When it comes to keeping your business cyber safe, knowing who your suppliers are is critical. According to Forrester research, more than half of all cyber security incidents that occur this year will involve third parties. For business owners that means taking a closer look at your supply chain.
Henry Ward is the principal security adviser, Pacific at Trustwave. He said that while it might sound simple, many businesses don’t know who all their suppliers are.
“You can start with procurement and ask them for a list, but you’ll often have to scan IT suppliers in detail, as well as everything from financial providers to courier companies,” Mr Ward said.
“Many procurement departments vet suppliers only on service or supply charge clip levels and small dollar value suppliers don’t reach the threshold.
“Working out which suppliers matter to your business and assessing the impact that any cyber incident that they experience might have on you is the next step. Many consultants stay with group vendors by criticality, but this can be harder than it seems. Does that vendor have access to company systems, classified data or PII? Assess their criticality – how it relates to your business and how an incident would cause problems for your board, management team or business operations – if you have to pull the plug on a vendor, does your business stop, too?”
Mr Ward suggests asking the right questions of suppliers to gather the appropriate evidence needed to mitigate risks.
“Questions range everywhere from the supplier’s ability to encrypt data, use of MFA, password policies, patching program management, architecture and segmentation, cloud usage and many more,” he said.
“Your assessment questions must be balanced. Too little and you won’t know what’s really going on; too much and you’ll be lucky to get a response from your suppliers.
“More importantly, you should be going further than assessment questionnaires. Ask for evidence – security policy, penetration test reports, certifications like ISO 27001 and SOC2 reports.”