Five Questions to Ask About Third-Party Vendors and Cybersecurity
November 19, 2019
Jeremy Haas & Ryan Bergquist, SCB Contributors

From marketing consultants and supply chain partners to accountants and IT service providers, organizations today depend on all kinds of third parties for virtually every conceivable business function.

According to recent Ponemon Institute research, the unintended consequence of third-party dependencies is that 61% of organizations in the U.S. have experienced a data breach caused by a third party or vendor. Fifty-seven percent of businesses can’t determine whether their vendors’ security policies and defenses can adequately prevent a breach, and fewer than half evaluate the security and privacy practices of vendors before entering into a business agreement that requires the sharing of sensitive or confidential information.

It’s not surprising, therefore, that according to the same research only 16 percent of respondents rated their companies as “highly effective” at mitigating third-party risk. Those who prioritize managing their outsourcing risks are in the minority.

The best time to start reducing third-party risk is at the very beginning of the relationship — before entering into an agreement. That’s when you need to ask critical questions to identify the exposure you’re taking on, and how best to avoid a compromise. Vendors with strong security practices are usually willing to talk about them, while those that avoid such discussions might have something to hide. With that in mind, here are five questions — one to ask internally and four to ask serious candidates — that you should raise when considering a third party:

What data and systems will the third party possess or access? Many third parties won’t have access to sensitive data or systems, so if they experience a breach, the threat to you is minimal. A landscaping vendor, for example, has little access to data or systems, and likely none to the interior of any facility. Perhaps the only computerized network it might touch is an irrigation system, which more than likely is isolated from internal corporate systems. A breach of this hypothetical landscaping vendor would therefore be expected to have little or no impact on you.

An HR provider, finance system or finance vendor, by contrast, is a very different matter. For example, if you hire a consultant to develop customer analytics in support of marketing or business strategy, that entity might have access to company data ranging from customer credit card numbers and home addresses to corporate financials. This type of consultant should be carefully vetted.

What kind of logging and monitoring does the third party do? Logging and monitoring are the primary ways an organization records and responds to activity within its environment. But system and network activity logs are verbose, and in today’s computing environments, composed of many diverse systems and high-bandwidth networks, the volume of log events quickly becomes overwhelming for a human to manage. To properly monitor security events, tools must be deployed to store and triage them. Knowing the vendor’s personnel and tool choices tells you how seriously it takes security. After all, people + tools = money = resources = priorities. Look for partners that prioritize and invest in security.

How does the third party manage both physical and technical access controls? Access controls are one way to reduce vulnerability, and therefore risk. They take two primary forms: physical and technical. In our hyper-connected world, it’s easy to forget the importance of physical controls. You need to identify the physical locations where the third party stores, processes and transmits data, as well as the level of physical security at those locations. If your data is to be stored on mobile devices, it’s important to understand the security controls associated with those devices, since they might not always be in a fixed physical location.

Technical access controls are equally important when assessing systems and networks. Ask how many individuals will have access to your data, and for what purpose. Understand how the third party uses multi-factor authentication, how often membership of the administrator group is reviewed, how often system permissions are reviewed, and how departing employees’ access is removed. In addition, learn how network segmentation practices and tools are used. For example, what controls are in place to isolate production systems from other environments such as the internet? How does the third party segment its internal network?

Often, good physical access controls can compensate for weak technical controls, and vice versa. But best practice is to limit both physical and technical access to data and systems to those individuals needed to provide the service. Lax access controls widen the attack surface and increase your risk.

What approaches does the third party take to patching systems? While unknown or undisclosed vulnerabilities are dramatic and get lots of attention, they are rare. Organizations are more at risk from known vulnerabilities than from unknown ones. As a result, third parties must have robust programs in place to fix known vulnerabilities, by quickly applying security patches that close the flaws or by removing the vulnerable software altogether.

Major software vendors release updates on a regular cadence. In your review of third parties, you need to be convinced that the systems that process, store and transmit your data will receive regular and timely updates, and that expedited processes exist for critical vulnerabilities that require immediate attention.

Does the third party undergo independent audits or testing? What security certifications has it earned? Audits keep organizations accountable. Third parties should self-audit by completing, and keeping current, standardized security questionnaires such as the SIG Lite or the CSA CAIQ. Beyond self-assessments, independent audits give you confidence that the third party is actually following its policies and procedures. Independent audits might include penetration tests or a SOC 2 examination. Some industries have their own certifications, such as HITRUST in healthcare, PCI for payment processors, and FedRAMP for the U.S. federal government. In all cases, independent audits are important, and they show a commitment to maintaining a validated, formal information security program.

Taken together, discussions around these key areas will give you a sense of a vendor’s security posture. If the vendor’s answers are transparent and indicate strategic priority and proactive diligence, you can move forward with more confidence. If the vendor’s security posture is immature, you must either accept the risk or put other mitigations in place to control it.

Don’t let data security be an afterthought. Make it an integral part of product and services discussions. In today’s environment of voluminous and intricate attacks, cybersecurity is a business matter. You must do your due diligence to understand your risk.

Jeremy Haas is chief security officer, and Ryan Bergquist is cybersecurity analyst, with LookingGlass Cyber Solutions.