Supply chain is evolving, making managing third-party supply chain security risks a must for a strong security strategy. Where it has traditionally been about the distribution of products, it is now just as much about the collection and distribution of data. This highly complex network of systems and vendors comes with a whole new list of information security risks. The statistics are alarming: 56% of companies have had a third-party breach, but only 34% of companies keep a comprehensive list of vendors and only 35% of companies believe that they have robust third-party risk management procedures in place.
Examples of Cybercrime
Even the largest companies that profess to prioritize data security have been victims of data theft. In 2013, a third-party vendor for Target was the weak link in supply chain security for Target, affecting 41 million customers and costing Target over $200 million. The Equifax breach in 2019 was blamed on two different outside vendors. One source of the breach was a third-party software and the other was a third-party website link containing malware. In June of 2019, photos of travelers and their license plates were accessed at a vendor of the U.S. Customs and Border Protection, proving that even the government isn’t immune to data breaches from third-party vendors.
Vendors Used as Access Points
Cybercriminals are seeking specific platforms with known security vulnerabilities, using malware on websites, and targeting hardware with weak security to gain access to personal data, credit card numbers, and intellectual assets. The source of the attack, the third-parties, is a strategic move on the part of the cybercriminals. The vendor is not the actual target of the breach, it is only the conduit to the valuable data of the intended target. Professional services firms are increasingly becoming popular pathways for a data breach to reach their high-profile clients.
Cloud computing has also added additional security risks for companies. Software and even hardware are now cloud-enabled, allowing performance reports to be transmitted to the manufacturers. The unintended result of this proactive step is that it can create a backdoor to your sensitive data. A business is only as secure as the weakest link in its supply chain.
Planning for Risks
The first step in evaluating your company’s risk from third-party security is to assess the risk at every single supplier. According to a study sponsored by Opus Global, reviewing and scoring the security and privacy policies of all vendors can reduce risk by 20%. Part of that assessment must include exactly what information each vendor has access to. It is often the most innocuous source, a small business like a delivery service for example, that has the poorest IT security practices in place.
Another important step can be requiring all vendors to be compliant with data security standards. Examples could be the Cyber Essentials Scheme in the UK, HIPPA for medical suppliers, or PCI-DSS in the US. One of the most important steps is to ensure that your own company has strong security practices in place, including threat detection. Deception technology can uncover policy violations and lures that encourage those violations as well.
To learn more about third-party cyber risk and what you can do to protect your business, contact the information security leaders at Hancock & Poole Security today.