Is it your job to improve your supplier's security?
Steve Stobo
I help businesses reduce risks, improve efficiency, cut costs, and gain a competitive edge | ISO Standards and Certification | Cyber Security | Risk Management
We have all seen the recent press about third party attacks within our supply chains, and we may feel from all the recent attacks (and coverage) that this is a relatively new phenomenon. Maybe the hackers are looking for the "weakest link" within the ecosystems of their targets and looking to capitalise on its perceived lack of security.
But if you look at just a few of the recent attacks, like SolarWinds and SITA, both happened to companies who have no doubt invested massively in cyber security over the years and who could never be described as the "weakest link". Nonetheless they were still attacked, and those attacks had a huge consequence for the companies that used their services.
Look at some of the other attacks: Tesla, SpaceX, Boeing and Lockheed had data exposed by a 3rd party; GE suffered a breach through what most would consider a mundane, low-risk supplier, its human resources document management system, where 200k Personal Identifiable Information (PII) records of both previous and current employees were exposed; even Microsoft had an unnamed partner that handles licensing for its Azure customers breached. The list could go on and on... And again, you would not consider that all of the suppliers to these companies that were attacked had poor cyber security, or were in any way a risk to the businesses using their services or products.
What they did have in common was that they were all part of the companies' extended ecosystems. In today's world, businesses share data, networks, infrastructure, intellectual property and many other forms of information with many third parties to help improve the way they work, to reduce costs and to improve the overall service they provide to their customers, but with this connected ecosystem the risks to them increase significantly.
It's also not just the larger companies that are attacked; it is all businesses that face the onslaught from hackers. Therefore, it's all of your suppliers that are under attack and could pose a threat to your business!
But you already know this, so you will already risk assess your suppliers as part of a Third Party Risk Management (#TPRM) or Supply Chain Management (#SCM) strategy. You could already be using a variety of tools or internal applications and systems to try to understand, and ultimately reduce, your risks. Or maybe you are using a static, point-in-time questionnaire- or spreadsheet-based approach. (But that has no way of validating that the information you have collected is accurate, and it will also be out of date the minute you collect it, ultimately giving you a false sense of security.)
Either way, the problem you now have is that you have lots of information on the cyber security and compliance risks associated with the suppliers you assessed, but what do you do with it? You could contact them and ask them to improve their security, but you would need to be specific about what the issues are, what they need to do, and what the expected outcome should be. It would be hard doing that internally in your own business, let alone dealing with a 3rd party supplier and expecting to get the improvement in security, the reduction in your risks and the required results you want in a timely manner.
"Is it your job to improve your supplier's security?"
No, it should not be your responsibility to tell your supplier how to improve their security. Yes, you can point out the areas you are not happy with, the areas where the risk outweighs your risk appetite or does not meet governance or regulatory requirements, but ultimately it is up to the supplier to sort their own security out.
But you could help anyway, as ultimately you benefit from their improved security.
What if you had a risk assessment platform that can be easily integrated into your TPRM or SCM program, one that examines the domain and infrastructure landscape of a 3rd party ‘passively’, with nothing installed or applied to their environment, and shows the technical risks, compliance risks and probable financial impact to you if they are breached? The platform also automatically generates a remediation report that can be sent to the supplier, outlining the exact steps they need to take to improve their security and showing the potential results of completing those steps. This saves time and effort for all parties, while simultaneously improving the supplier's security and compliance and reducing the risk they could pose to you!
We have also produced a unique program called Rapid Assessment and Monitoring Process (RAMP) where we will work with your suppliers and help them improve their compliance, security, and reduce the overall financial risk to you. This service is free of charge for any suppliers that you licence and runs for 60 days per supplier. We then provide a final report to you showing the overall reduction in your total risks across your entire supply chain.
Why not try it for yourself and risk assess one of your suppliers (or yourself) for free, and see what improvements in security and reduction in risk you could achieve?