One of the major themes in cyber security in 2018 was supply chain attacks. Forbes recently reported that attackers have been looking for new ways to compromise their targets because many companies have implemented better internal security controls. Attacking suppliers and partners has proved to be very effective. Many companies have been successfully attacked through their POS payment systems. Others have had sensitive employee data stolen from their payroll and benefits suppliers. Sadly, there are numerous other examples.
If we want to reduce our supply chain risk, we need to pay significant attention to our suppliers and partners. But let’s be realistic — most businesses don’t have the resources to fully vet all of their suppliers. To have the biggest possible impact with available resources, we need to take a risk-based approach. We need to prioritize the vendors that have the most potential impact on our businesses.
Which Vendors Matter Most?
Make a list of your vendors and partners, and consider each vendor against these questions:
- Does the vendor have access to sensitive data like payroll, regulated personal information about customers, financial or trade secrets, etc.?
- Does the vendor have unescorted physical access to your facilities? Vendors such as building managers, HVAC contractors, burglar alarm vendors, and outsourced IT partners may have physical access.
- Is the vendor’s product or service essential to a critical business process?
- Does the product or service affect a high-risk or highly regulated business function?
- Do other vendors provide the same (or similar) products and services, or is this firm’s product truly unique?
If you answered “yes” to one or more of these questions for a vendor, then you should look carefully at that firm’s security.
What Should Businesses Do to Protect Their Supply Chains?
Here are a few ideas for reducing the risk of supply chain attacks on your business:
- Ask your suppliers how they will protect your data or your facilities. Many vendors will be happy to give you a high-level overview of their security and compliance programs.
- Ask your suppliers for evidence of any third party audits of their security and compliance programs. Many vendors hire auditors to review their compliance, and will provide you with a summary audit report upon request. Not only can these reports give you confidence in the supplier’s security, they often contain a list of controls that customers need to have in place when working with the supplier.
- Limit each vendor’s access as much as possible. Give them access only to the data, systems, and facilities that they absolutely must reach to perform their roles.
- Ask your legal advisor to review your contracts to make sure they have appropriate security-related terms and conditions. For example, a contract might require the vendor to notify you promptly when they have a relevant security incident. Similarly, the contract might address liability for security breaches.
- When purchasing sensitive products (e.g., POS payment systems) or services (e.g., outsourced payroll), consider hiring a security consultant to help you evaluate the available products from a security perspective prior to making your purchase.
After a tough year of supply chain attacks in 2018, let’s make 2019 the year of supply chain security!