If you haven’t already, chances are you will be required in the next year or two to submit proof to a supplier or customer that you are taking all reasonable precautions to secure their data or network when you access them.
Attackers have learned that the easiest way into a large enterprise's trove of data and dollars is often through a smaller supply chain partner that can't afford 24×7 cyber security. As a result, those large enterprises will expect proof that you are securing your own network when you access their network portals and handle their data.
In fact, you might consider requiring that of your partners and commercial customers yourself.
Why should you or your suppliers and customers care about each other’s cyber security practices?
Some of the largest breaches in history started with a compromise of a third-party supplier or vendor, and these supply chain breaches are rising.
- The Target breach that lost 40 million credit cards didn’t start with a sustained hack on Target but with an employee at one of Target’s HVAC vendors opening a bad file attachment that installed malware on that employee’s computer. Using that machine, hackers found the HVAC company’s login credentials to Target’s vendor portal and from there worked their way to Target’s cash registers. When the dust settled, Target lost all of those credit cards, its sales fell 46 percent at one point, and recovery costs exceeded $200 million.
- The Home Depot breach also resulted from a third-party compromise, and the home improvement giant spent more than $150 million in recovery, even after insurance paid $100 million.
- According to the 2017 Ponemon Institute Data Risk Study, 56% of respondents reported they had suffered breaches that began with intrusions at third parties — a 7 percent increase over 2016.
- Cyber criminals routinely hack email accounts to send email to all of that account’s contacts to make the email — laden with infected file attachments or links to fraudulent web sites — appear to be from a known and trusted source.
The SANS Institute has published a document detailing how to establish a supply chain security program at https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.
“Supply chain partners are just as likely to be attacked today as any organization, and if not managed properly, they may afford attackers a back door into the networks of host organizations.”
You can also assure your partners and customers that you have taken appropriate security precautions to protect your network by implementing anti-virus and firewalls, patching software, and Security Awareness Training for your employees.