This year has gotten off to a great start… if you’re a cybercriminal. Already threats like ransomware are on the rise, with the FBI’s April blog post on the issue showing the prevalence and success of this type of malware. Of course, if you’re not a cybercriminal then this isn’t such a great start. Cyber security, which was once almost an afterthought, is now a critical part of a business strategy and a board level consideration. As our business and vendor eco-systems become ever more connected, through Internet communications and the ensuing Internet of Things, cybercrime considerations can only become even more of a focus for our businesses. This is why it is of paramount importance to extend your security thinking and strategy out into the reach of your vendor eco-system, as you can guarantee that cybercriminals will take advantage of any chink in your armor.
With this in mind, let’s look at some approaches to keeping your vendor relationships optimized for security.
Controlling vendor risk management is the key to creating secure vendor eco-systems. It results in an all-round better way to do business as it increases trust and decreases risk. If done well, it can also bring about more collaborative and productive partnerships that can be used as best practices for other relationships. The following tips are a good place to start on the road to a more secure vendor relationship management program. But the main thing to remember is that this is a process and all good processes need feedback from which to improve.
Before you set out on creating your own vendor relationship security strategy, you should get to grips with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The framework outlines a set of guidelines that give you the starting points for creating a robust security strategy. The five main areas it looks at are: Identify, Protect, Detect, Respond, and Recover. You can read more about this on the Atlas blog.
Having a well thought out security strategy in place is the starting point for creating an extended strategy for your vendor eco-system. Your security strategy must reach out to encompass all of your assets, which includes those shared across that eco-system. Setting out your stall in this way lets you have a clear view of your security needs and allows you to move onto the next part of the process of securing your vendor relationships.
Choosing which vendors can become part of your wider eco-system is part of the process of risk management. This process can also encompass security, by adding security requirements to your vendor due diligence. Knowing how a vendor handles, for example, the sharing of sensitive documents, can give you a heads-up about issues that may occur down the line. Attending to potential vulnerabilities at the point of entry to a partner program can reduce the likelihood of future breaches. Having a partner program and vendor enrolment process that emphasizes the security aspects of the relationship creates an ethos of secure thinking. If a vendor has an issue with this at the start, then they may not be right for your organization going forward.
One of the driving forces in modern cyber security is collaboration. The U.S. government has brought in the Cyber Intelligence Sharing and Protection Act (CISPA), for the purposes of sharing information between commercial and government organizations around security threats; the idea being that a “problem shared is a problem halved”. Not everyone agrees with the tenets of the act, but the concept of collaboration around security issues is a sound one. Having inter-vendor security collaboration will help you to mitigate risks through a program of education and shared knowledge. Even setting up partner program awareness sessions, covering general security training and compliance requirements, can be an important step in ensuring everyone is at the same level of security thinking.
We’ve seen from a number of high profile cyber attacks that the root cause has been poor authentication measures. For example, the Target Corp. attack was due to a third-party (HVAC) vendor being phished: the username and password the vendor used for privileged access to Target’s systems were stolen. If better authentication measures had been in place this could have been prevented, even though the vendor had been successfully phished. There are ways authentication can be hardened against phishing attempts. Second-factor authentication can be applied to many applications, in the form of an SMS text code, a mobile app code, or a hardware token code. If user experience is a concern, then you can use adaptive authentication to ‘up the ante’ in terms of authentication requirements. For example, if you detect that a login request is coming from an internal IP address, then you can apply single sign-on (SSO); but if it comes from a third-party vendor’s IP address, or anywhere else, then you can force the use of a second factor, or even further login credentials, such as the answer to a personal question. In any extended system where your control is at arm’s length, strong authentication should be a serious consideration.
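The adaptive rule described above (SSO for internal origins, a second factor for vendor ranges, an extra challenge for everything else) as a small policy function. This is an added example, not code from the original post; the network ranges and vendor name are constructed placeholders, and the rule that privileged accounts always need a second factor goes beyond the text.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example ranges (assumptions, not from the original post).
# 203.0.113.0/24 is documentation space (TEST-NET-3), used as a placeholder.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
VENDOR_NETS = {"hvac-contractor": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass(frozen=True)
class LoginRequest:
    username: str
    source_ip: str
    privileged: bool  # account can reach sensitive systems


def classify_source(ip: str) -> str:
    """Return 'internal', 'vendor:<name>', or 'unknown' for a source address.
    Anything unparseable is treated as 'unknown' so the policy fails closed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    for vendor, nets in VENDOR_NETS.items():
        if any(addr in net for net in nets):
            return f"vendor:{vendor}"
    return "unknown"


def required_factors(req: LoginRequest) -> tuple[str, list[str]]:
    """Adaptive policy: SSO for internal origins, a second factor for known
    vendor ranges, and an additional challenge for everything else."""
    origin = classify_source(req.source_ip)
    if origin == "internal":
        factors = ["sso"]
    elif origin.startswith("vendor:"):
        factors = ["password", "second_factor"]
    else:
        factors = ["password", "second_factor", "security_question"]
    # Beyond the text: privileged accounts always need a second factor, so a
    # phished credential alone is never enough, whatever the source address.
    if req.privileged and "second_factor" not in factors:
        factors.append("second_factor")
    return origin, factors


if __name__ == "__main__":
    for r in [LoginRequest("alice", "10.1.2.3", False),
              LoginRequest("hvac-svc", "203.0.113.7", True),
              LoginRequest("someone", "198.51.100.9", False)]:
        print(r.username, *required_factors(r))
```

Source IP is a weak signal on its own (it can be shared, proxied, or spoofed at the application layer), so treat it as one input to the decision rather than the only one.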
Don’t go it alone. Most modern enterprise organizations are dealing with tens of thousands of vendors in their supply chains. Manual spreadsheet assessments and required documentation sent and received via email worked just fine when there were only a couple of hundred outside vendors to deal with. As mentioned earlier, supply chains are only getting larger and we are growing more connected over time. To truly pinpoint risks in the supply chain, you must have an automated system on which to conduct vendor assessments and collect supporting documentation.
The world has never been smaller, because of the interconnectedness of almost everything. This is being embraced by vendor platforms too, with Cloud delivery being seen as a way of increasing productivity. This takes your security thinking into a new arena of web-based threats. If you follow the previous five tips to begin the process of securing your vendor relationships, and you use the advice from OWASP on the top ten web threats, then you will be well on your way to having a robust overall security strategy for your eco-system, protecting your own organization as well as all of those in your vendor programs.