We are all hearing about increases in supply chain risk, from hacking events to chipsets that send data to foreign entities. But how do we even start to climb the mountain of evaluating vendors to ensure they’re meeting our levels of security standards?
SolarWinds, chipset surveillance, cloud services being offline for weeks on end – all parts of a cybersecurity program’s worst nightmare. As cybersecurity professionals, it is our responsibility to keep up on what’s going on in the industry, but in recent years, new challenges have arisen around supply chain risk. ISACA recently completed a supply chain survey of 1,300 security professionals in which 30 percent of these professionals said the leaders of their organizations did not have sufficient understanding of supply chain risk. While we’re always responsible for protecting our internal environments, those environments have become a mesh of activity, from internally hosted servers to cloud-hosted servers, phones, Software as a Service (SaaS), and myriad other components. With recent attacks hampering these activities, and compromises expanding from the original hack, it’s sometimes hard to determine where our responsibility ends and where the vendor’s responsibility begins.
Supply chain risk management is a challenge, but not one that is impossible to overcome. As with everything we do around cybersecurity, work must be done to ensure that the vendor being chosen for a specific task, service or item is doing their due diligence for preventing a compromise from reaching their customers. Easy ways for vendors to validate their services are to have regular SOC audits performed, be ISO-certified, or provide other certification information to a prospective client to ensure security controls are in place to a satisfactory level.
However, some companies have not adapted to these audits and will need to be questioned in other ways to show their due diligence. Recently I was tasked with creating a vendor risk management form, which all prospective vendors handling company data (including Protected Health Information and Personally Identifiable Information) will be required to fill out and provide back to our cybersecurity team. From there, a risk determination will be made for the vendor to identify if it meets our standard of care and is performing the appropriate actions to protect clients in the event of a breach.
In evaluating what to put in this form, I realized some simple things to think about when assessing a product that can be the basis for creating your own form. With the ISACA supply chain survey discovering that only one in five organizations has a cybersecurity component to their vendor assessments, this is a great way to start working these topics into the project process. This list can also be a starting point for thinking about the supply chain and how it affects your business:
- How critical is this application/product/service/software to your business? For example, if it is an application that holds all your employee’s personal data, you’re going to want to make sure they’re meeting all the requirements of security, data and privacy as required by law, and by your organization. What happens if this system goes offline for an extended period? What is their SLA?
- How critical is the data that the software/product/service/application is providing or storing? The more important the data, the greater the need for understanding the controls in place to protect it.
- Where are the vendor’s headquarters? Where do their staff reside? Do they use equipment from countries that may put malicious chipsets into the hardware of their product to collect data?
- What is the vendor’s disaster recovery plan and notification of breach plans? What is their responsibility to the client within those plans? If the answer is “none,” you may want to consider a different vendor.
- Do some research: how many breaches or incidents of a cyber nature has the company been subject to in the last five years? Was there anything of concern?
Once you have the answers to these questions, you can work to flesh out your own risk management assessment form. There are several great resources online to start from and you can add other questions related to the criticality of your data, privacy laws in your area, and more. If you already have one of these forms but want to add more automation to the mix, many vendors are available to handle the third-party/vendor risk management questionnaires. These are sent out to the client but are then processed through the assessment vendor to provide insights and reports based on the information provided.
Also remember, however, that “offensive operations, oftentimes, is the surest, if not the only means of defense.” (George Washington, 1799) Performing due diligence on the vendor is important but having plans for isolating the vendor in the case of a breach, incident response and business continuity plans, along with ensuring that data backups are available, should all be part of your cybersecurity program development.
A question I’ve been asked when discussing these assessments is, “How far down the supply chain do you go?” And the answer to that is simple: as far as the criticality requires you to. While a government agency may need to research down to the basest chipset to ensure top-secret data doesn’t fall into the wrong hands, does a small company with no PII/PHI handling need the same level of granularity in its assessment? That is the determination that the business will have to make and will also frame the assessment form you create.
As we continue to come together as a globally connected society, supply chain risks will continue to morph and become more entangled. It’s worthwhile to get a handle on your organization’s needs and begin evaluating products to be ahead of future compromises and to protect your environment as best as possible.
As Red Green says, “We’re all in this together.”