Businesses rely on vendors for everything from productivity and collaboration tools to big data analytics, finance, and customer information. However, vendor relationships are getting more complicated when it comes to cybersecurity and data privacy. Most organizations that are aware of these challenges are working to create a cybersecurity supply chain risk management program and address third- and fourth-party risk management through a combination of enterprise risk management and strong cybersecurity practices.
Vendors have highly effective solutions and the subject matter experts to maintain and develop them. Businesses that rely on them are happy to reap the benefits of not having to staff additional skill sets, maintain complex infrastructure, and perform routine work that goes along with the systems — and they accept the risks that may be introduced.
This is not a new problem to solve, but rather one to review with some additional context from the past few years of lessons learned from cyberattacks. Recent events have shown how a vulnerable vendor can lead to business email compromise or to the bypass of critical security controls that are designed to protect your organization. Vulnerable software could result in the compromise of, and unauthorized access to, systems and applications that perform key functions. Software and applications could be hijacked while they are being built and then delivered to customers undetected, resulting in unauthorized access and potentially far worse consequences. Good cybersecurity supply chain risk management practices should be developed to identify and mitigate these risks and to ensure a high level of preparedness when an incident does occur.
It’s critical for organizations to understand what vendors are being used and the importance of the offerings for business operations. Developing criteria and a tier for each vendor may provide some initial focus and develop the requirements for a vendor assessment program, including review cycle, security, key performance indicators, and service agreements. Combining this information with a comprehensive asset register will identify where third-party risk is present. The recent log4j vulnerability in the widely used Apache library demonstrated the need to have awareness of vendors and their software components in SaaS, software, and hardware. The log4j vulnerability introduced a persistent and pervasive risk for many organizations.
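The paragraph above describes two registers, a tiered vendor list and an asset register, and the question they answer together: where does a vulnerable vendor component actually touch the business? The following Python is an added example, not code from the original article, of cross-referencing the two. The vendor names, asset names, component versions and the version cut-off are all constructed for illustration; in practice the affected range comes from the vendor's or maintainer's advisory, and the component inventory comes from what the vendor has declared.

```python
"""Cross-reference a tiered vendor register with an asset register to find
where a vulnerable third-party component is in use.

Added example, not from the original article. Every vendor, asset and
version number here is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    tier: int                                     # 1 = most critical to operations
    components: dict = field(default_factory=dict)  # library -> version the vendor ships


@dataclass
class Asset:
    name: str
    vendor: str
    function: str


# Constructed vendor register with the open-source components each vendor
# has declared (SBOM-style). ExampleHR has declared nothing at all.
VENDORS = {
    "ExampleERP": Vendor("ExampleERP", 1, {"log4j-core": "2.14.1"}),
    "ExampleChat": Vendor("ExampleChat", 3, {"log4j-core": "2.17.0"}),
    "ExampleAnalytics": Vendor("ExampleAnalytics", 2, {"log4j-core": "2.3.1"}),
    "ExampleHR": Vendor("ExampleHR", 2, {}),
}

# Constructed asset register: which business function runs on which vendor product.
ASSETS = [
    Asset("finance-ledger", "ExampleERP", "general ledger"),
    Asset("team-chat", "ExampleChat", "collaboration"),
    Asset("warehouse-dashboard", "ExampleAnalytics", "big data analytics"),
    Asset("payroll", "ExampleHR", "payroll"),
]

# Placeholder cut-off, constructed for the example: versions below this are
# treated as affected. Take the real range from the advisory.
AFFECTED_BELOW = "2.15.0"


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Non-numeric suffixes such as '1-beta' are dropped from that part."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def exposed_assets(component: str, affected_below: str, unknown_is_exposed: bool = True):
    """Return (asset, vendor, tier, reason) for each asset whose vendor ships an
    affected version of `component`. A vendor with no declared inventory is
    reported too (until it confirms otherwise) when unknown_is_exposed is set.
    Results are ordered by vendor tier, then asset name, so the most
    business-critical relationships are reviewed first."""
    threshold = parse_version(affected_below)
    results = []
    for asset in ASSETS:
        vendor = VENDORS[asset.vendor]
        if component in vendor.components:
            shipped = vendor.components[component]
            if parse_version(shipped) < threshold:
                results.append((asset.name, vendor.name, vendor.tier,
                                f"ships {component} {shipped}"))
        elif not vendor.components and unknown_is_exposed:
            results.append((asset.name, vendor.name, vendor.tier,
                            "no component inventory declared"))
    results.sort(key=lambda row: (row[2], row[0]))
    return results


if __name__ == "__main__":
    for asset, vendor, tier, reason in exposed_assets("log4j-core", AFFECTED_BELOW):
        print(f"tier {tier}  {asset:<20} {vendor:<17} {reason}")
```

Run as a script it lists the tier 1 ledger system first, then the two tier 2 vendors, one because it ships an affected version and one because it has declared nothing. The second case is the one that matters for the point made above: an asset register only identifies third-party risk when the vendor side of it is populated, so a missing inventory is itself a finding rather than a clean result.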
Developing an understanding of all vendor services in use is important, but it is even more important to consider how the vendor management program can reach its full potential. Ideally, third-party risk management is fully understood and championed by executive leadership while staying aligned to the objectives of the business. Risk acceptance decisions can then be made in accordance with the policies and procedures that have been developed and socialized. The organization can begin to review their maturity and seek ways to optimize process and procedure through automation and data enrichment, providing better analytics, metrics, and reporting.
The adoption of a framework or standard can be a great foundation to build upon. Most frameworks and standards have specific guidance around the management of vendors, the identification of legal and compliance requirements that need to be accounted for, and how these processes fit into the overall risk management framework for the organization. There are opportunities to leverage this information in conjunction with other best practices, such as alignment with a business impact analysis and informing the business continuity planning efforts. High-maturity organizations may even consider requesting that critical vendors attend tabletop exercises to test the vendor's plan during an event and incorporate those actions into their own planning.
As processes and capabilities mature, organizations can look at automating their vendor assessment tools. Assessment questionnaires can be sent automatically at defined intervals, with weighted scoring for each question, giving risk management teams a streamlined way to identify overall risk or the unique circumstances that should be investigated. Third-party vendor-scoring services can provide a constantly refreshed stream of information about a vendor, including data on its patch management program, the security configuration of its externally facing services, and other data points that speak to the efficacy of its security program.
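As an added example of the weighted questionnaire scoring described above (not code from the original article), the Python below scores a set of answers and, separately, surfaces the individual circumstances that a good aggregate can hide: a high-weight control that is missing, or a question the vendor declined to answer. The questions, weights, per-tier thresholds and sample answers are all constructed for illustration.

```python
"""Weighted scoring of a vendor assessment questionnaire.

Added example, not from the original article. Questions, weights,
thresholds and the sample answers are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int   # relative importance; higher weight moves the overall score more


# Constructed questionnaire. Answers are scored 0 (no control) to 4 (fully
# implemented and evidenced). None means the vendor declined to answer.
QUESTIONS = [
    Question("Q1", "Critical patches applied within a defined SLA", 5),
    Question("Q2", "MFA enforced for all administrative access", 5),
    Question("Q3", "Independent penetration test within the last 12 months", 3),
    Question("Q4", "Documented incident response plan tested annually", 3),
    Question("Q5", "Security awareness training for all staff", 1),
]
MAX_ANSWER = 4

# Minimum acceptable score (0..1) by vendor tier; tier 1 is most critical.
TIER_THRESHOLD = {1: 0.85, 2: 0.70, 3: 0.50}


def score_questionnaire(answers: dict, questions=QUESTIONS):
    """Return (score, findings). `score` is the weighted answer total divided by
    the weighted maximum, on a 0..1 scale. `findings` lists the circumstances a
    risk team should look at directly instead of trusting the aggregate."""
    earned = 0
    possible = 0
    findings = []
    for q in questions:
        possible += q.weight * MAX_ANSWER
        answer = answers.get(q.qid)
        if answer is None:
            # A declined question earns nothing and is always worth a look.
            findings.append(f"{q.qid}: no answer given ('{q.text}')")
            continue
        if not 0 <= answer <= MAX_ANSWER:
            raise ValueError(f"{q.qid}: answer {answer} outside 0..{MAX_ANSWER}")
        earned += q.weight * answer
        if q.weight >= 5 and answer <= 1:
            # A weak answer on a heavily weighted control is a finding on its
            # own, even when the rest of the questionnaire pulls the score up.
            findings.append(f"{q.qid}: high-weight control missing or weak ('{q.text}')")
    return earned / possible, findings


def assess(vendor_tier: int, answers: dict):
    """Apply the tier threshold. Returns (score rounded to 3 places, passed, findings).
    A vendor passes only if the score clears its tier and nothing was flagged."""
    score, findings = score_questionnaire(answers)
    passed = score >= TIER_THRESHOLD[vendor_tier] and not findings
    return round(score, 3), passed, findings


if __name__ == "__main__":
    # Constructed responses: a strong tier 1 vendor, and a tier 3 vendor whose
    # aggregate clears the bar but whose admin MFA answer should be investigated.
    print(assess(1, {"Q1": 4, "Q2": 4, "Q3": 3, "Q4": 4, "Q5": 2}))
    print(assess(3, {"Q1": 4, "Q2": 1, "Q3": 4, "Q4": 4, "Q5": 4}))
```

The second sample response is the reason findings are kept separate from the score: at 0.779 it comfortably exceeds the tier 3 threshold of 0.50, yet it reports admin access without MFA, which is exactly the kind of unique circumstance the paragraph says a streamlined process should still bring to a reviewer.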
Cybersecurity supply chain risk will continue to be a prominent topic in 2023. Events have shown that weaknesses exist, and attackers have the means to exploit them — some at massive scale, and some very targeted against specific companies and their customers. It's important for organizations to consider this risk, understand their current capabilities, and continue to develop their cybersecurity supply chain risk management programs.