Last month, Asus revealed hackers had broken into its servers and malicious code had been pushed out to its customers as part of a supposedly safe routine software update. Kaspersky Labs, which detected the attack, estimated that 57,000 people received this update. This recent supply chain compromise is an example of how sophisticated and relentless hackers can be, even when protocols and firewalls are in place to protect against such an event.
How common are vendor related supply chain cybersecurity attacks?
This incident is just one of many examples of vendors being susceptible to hackers and causing supply chain risk for their customers. According to the Opus and Ponemon study of more than 1,000 CISOs and other security and risk professionals across the United States and the United Kingdom, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. The percentage is even higher in the U.S. at 61 percent. What is even more surprising is that 22 percent of respondents admitted they didn’t know they’d had a third-party data breach in the past 12 months.
Even if your business has worked hard to safeguard its own IT infrastructure, outside vendors represent a disproportionate level of risk to your organization when your supply chain is not properly protected. Vendors and suppliers can have direct connections to your company’s networks or systems, including ordering, billing, and process management systems, among others. Knowing this, it’s important to understand what precautions your vendors take to protect your information. Here are questions to ask your current and prospective vendors about safeguarding your data from cyber-attacks.
Key Questions to Ask your Vendors
1. Does your organization have policies and procedures that clearly define how to prevent security incidents, and how to detect and contain them should they happen?
The first step is identifying whether the vendor is taking active steps to prevent, detect, and contain security incidents. To demonstrate this, they should be able to provide the policies and procedures they follow to keep your data safe. Ask about the details of their cybersecurity program and the methods they use to prevent and detect security breaches.
2. Does your company have a dedicated security team?
Large vendors typically have dedicated cybersecurity teams and mature security measures, but this might not be the case for a small company. Some companies cannot afford in-house security teams, so it’s important to find out whether they have outsourced security to a third-party provider. If they are using a third-party provider, ask for details and references. Additionally, it’s important to know your point of contact in the event of a cybersecurity breach so you can efficiently obtain updates and a course of action.
3. What security standards and/or frameworks do you follow?
There are multiple standards companies must adhere to depending on their industry. Some examples are HIPAA, GDPR, PCI, SOX, and DFARS. Depending on the type of service they are providing, the vendor may have to follow the same standards as your company. For example, HIPAA compliance contains standards that must be applied to safeguard and protect electronic Protected Health Information (ePHI) both at rest and in transit. These rules apply to any person or system that has access to this information. If the vendor is handling ePHI, they will also need to make sure they are meeting the technical, physical, and administrative safeguards that come with HIPAA compliance. For non-regulated industries, it’s still important to understand whether the vendor has a systematic approach to security and what framework they are using, such as NIST, CIS, or ISO, to name a few. Ask the vendor what risk framework they adhere to. Finally, don’t be afraid to ask for proof or documentation of their ongoing security efforts as they relate to that framework.
4. Do you have security/cyber liability insurance?
According to Statista, the estimated value of cyber insurance premiums worldwide in 2020 could reach 7.5 billion U.S. dollars.
Having cyber liability insurance shows the vendor is taking a proactive approach to security and to safeguarding your information. This type of insurance covers property losses and liability that might occur when an organization participates in technology-facilitated activities, such as collecting data or selling goods online. The coverage typically includes, but is not limited to, liability for a data breach in which sensitive information is exposed or stolen by cybercriminals.
Cyber liability insurance can cover expenses related to the following:
• Data recovery
• Helping clients remedy personal identity theft
• Notifying customers about the breach
• Repairing damaged computer systems
• Legal fees and expenses
5. Do you regularly perform vulnerability tests and/or security monitoring?
Companies should perform security testing to identify vulnerabilities within their systems. At the very least, the company should run automated vulnerability scans, which help protect against the simplest forms of attack by alerting them to known weaknesses. A deeper review, such as a penetration test, can also be done to demonstrate how potential attackers could exploit weaknesses within specific systems, applications, websites, or devices.
6. What security training and testing do your teams receive?
In addition to testing its systems, the company should also invest in training its employees to protect their own environments. Security awareness training not only informs and educates employees about IT security best practices but also includes in-house simulated phishing campaigns to test what they have learned.
7. Where are you storing my data?
You should have a general idea of the security controls in your vendor’s environment, and you should insist that they include controls for isolating and protecting your data.
8. Is data encrypted, including data that is backed up?
Encryption is one of the most effective ways to protect data, especially when it is being stored or transferred. Backups are also an important element to ask about: you should understand how often backups are taken, where they are stored, and what security measures are in place to protect them.
9. Do you have a business continuity and disaster recovery plan in place?
Comparable to cyber liability insurance, a business continuity and disaster recovery plan shows how prepared a company is in the event of a cyber-attack or a disaster. An active information security team can make a huge difference when it comes to sharing relevant threat data and detailing exact plans to minimize financial loss. Being vigilant pays off: the Ponemon Institute found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148.
A third-party data breach could come at a high cost for your business, with both short-term and long-term impacts. Don’t wait until it’s too late to protect your company. Our IT security experts are available to help your business achieve the highest possible level of cybersecurity protection. Contact us today by calling (877) 598-3999 or emailing firstname.lastname@example.org.