Suppliers are entities (persons, organisations or countries) that provide products and/or services to other entities. Suppliers are also referred to as vendors or service providers. In the context of this article, "suppliers" refers to vendors, service providers, contractors and subcontractors.
Supply chains have become an integral part of modern business operations. Engagements within supply chains require sharing sensitive information and granting access to organisations' information systems. This gives rise to information security (InfoSec) risks that can be very disruptive to businesses. It is therefore incumbent on organisations to work closely with suppliers throughout the procurement process (from onboarding to contract termination) to manage InfoSec risks. This needs to be embedded in the procurement/vendor management processes.
InfoSec professionals need to be involved in the procurement process, with a focus on high-risk contracts, to ensure that appropriate controls are put in place to guard against unforeseen circumstances.
Recent surveys have shown that most data breaches are caused by third parties. Deloitte has reported that between 2013 and 2016, 87% of businesses experienced disruptive incidents with third parties. According to Symantec's 2019 Internet Security Threat Report, supply chain attacks increased by 78% in 2018. Third-party vendor involvement was one of the major contributing factors to data breaches. Data breaches caused by third parties increased the cost of a data breach by over US$370,000 (Ponemon Institute, 2019).
Recent breaches due to suppliers
Hundreds of data and InfoSec breaches have occurred globally through suppliers. The following are some of the major breaches in 2019 and 2020.
In 2019, the personally identifiable information (PII) of about 12 million patients of Quest Diagnostics was exposed via its vendor, American Medical Collection Agency. Three terabytes of confidential FBI information were exposed to the public via the Oklahoma Department of Securities. Cultura Colectiva exposed over 540 million records of Facebook users' credentials and comments. Plaintext passwords and email addresses of over 20,000 Facebook users were exposed via a supplier named At the Pool. Payment card details of several customers of Focus Brands Inc. were exposed via its point of sale (POS) device vendor.
In early 2020, thousands of Instagram credentials were exposed through its supplier, Social Captain. The PII of 1.7 million Nedbank customers was exposed through its supplier, Computer Facilities (Pty) Ltd. Also, the PII of General Electric employees was exposed through its supplier, Canon Business Services.
Standards, frameworks and regulations
The need to conduct InfoSec risk assessments of suppliers is an international best practice adopted by several standards, frameworks and regulations.
The 2011 Information Security Forum (ISF) Standard of Good Practice for Information Security (CF16.1.7) states: "The information security status of each external supplier should be assessed/validated on a regular basis, using a consistent and approved methodology (e.g. based on an industry standard)".
The ISO/IEC 27001:2013 standard (A.15.2.1) states: “Organisations shall regularly monitor, review and audit supplier service delivery”, of which information security forms a part.
The 2018 Bank of Ghana Cyber & Information Security Directive (Section 88 (1c)) states: “An institution shall conduct a risk survey of a service provider and/or business partner at least annually”.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework version 1.1 (ID.SC-4) states: "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations".
The COBIT 2019 framework (APO10.05) states: "Periodically review overall vendor performance, compliance to contract requirements and value for money".
It must be noted that the contractual requirements or obligations of suppliers also include the information security obligations stipulated in contracts.
Procedure for conducting supplier InfoSec risk assessment
Figure-1 shows the general procedure for conducting InfoSec risk assessment of suppliers.
Figure-1: Procedure for conducting supplier risk assessment
Such assessments can be done remotely (through questionnaires) and/or on the premises of suppliers. Conducting the assessment via questionnaires alone may not be very effective, although it is a good starting point, because responses are self-reported and not independently verified.
There are also third-party cyber-risk assessment tools which can be used to complement this process. These tools automatically collate and analyse third-party cyber-risk through passive scanning of the supplier's externally visible footprint and provide a risk rating.
Importance of conducting a supplier InfoSec risk assessment
The importance of conducting supplier InfoSec risk assessments cannot be overemphasised. The following are some of the benefits of undertaking the assessment:
- It enhances the ability to maintain confidentiality, integrity and availability of an organisation’s information.
- It increases trust and confidence in dealing with suppliers.
- It significantly reduces the exposure of organisations, their customers and their suppliers to information security risks.
- It provides organisations with competitive advantage.
- It ensures compliance with standards, regulatory and contractual requirements.
- It significantly reduces financial, reputational and operational risks to organisations.
Research has shown that many InfoSec breaches occur through suppliers. Despite the huge security investments and controls implemented by organisations to safeguard themselves, they can easily be compromised through their suppliers. It is in the utmost interest of organisations and their stakeholders to ensure that their suppliers are as secure as they are.
Suppliers need to ensure that the InfoSec clauses/requirements contained in contracts with their customers are strictly adhered to. They need to cooperate fully with their customers when it comes to such assessments, because it is also in their own interest to be secure.
(The author is an IT GRC Consultant @ Digital Jewels Ltd., and Editorial Board Member of IIPGH.)
For comments, contact author [email protected] | Mobile: +233243835912