Supply chains are growing, both in size and in complexity, and more third parties have access to company data than ever before.
With added complexity comes increased vulnerability, and 2017 saw a 200% increase in supply chain attacks. It’s a trend that looks set to continue: attackers will always look for the weakest link, which is often a company's supply chain.
But with GDPR in full force, companies are now ultimately responsible for the security of their data, whether that be held within their own company, or held with a third-party supplier. Security, therefore, needs to be at the forefront of every supplier relationship and it’s now essential that due diligence is carried out before any supplier relationship is entered into.
So, what questions should you be asking your suppliers?
- Do you have dedicated cybersecurity resource?
Large, established companies tend to be more security mature, and often have the budgets to implement complex security measures. However, these aren’t foolproof signs that a company is operating securely.
A more effective approach is to ask whether the company has a dedicated cybersecurity team, how many people are on that team, and who is ultimately responsible for security.
Any dedicated cybersecurity role shows that there is a security focus, and whilst it’s never a sure measure, it does show that security is being taken seriously within your supplier organisation, whatever its size, age or budget.
It must be said that not every company can afford a dedicated security team, and responsibility may sit within another job function, such as the CTO or IT Director. It’s important to understand whether this is the case, and you’ll need to consider whether this arrangement meets your own security requirements.
- What cybersecurity tests are you undertaking and how often?
No company is ever fully secure, and as part of technical security assurance, many organisations carry out timely security testing to identify vulnerabilities, protect critical assets and evaluate the effectiveness of the security measures they have put in place.
Essentially, there are three broad types of cybersecurity test a company can undertake:
- Vulnerability scan - basic automated scanning tools can help protect you from the simplest forms of attack, scanning against a list of known vulnerabilities and alerting you to any weaknesses.
- Penetration test - this is a practical assessment used to demonstrate how potential attackers can exploit weaknesses within specific IT systems, apps, websites or devices. It’s a deeper review, capable of identifying issues that would not be found by an automated solution.
- Red team - this is the most advanced security test a company can employ and simulates a full-scale attack. As such, it’s only undertaken by companies with big budgets, critical information and a history of regular penetration testing.
So, what should you look for in a supplier? It really depends on the type of relationship and the sensitivity of the data being shared.
Red teaming is usually far too advanced, and it would therefore be unrealistic to require it in most supplier relationships. However, as a rule, we would say an annual penetration test and several scans a year is a decent level for the average supplier relationship involving access to sensitive data.
- Do you comply with any cybersecurity standards?
Security standards can demonstrate that suppliers have reached a minimum level in terms of specific and overall security requirements. The two main ones to look out for when it comes to cybersecurity are Cyber Essentials and ISO 27001.
- What disaster management processes do you have in place?
Disasters come in two forms: human-induced, such as infrastructure failure, cyber-attack and conflict; and natural, such as floods, fires and earthquakes.
Preventing such disasters may be impossible; however, companies need to put in place the requisite plans to mitigate the risks and to continue providing service even when the worst does happen.
Take the example of a hosting provider. For many companies their website is key, but what would happen if power supplies were cut to a data centre? Does the hosting provider have a plan in place that ensures customer businesses remain online? It’s these sorts of plans that you might want to see before signing on the dotted line.
- Where will my data be stored and how will this be protected?
Data, even cloud-based data, relies on physical servers to store and distribute information. But where are these servers located, and who has access to them?
Physical security, as well as digital security, needs to be a concern here: you need to ensure your suppliers have put in place robust measures controlling access to server rooms and data centres, so that your data is safe from malicious threat actors.
- Will anyone else have access to my data?
A recent survey found that only 18% of companies said they knew whether their vendors were, in turn, sharing sensitive information with others. Who’s to say a third-party vendor isn’t giving access to a further third party without your knowledge?
It’s also worth asking who would have access to your data from within the supplier organisation: is it restricted to certain privilege levels, or does everyone have access?
The fewer people who have access, the less chance there is of something going wrong.
- How will my data be encrypted and how often will it be backed up?
Encryption is vital when storing and transferring any type of sensitive data; if encrypted data is stolen, it will be virtually unusable by attackers.
With this question, you don’t need to understand much about the type of encryption used, just that the measure is in place and that it is safeguarding your sensitive information.
Backups are another aspect you need to consider. Depending on the type of relationship, you may want to understand how often backups are taken, where they are stored, what security surrounds that data and whether you have access to it.
- What happens to my data when/if I leave?
Just because your relationship with a supplier ends doesn’t mean your data disappears; in fact, suppliers are able to carry on storing data for the ‘shortest possible time’ under GDPR.
“That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).
Your company/organisation should establish time limits to erase or review the data stored.” - EU Commission
This continued storage could pose a security issue, and clear instructions need to be set out in the contract regarding what happens to the data upon termination of the relationship.