Hopefully your company enjoys some long-standing supplier relationships and a network of business partners who consistently over-deliver. While these allies can be a tremendous resource, the ease of your relationship may also lull you into a false sense of security. After all, some of the largest threats to cybersecurity happen as information flows both in and out of your internal network to others.
When someone hacks your system through a link established with an outside partner, it’s called a supply chain, value-chain or third-party attack. As more and more data has moved online and business has gone digital, these types of attacks have only increased, and the news is rife with these incidents. It was lax security at an HVAC vendor that led to the high profile Target breach in 2014. When Equifax data was compromised in 2017, the company first blamed the software of an outside supplier and then a malicious download link from another. But do the consumers who lost data in either of those breaches blame the vendors? Of course not; they blame Target and Equifax.
According to a recent survey by the Ponemon Institute, 56 percent of organizations say they’ve suffered a breach caused by a vendor. That’s not necessarily a surprising statistic when you also consider that organizations have an average of 471 third-party connections that put sensitive information at risk–that’s a lot of potential breach points. The risk is compounded further by the survey finding that only 35 percent of companies even have a comprehensive list of all vendors with access to their internal data.
If you’re simply giving business partners your technology trust, that’s a dangerous approach to a very real threat. Instead, start with these basic principles of third-party cybersecurity:
- Identify and regularly update the list of suppliers who have access to corporate and customer information.
- Include security in your supplier service agreements and request a written review of all security and privacy policies. Not only does this oversight help with compliance rules and regulations, you can also reduce breach incidents by 20 percentage points, according to Dov Goldman, VP for innovation and alliances at Opus Global, Inc.
- Realize that your biggest supplier relationships might not present the biggest risk. Don’t overlook your smallest partnerships.
- Consider asking vendors to perform self-assessments, allow customer visits or audits, or purchase cyber insurance. If they balk, it may be an indication of lax policies.
- Because cybersecurity is ever evolving, you’ll also need ongoing monitoring, such as third-party monitoring software.
We understand that the thought of third party access to your data can be overwhelming—as if it’s not intimidating enough to manage your own internal threats to cyber security. Yet the threat from outside vendors demands your attention. If you’d appreciate a sounding board for ideas, want a quick review of your current policies, would like some recommendations or simply have some questions, don’t hesitate to contact your MJ consultant directly or call us at 317-805-7500.