You’re Only as Secure as Your Suppliers
You invest a lot in security. You pay security professionals to keep your organization safe. You spend money on the cybersecurity technologies they recommend. You diligently educate your employees about best practices for safe computing.
But what if one of your suppliers has a security breach? Worse yet, what if they get breached and don’t immediately realize it?
Well, that could adversely affect your business in two problematic ways—both of which should motivate you to start thinking about how your portfolio of business risks includes the cybersecurity of your suppliers.
Supplier risk #1: Contagion
One way that the cybersecurity of your suppliers poses a business risk to you is contagion. Businesses increasingly interact through digital channels—passing files back and forth, granting each other access to their networks, and so on. So if one of your suppliers gets hit with malware or other malicious code, that code could easily wind up in your environment too.
Similarly, hackers who infiltrate one of your suppliers’ networks may be able to use whatever access privileges you’ve given that supplier to jump past your perimeter defense into your network as well.
This kind of contagion occurs over and over. In fact, one of the most widespread cyberdisasters in history—the NotPetya malware that first infected shipping giant Maersk’s worldwide network—propagated itself globally in exactly this manner, paralyzing large corporations and SMBs alike as it spread like wildfire across digital business connections.
And the potential for such contagion will only increase as markets become increasingly digital. It’s inevitable. You’re going to do more business with more suppliers, contractors, partners, and customers via more digital channels like email, the web, the cloud, and supply-chain management systems. And that means greater exposure to the business risks associated with cybercontagion.
Supplier risk #2: Disruption
But contagion isn’t your only potential problem if one or more of your suppliers get hit with a cyberattack. The other problem is supply-chain disruption.
After all, you depend on your suppliers every day. If you’re a manufacturer, you depend on them for parts and subassemblies. If you’re a retailer, you depend on them to keep your shelves stocked. If you’re in healthcare, you depend on them for medical supplies. And even if you’re a virtual retailer, you still depend on your web hosting provider and/or all the cloud-based applications you use to run your business.
If one of those suppliers falls victim to an attack, it could be more than just an inconvenience. You lose revenue because you can’t sell. You may permanently lose customers because you can’t meet their needs. Your brand reputation may suffer too—because no one cares that it wasn’t your fault that your supplier failed. They just know that you fumbled the ball.
So a successful cyberattack on a supplier is almost indistinguishable from a successful cyberattack on your own network. Both cost you money, customers, aggravation, and damage to your brand reputation.
A three-point strategy for addressing supplier cybersecurity risk
You can’t protect yourself from supplier cybersecurity risk by doing less business digitally. Digital expansion is a core component of all business growth in the 21st century. Instead, consider the following three strategies for risk mitigation:
Get your own cyberhouse in order. You’ll be far less susceptible to contagion if you diligently adopt proven best practices for defense in depth. Defense in depth means that you don’t depend on your perimeter defenses alone to keep you safe. You also create multiple layers of defense so that hackers can’t easily infiltrate your entire environment—and capture the crown jewels of your company’s data—even if they manage to compromise an individual endpoint or user account.
Set standards for supplier cybersecurity. You demand that your suppliers provide you with the reliable quality, scale, and speed you require. You push your suppliers to give you the best value for your dollar. You avoid suppliers that have a bad reputation or don’t give you the kind of personal attention you expect. Why not also require that your suppliers provide you with evidence that they are sufficiently cybersecure as well?
Require third-party security assessments. It’s one thing to ask suppliers for assurance that they’ve implemented reasonably effective cybersecurity. It’s another thing to have them prove it. But you can get proof in the form of an independent third-party assessment. And if that assessment reveals any security shortcomings, it’s a relatively simple matter for your supplier to remediate them. That way, you can both have a higher degree of confidence that you’re appropriately protected against the diverse cyberdangers that threaten your respective businesses.
Of course, there are a few other ways to mitigate your supplier-related security risks. Cyberinsurance is one. Supplier diversification is another. But insurance companies are going to require cybersecurity assessments anyway. And diversification only increases your risk if you add more suppliers without holding them to a higher security standard.
So don’t wait until one of your key suppliers suffers an attack. Start mitigating the risks that such an attack poses to your business today.
To learn more about how a virtual CSO can help you mitigate your supplier-related business risks, reach out to vCSO Magazine’s editors or contact any of the vCSOs listed in our vCSO Directory.