Suppliers are entities (persons, organizations or countries) that
provide products and/or services to other entities. Suppliers are also referred
to as vendors or service providers. In the context of this article, "suppliers"
refers to vendors, service providers, contractors and subcontractors.
Supply chains have become an integral part of modern business operations.
Engagements within supply chains require the sharing of sensitive information and
the provision of access to organizations' information systems. This gives rise to
information security (InfoSec) risks that can be very disruptive to businesses.
It is therefore incumbent on organizations to work closely with suppliers
throughout the procurement process (from onboarding to contract termination) to
manage InfoSec risks. This needs to be embedded in the procurement / vendor
management processes.
InfoSec professionals need to be involved in the procurement process,
with a focus on high-risk contracts, to ensure that appropriate controls are put in
place to mitigate unforeseen circumstances.
Recent surveys have shown that most data breaches are caused by third
parties. Deloitte has reported that, between 2013 and 2016, 87% of businesses
experienced disruptive incidents with third parties. According to Symantec's
2019 Internet Security Threat Report, supply chain attacks increased by 78% in
2018. Third-party vendor involvement was one of the major contributing factors
to data breaches. Data breaches caused by third parties increased the cost of a
data breach by over US $370,000 (Ponemon Institute, 2019).
Recent breaches due to suppliers
Hundreds of data and InfoSec breaches have occurred globally through
suppliers. The following are some of the major breaches in 2019 and 2020.
In 2019, personally identifiable information (PII) of about 12 million
patients of Quest Diagnostics was exposed via its vendor, American
Medical Collection Agency. Three terabytes of confidential FBI information were
exposed to the public via the Oklahoma Department of Securities. Cultura Colectiva
exposed over 540 million records of Facebook users' credentials and comments.
Plaintext passwords and email addresses of over 20,000 Facebook users were
exposed via a supplier named At the Pool. Payment card details of several
customers of Focus Brands Inc. were exposed via its point of sale (POS) device
vendor.
In early 2020, thousands of Instagram credentials were exposed through
its supplier, Social Captain. PII of 1.7 million Nedbank customers was
exposed through its supplier, Computer Facilities (Pty) Ltd. Also, PII of
General Electric employees was exposed through its supplier, Canon Business
Services.
Standards, frameworks and regulations
The need to conduct InfoSec risk assessments of suppliers is an
international best practice, adopted by several standards, frameworks and
regulations.
The 2011 Information Security Forum (ISF) Standard of Good Practice for
Information Security (CF16.1.7) states, “The information security status of
each external supplier should be assessed / validated on a regular basis, using
a consistent and approved methodology (e.g. based on an industry standard).”
The ISO/IEC 27001:2013 standard (A.15.2.1) states, “Organizations shall
regularly monitor, review and audit supplier service delivery”, of which
information security forms part.
The 2018 Bank of Ghana Cyber & Information Security Directive
(Section 88 (1c)) states, “An institution shall conduct a risk survey of a
service provider and/or business partner at least annually.”
The National Institute of Standards and Technology (NIST) Cybersecurity
Framework version 1.1 (ID.SC-4) states, "Suppliers and third-party partners are
routinely assessed using audits, test results, or other forms of evaluations to
confirm they are meeting their contractual obligations."
COBIT 2019 framework (APO10.05) states, "Periodically review
overall vendor performance, compliance to contract requirements and value for
money."
It must be noted that the contractual requirements or obligations of
suppliers also include the information security obligations stipulated in
contracts.
Procedure for conducting supplier InfoSec risk assessment
Figure 1 shows the general procedure for conducting InfoSec risk
assessment of suppliers.
Figure 1: Procedure for conducting supplier risk assessment
Such assessments can be done remotely (through questionnaires) and/or on
the premises of suppliers. However, conducting the assessment via
questionnaires only may not be very effective, although it is a good starting
point.
There are also third-party cyber risk assessment tools, which can be
used to complement this process. These tools automatically collate and
analyze third-party cyber risk through passive scanning to provide a risk
rating.
Importance of conducting supplier InfoSec risk assessment
The importance of conducting supplier InfoSec risk assessments cannot be
overemphasized. The following are some of the benefits of undertaking the
assessment:
- It enhances the ability to maintain the confidentiality, integrity and availability of the organization's information.
- It increases reliance and confidence in dealing with suppliers.
- It significantly reduces the exposure of organizations, their customers and their suppliers to information security risks.
- It provides organizations with a competitive advantage.
- It ensures compliance with standards and with regulatory and contractual requirements.
- It significantly reduces financial, reputational and operational risks to organizations.
Conclusion
Research has shown that many InfoSec breaches occur through
suppliers. Despite the huge security investments and controls implemented by
organizations to safeguard themselves, they can easily be compromised through
their suppliers. It is in the utmost interest of organizations and their
stakeholders to ensure that their suppliers are as secure as themselves.
Suppliers need to ensure that the InfoSec clauses/requirements contained in
contracts with their customers are strictly adhered to. They need to provide
full cooperation to their customers when it comes to such assessments, because
it is also in their own interest to be secure.
Author:
Sherrif Issah – (IT GRC Consultant @ Digital Jewels Ltd., and Editorial Board Member of
IIPGH)
For comments, contact author mysherrif@gmail.com | Mobile: +233243835912