Lone hackers, rogue nations and cybercrime syndicates have a big agenda in common: Alone or collectively, they can bring the global supply chain to its knees. And one of the biggest factors that should strike fear in the heart of every leader is that most hits aren’t caused by a breach in the organization itself, but are the result of vulnerability in a third-party supplier.
Research by Zac Rogers, assistant professor of supply chain management at Colorado State University, indicates that two-thirds of breaches are a result of a supplier or third-party vulnerabilities. Soha Systems, now Akamai Technologies, reported a similar finding to National Defense magazine.
Walmart, Equifax, Apple, Target, CVS, CNN and many others lead the hit parade of cyber strikes, resulting from the need to share access to IT infrastructure and data, but the risks can be huge to any size of organization. At the broadest level, the results could be catastrophic on a global scale.
Among all new and growing efforts to combat supply chain cybercrime, one of the first and most powerful points of leverage involves greater transparency and streamlining of the vendor security profiles that every organization possesses. These must be provided to partnering organizations before deals can be completed, and meaningful co-alignment of commerce and work can begin.
Why have vendors not been more proactive about unifying these efforts before now? Safely controlling access to documentation for security and compliance has been a challenging hurdle to climb. And the quality of vendors’ actual cybersecurity preparedness has been less of an issue than surmounting the logistics of compiling the information in a more uniform way and making it easy to share.
For example, most prospective buyers and sellers need to execute a non-disclosure agreement with each other before proceeding to the deeper details of the vendor’s security posture (such as a SOC 2 Type II Report). But on a third-party network, members can automatically execute an NDA as a part of the sharing process, and set controls around who should have access to their security documentation and for how long.
Cybersecurity is perhaps the area that can benefit most from this kind of correlation, but as supply chains progress, efforts like this may become more prevalent in other sectors as well.
Whistic and RiskRecon recently conducted a survey of more than 500 cyber risk and infosec practitioners, and reported their findings in a report on “The Modernization of Cybersecurity.” Their findings included the following:
Cyber risk and vendor security management are top priorities. Eighty percent of respondents have cyber risk and vendor security programs in place, and 60% report they have incorporated increasingly more technology into their programs over the past five years.
As the threat of third-party incidents continues to rise, 71% of responding practitioners report their security program metrics not only in buying and selling transactions, but to their internal leadership beyond those who directly support security business functions.
Investment in technology results in increased program maturity. Overall, 64% of respondents report cyber risk and vendor security programs that are either mature or advanced. However, when it comes to program maturity, size matters: 66% of enterprises have advanced stage programs, compared with only 6% of startup organizations, of which 64% have early-stage or non-existent programs.
Trust but verify reigns supreme. On security questionnaires, 53% of respondents trust what their vendors send them. But despite that trust, 61% still consider it vital to verify vendor responses through a trusted third-party validation tool.
"The reliance on third parties is only increasing,” says RiskRecon founder Kelly White. “Organizations must understand the threats coming from their vendor ecosystem. Your organization is only as secure as the vendors you work with."
In all, the importance of validation and correlation with security protocols among suppliers and vendors will only increase as cybersecurity risks continue to climb. Now is the time to streamline and strengthen reinforcements as supply chain providers align.
Jake Bernardes is vice president of security and compliance for Whistic.
Timely, incisive articles delivered directly to your inbox.