Cybercrime has evolved exponentially in recent decades.
The 1990s saw an explosion of viruses and malware, and the trend did not stop there: annual incidents rose from thousands early in that decade to several million by the mid-2000s.
Driven by technological advances, societal changes and the increasing value of digital assets, that trajectory has only continued to rise, with cyber threats increasing both in volume and sophistication.
Statista estimates the current global cost of cybercrime at $8.15 trillion. In other words, if cybercrime were a country, it would be the world’s third-largest economy, trailing only the U.S. ($27 trillion) and China ($18 trillion).
Cybersecurity has had to evolve at speed to stem the growing threat from cybercriminals, who keep finding creative ways past stronger defenses. Their repertoire has broadened accordingly, with distributed denial of service (DDoS) attacks, phishing and, more recently, crypto-jacking now mainstream.
Supply chain attacks are becoming more widespread, with cybercriminals infiltrating a company’s increasingly broad digital ecosystem at its least-secure points. Critically, they exploit the trust relationships and interdependencies between enterprises and their digital service providers: a single compromised provider reaches every customer that trusts it, which is what makes these attacks particularly challenging to defend against.
Recent examples of supply chain attacks include the Okta, Change Healthcare and Home Depot breaches. But how prevalent are these threats for the average business?
To understand the extent of the issue, ISMS.online conducted a survey of 1,526 security professionals. In the case of U.S. businesses specifically, more than four in 10 (43%) have been subjected to a partner data compromise in the last year, with as many as 84% having experienced at least one security incident originating from their supply chain or third-party vendors in the previous 12 months.
Considering the sheer volume of cases, it’s no surprise that managing vendor and third-party risk has emerged as the top challenge among U.S. information security professionals, cited by 37% of respondents. Indeed, the impacts of supply chain attacks can be severe, ranging from data breaches and reputational damage to operational disruptions, financial losses and regulatory penalties.
Supply chain threats are not only more widespread and harder to reason about than weaknesses inside an organization’s own perimeter; they are also being exploited by cybercriminals with increasing frequency.
For those feeling the pressure, the message is clear: As supply chain threats grow, firms must recognize that their security is only as strong as the weakest link in their networks of suppliers and partners.
Best-Practices Frameworks
Strengthening that chain is critical, yet many organizations struggle to pinpoint where and how to focus their efforts. Several best-practice frameworks can help companies manage the growing risks posed by expanding third-party engagements.
ISO 27001 is an international information-security management standard that provides a structured approach to safeguarding information assets. According to the International Organization for Standardization, ISO 27001 “helps organizations become risk-aware and proactively identify and address weaknesses,” and “promotes a holistic approach to information security: vetting people, policies and technology.”
For that reason, ISO 27001 is well-suited to managing third-party risk: it can be used to define the security requirements that vendors must meet before they are trusted with sensitive information, and to check that they keep meeting them.
ISO 27001 lays out specific controls to make sure everyone in the supply chain is on the same page about security. In the 2022 edition of Annex A, control 5.19 (information security in supplier relationships) requires the organization to define and implement processes and procedures for managing the risks of using suppliers’ products and services, and 5.20 (addressing information security within supplier agreements) requires the relevant security requirements to be established and agreed with each supplier in the contract.
Annex A 5.21 extends this to the ICT supply chain, requiring processes for managing the information security risks introduced by the chain of ICT product and service providers behind a direct supplier, and 5.22 requires the organization to regularly monitor, review, evaluate and manage change in suppliers’ security practices and service delivery. Together these keep the information security management system (ISMS) consistent across organizational boundaries. Note that the standard does not bind third parties directly; it is the organization’s agreements with its suppliers that flow the requirements down.
These four controls sit in the organizational group of Annex A (section 5), alongside the people (section 6), physical (section 7) and technological (section 8) control groups, so the standard treats supplier risk as a governance matter rather than a purely technical one. By following them, companies can protect data both within their own operations and when working with external partners.
Advocating best practices is one thing. Translating them into actual guidance is another. In the case of ISO 27001, an effective third-party risk-management program centers on three key components:
- Risk-assessment procedures: Conducting regular and thorough evaluations of third-party vendors to identify potential security risks.
- Due-diligence processes: Implementing rigorous vetting procedures before onboarding new suppliers, to confirm they meet the security requirements the organization has set under its ISO 27001 program.
- Regular audits: Performing ongoing audits of third-party vendors to verify and maintain continuous compliance with established security standards.
These components are integral to a successful third-party risk management strategy, ensuring proactive management of all potential security risks. However, it is also essential to understand how these components should be effectively managed in practice.
Embracing a Well-Equipped ISMS
Here, the adoption of an ISMS is paramount. Such platforms integrate third-party risk management by methodically identifying, evaluating and addressing security risks linked to external suppliers.
Annex A 5.22 requires the organization to monitor and review its suppliers’ security practices and service delivery on a regular basis; an ISMS platform supports this by holding the pre-defined security criteria for each supplier and scheduling the periodic assessments against them.
Effective documentation is equally crucial for compliance and audit purposes. An ISMS platform can hold the records of all third-party interactions, including risk assessments, the security requirements stipulated in contracts and the results of ongoing performance monitoring, so that an auditor can trace each supplier from onboarding through review. Maintained in this way, the records lay the foundation for stronger internal security measures, rigorous partner and supplier vetting, sound partnership agreements and a culture of continuous improvement.
Given the growing threat of supply chain attacks, it’s imperative that companies embrace cybersecurity best practices both internally and among suppliers, service providers and other partners.
Now is not the time to stand still: taking the necessary steps to protect your organization from continually evolving supply chain threats must be made a priority today.
Sam Peters is chief product officer at ISMS.online.