collaborate with numerous third-party vendors to access services such as public cloud, software, maintenance, payroll and education. Ideally, they aim to adopt an integrated structure to facilitate simplified operations. However, this scenario heightens the likelihood of their risks permeating and threatening their stakeholders. In essence, their risks also pose a threat to you!

Therefore, it is crucial to establish an efficient control environment. Let’s talk about the controls :)

  1. Do you have a data inventory, and can you easily identify which data is important and critical for your business and must be protected at all costs?
  2. Do you know where the critical data is located? (I mean exactly where it is: which server, which database, which column, which folder, which locker, which locked drawer, which cabinet, etc. You have to know the exact location of the data in order to develop the required controls.)
  3. Which data is transferred to your third-party vendor, and which secure channel is used for this purpose? [Maybe you can establish a formal communication process, such as a dedicated portal developed only for this purpose, between you and your critical third-party vendors.]
  4. Do you take applicable legislation, such as the GDPR, into consideration?
  5. Are you sure that your employees share only the information third-party vendors need to deliver the related service? [You can manage this only with an information security awareness programme that covers both you and your third-party vendors.]
  6. Is there an up-to-date and complete list of every third-party vendor you have worked with?
  7. Do you have a defined and written baseline of security requirements that your vendors must comply with in order to work with you? Is there a set of requirements for measuring the risk level of vendors before the contract is signed, or a tool for understanding the cybersecurity risk scoring of your vendors?
  8. Do you manage third-party access to your critical assets and critical data efficiently? Do you have a vetting, authentication and authorization process for your vendors' employees?
  9. Is there an agreement process between all parties to develop an action plan for reducing the identified risks? Do all parties agree on which actions must be taken before the contract is signed?
  10. Do you define contractual requirements for secure design, coding and testing practices, in addition to licensing, code ownership and intellectual property rights? Have you considered an escrow agreement for the software code?
  11. Do you require penetration testing for critical vendors and request immediate action to remediate serious vulnerabilities? [If third-party vendors are unable or unwilling to undergo penetration testing, you must consider which other controls must be developed. Maybe, at this point, you should not be willing to integrate your systems with your vendor's systems.]
  12. Do you use static and dynamic code analysis tools to ensure the security of applications developed by third-party vendors? Is there a process or tool to guard against the presence of known vulnerabilities?
  13. Do you have a clear process between your organization and your third-party suppliers for reporting and responding to security incidents?
  14. Do you have robust communication and incident response plans in place? This includes a clear process for reporting and responding to security incidents, as well as established lines of communication between the organization and its suppliers.
  15. Do you require regular audits of third-party vendors, conducted by you, by external auditors, or by the vendors' internal audit personnel? [Don't forget the subcontractors the third-party vendors work with or will work with ;)]

These are fundamental controls in areas such as access control, awareness and training, risk assessment, and security assessment. If you require additional controls, refer to the NIST SP 800-53 standard. It provides a catalogue of suggested security controls that organisations can use to safeguard their information systems and data from cyber threats.

Furthermore, it is worth mentioning that operating these controls effectively demands process designs, delineation of roles and responsibilities, and buy-in from all relevant stakeholders.

In summary, managing the information security risks associated with third-party suppliers is vital for the overall security of an organisation. By implementing these controls, organisations can safeguard themselves and their customers from potential threats.

I hope you have a fantastic year where you can effectively handle your risks(:

Best regards,

Meltem Yapar
