Many organizations never evaluate the security of their supply chain or properly identify the risks in it that could bring their operations to a halt. Recent news coverage shows what a major oversight that is. If one of your suppliers suffers a cyber incident, it can have a direct impact on your operations and leave you scrambling to clean up or recover. In some cases it becomes a breach of your own business, because the supplier held your data or had a connection into your environment.
I try not to use this blog to cover the latest security news. However, I do hope that everyone is keeping current on the stories about who and what has been breached. Never take those stories for granted: dig into the details of how the breach happened and what the resulting impact was, so that you can apply the lesson to your own operations.
An organization's supply chain is vast, even in a small company. Consider some of the high-level vendors the average business uses and the data and access they possess:
HR/Payroll Vendors: These include, but are not limited to, your health/dental insurance provider, 401k/403b provider, payroll processing vendor, outside HR provider, and anyone else that holds information on your employees. A breach at one of these services could delay paying people on time, expose employees to identity theft, and cause other financial losses.
Financial Partners: These include your banks, credit card processing firms, investment firms, creditors, or anyone that you depend on to keep money flowing and your operations running. Any disruption there could mean all wheels come to a stop until it is resolved or your funds are recovered.
CPA/Accounting/Audit Vendors: These include any outside firm that has access to your financials, vendor lists, and company details. If they are breached, it is very likely that your financials will be disclosed and money stolen, for example through fraudulent payment instructions sent in your name.
IT/Cyber Security/Technology Vendors: These include anyone you depend on for outside assistance to maintain the technology in your organization. Make sure to think about printer/copier firms, phone providers, ISPs, cyber security consultants, MSPs, MSSPs, cloud providers, and equipment suppliers. These vendors typically hold remote access or administrative credentials to your systems, so a compromise of one of them is effectively a compromise of every client they serve. They need to meet or exceed your own security standard.
Building Maintenance/Operations: Think about anyone whose equipment in your building is connected to a network. It is far more common than most people realize. Think about HVAC, physical security systems, flow monitors, elevator/lift services, and anything else that is mechanical in nature but connected to a network. Such devices are rarely patched and often share a network with your business systems, so the vendor that services them is part of your attack surface.
Logistics: Any vendor that is responsible for the delivery or maintenance of your materials or fleet. It is quite possible they have a connection to your main business platforms, such as an integration with your ordering or inventory system.
Support Services: These are very common in healthcare but exist in other verticals as well. They include imaging, technicians, third-party processors, transcription services, filing, storage, and so on. If your normal workflow stops without a vendor, that vendor belongs on the list.
Once you have a good handle on who does what and how a failure on their side would affect you, you can start to build the walls around yourself to protect your operations. You need a plan for how you will continue operating in spite of a disruption in the supply chain. Establish a vetting process for every current and future vendor, starting with a questionnaire. A questionnaire that requires vendors to spell out what they are doing to protect your data can be very beneficial. If a vendor refuses to complete it, consider finding an alternative partner that is more open to the idea. The point is not to demand an exhaustive list of details, but to confirm that security is properly built into their operations. Keep in mind that questionnaire answers are self-attested; for the vendors that matter most, ask for evidence rather than assurances.
Take a look at this page to get you started: https://www.halkynconsulting.co.uk/security-resources/downloads/SupplierSecurityAssessmentQuestionnaire.pdf
For strategic and key vendors, ask for a copy of their latest independent security audit (such as a SOC 2 report or a penetration test report) and make sure it is refreshed annually.
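The vetting process described above (inventory the vendors, decide which ones are key, require a questionnaire from everyone, and require a current audit and MFA from the key ones) is easy to lose track of once the list grows past a dozen names. The following is an added example, not code from the original post, of a small vendor risk register that applies those rules. The tiering rule (a vendor is "key" if it holds sensitive data or has a connection into your network), the 365-day audit age limit, the data categories, and the sample vendors are all assumptions chosen for illustration.

```python
"""Vendor (third-party) risk register: tiering and review checks.

Added example; not from the original post. The tiering rule, review
period, data categories and sample vendors are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data categories that make a vendor "key": a breach there hits employees,
# money, clients or access directly (assumption, mirroring the vendor list).
SENSITIVE_DATA = frozenset({"employee_pii", "financial", "credentials", "client_data"})
AUDIT_MAX_AGE = timedelta(days=365)   # audit must be refreshed annually (assumption)
TODAY = date(2024, 6, 1)              # fixed review date so results are reproducible


@dataclass
class Vendor:
    name: str
    category: str                   # e.g. "HR/Payroll", "IT/MSP", "Building"
    data_held: frozenset = frozenset()
    network_access: bool = False    # any connection into your environment
    questionnaire_returned: bool = False
    last_audit: Optional[date] = None
    mfa_required: bool = False      # vendor enforces MFA on accounts touching you


def tier(v: Vendor) -> str:
    """'key' if the vendor holds sensitive data or reaches into the network,
    otherwise 'standard'. Key vendors get the stricter checks in review()."""
    if v.data_held & SENSITIVE_DATA or v.network_access:
        return "key"
    return "standard"


def review(v: Vendor, today: date) -> list:
    """Return the open findings for one vendor (empty list means it passes).
    Every vendor owes a questionnaire; key vendors also owe a current audit
    and must enforce MFA."""
    findings = []
    if not v.questionnaire_returned:
        findings.append("questionnaire not returned")
    if tier(v) == "key":
        if v.last_audit is None:
            findings.append("no security audit on file")
        elif today - v.last_audit > AUDIT_MAX_AGE:
            age = (today - v.last_audit).days
            findings.append(f"audit stale ({age} days old)")
        if not v.mfa_required:
            findings.append("MFA not required for vendor accounts")
    return findings


def register_report(vendors: list, today: date) -> dict:
    """Map vendor name -> findings, listing only vendors with open findings."""
    report = {}
    for v in vendors:
        findings = review(v, today)
        if findings:
            report[v.name] = findings
    return report


# Constructed sample register; the vendors are fictional.
SAMPLE = [
    Vendor("Payroll Co", "HR/Payroll", frozenset({"employee_pii", "financial"}),
           questionnaire_returned=True, last_audit=date(2023, 1, 10),
           mfa_required=True),
    Vendor("Managed IT", "IT/MSP", frozenset({"credentials"}), network_access=True,
           questionnaire_returned=True, last_audit=date(2024, 4, 1),
           mfa_required=False),
    Vendor("HVAC Service", "Building", network_access=True,
           questionnaire_returned=False),
    Vendor("Office Plants", "Other", questionnaire_returned=True),
]

if __name__ == "__main__":
    for name, findings in register_report(SAMPLE, TODAY).items():
        print(f"{name} [{tier(next(v for v in SAMPLE if v.name == name))}]")
        for finding in findings:
            print("  -", finding)
```

Run against the sample register, the report flags the payroll vendor for an audit that is more than a year old, the MSP for not enforcing MFA, and the HVAC vendor (key purely because its equipment is on the network) for all three gaps; the vendor with no data and no network access passes on the questionnaire alone. Swapping the hard-coded list for a CSV export of your real vendor inventory is the obvious next step.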
I believe these vendor onboarding steps will be the standard in the future and are one of the best things we can do to reduce risk for everyone. Call it "Herd Immunity for Vendors". Think about it: what if we all required our vendors to use MFA, undergo security assessments, and remediate the results? The progress we could make in beating back attackers would be tremendous. Attackers would be left to focus on the organizations that are not bringing their A game.
Get your supply chain cleaned up and make sure your vendors are protecting your organization, your employees, your clients, and your ability to do what you do. If we hold the people we pay to a higher standard, they will be forced to figure it out. Too many in the supply chain are neglecting basic security practice in favor of profit.