Supply Chain Risk:
The importance of vetting 3rd party vendors and their data protection tools
Modern organizations are increasingly interconnected, with complex supply chains extending across continents and categories. While this brings a range of business benefits, it also brings risks. Cyber-criminals understand how data is shared between links in the chain, and use that knowledge to access networks that would otherwise be well-protected.
The potential for breach makes third-party suppliers a significant source of cyber vulnerability. Because the business at the top of the chain can’t always control the security measures taken by vendors, criminals probe the smaller, less-well protected organizations in the chain and breach their weaker defences.
Suppliers often aren’t as aware of potential security threats and may not have the resources to manage cyber security at the same level as the contractor. Hackers are patient and willing to start small, sometimes lurking in breached systems for weeks or months before accessing and exfiltrating data assets.
It’s essential that businesses and their supply chain partners be aware of this risk, and work to protect one another’s systems and data.
Supply chain attacks are on the rise
In the last 10 years, a number of organizations have been hit by unexpected breaches and system disruptions caused by third-party suppliers, leading to reputational damage and recalls costing hundreds of millions of dollars. Affected industries include consumer products, pharma, automotive and electronics.
Both private and public sector organizations have struggled to stop or contain cyber breaches, losing critical data and proprietary info thanks to vulnerabilities in the supplier ecosystem.
In 2017 Equifax blamed its massive data breach on a flaw in third-party software. Later, a malicious download link on its website was blamed on yet another vendor. In 2014 the breach at Target was caused by weak security measures at an HVAC vendor.
Two of the highest-profile breaches in recent memory – the Paradise and Panama Papers, where tens of millions of files relating to offshore tax avoidance by major corporations, politicians, and celebrities were made public – were both enabled by weak security measures at law firms supplying the tax consultancies.
An expanding attack surface
According to a study by the Ponemon Institute, 56 percent of organizations have had a breach caused by a supply chain partner. The average number of vendors with access to sensitive information at larger organizations, meanwhile, is growing.
Only 18 percent of companies knew whether their vendors were sharing that information with other suppliers. That's worrying. Even if a breach at Company X is enabled by a contractor or sub-contractor, customers will blame Company X, and potentially take their business elsewhere.
In an era of heightened regulatory demands, third-party breaches can also complicate compliance. Privacy regimes like the EU’s GDPR put all the responsibility on companies when it comes to whom they trust to handle their data. In healthcare, HIPAA’s data requirements apply to any contractor or sub-contractor with access to patients’ personal data.
The coming California Consumer Privacy Act will also require organizations to protect the personal information they hold on individuals – regardless of the business reasons they have for sharing it. CCPA’s protections will cover things even GDPR doesn’t, including biometric information or interactions with a company website or app. Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
Mitigating supply chain risk
In today’s interconnected world of seamless digital buyer-seller relationships, the range of vulnerabilities to cyberattacks is increasing. Businesses may have best-in-class protections in place but need to know whether contractors, sub-contractors, and smaller suppliers further along the value chain are maintaining the same standards.
Whether it is on their own networks, shared with partners, or managed via outsourcing, enterprises need to take control of their sensitive data.
That means ever closer scrutiny of their supply chains, asking important questions about security standards for personnel data, current investments in data loss protection, and the contractor’s processes for ensuring data compliance.
Setting the standards of cyber security for contractors is the only way businesses can safely share personal, business, or customer data with third-party suppliers.
Cyber-criminals will look for every vulnerability to attack an organization. It’s essential to close every gap, down to the last link in the supply chain.