{"id":6390,"date":"2021-03-05T19:36:30","date_gmt":"2021-03-05T17:36:30","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=6390"},"modified":"2021-03-05T19:36:32","modified_gmt":"2021-03-05T17:36:32","slug":"how-to-manage-third-party-risk-in-the-supply-chain","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/how-to-manage-third-party-risk-in-the-supply-chain\/","title":{"rendered":"How to manage third-party risk in the supply chain"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 3<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<h2 class=\"wp-block-heading\"><strong>From third-party risk assessments to multifactor authentication, follow these steps to ensure suppliers don&#8217;t end up being your enterprise cybersecurity strategy&#8217;s weakest link.<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/onlineImages\/Cobb_Michael.PNG\" alt=\"Michael Cobb\"\/><\/figure>\n\n\n\n<p>By <a href=\"https:\/\/www.techtarget.com\/contributor\/Michael-Cobb\">Michael Cobb<\/a><\/p>\n\n\n\n<p>The recent SolarWinds supply chain hack has affected public and private organizations worldwide, but this type of attack is not new. 
The Target, Home Depot, Boston Medical Center and PNI Digital Media data breaches are all instances where malicious actors took advantage of security weaknesses in the supply chain to compromise more heavily defended or more valuable networks.<\/p>\n\n\n\n<figure class=\"wp-block-pullquote\"><blockquote><p>Stolen login credentials, certificates and keys are often at the root of these attacks, enabling hackers to open the door to their smaller or less security-aware targets&#8217; internal networks.<\/p><\/blockquote><\/figure>\n\n\n\n<p>The\u00a0SolarWinds incident\u00a0shows, however, that even highly secure providers can be used as a steppingstone when extremely skilled hackers are involved. To mitigate this potent threat and other threats like it, every organization needs to learn how to manage third-party risk.<\/p>\n\n\n\n<p>Here, learn what to expect and require from any third party connecting to enterprise systems to create a vetted and trusted security-aware supply chain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Verify partners&#8217; controls and certifications<\/strong><\/h3>\n\n\n\n<p>Organizations must require subcontractors, vendors and supply chain partners to meet the certification requirements of appropriate compliance standards, such as ISO 27001, PCI DSS, HIPAA and ITAR. This will demonstrate that at least a certain level of IT security is being met.<\/p>\n\n\n\n<p>Note, however, that gaining these accreditations may be too costly for smaller companies. In this case, their policies and practices should be contractually obliged to meet the organization&#8217;s own security standards. 
Asking for a\u00a0System and Organization Controls 2 report\u00a0is a good place to start, as it covers how a business oversees security, availability, processing integrity, confidentiality and privacy of a system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Perform third-party risk assessments<\/strong><\/h3>\n\n\n\n<p>Even with certifications and compliance standards assurances in place, a\u00a0third-party risk assessment\u00a0should be performed on each supplier to identify exactly which types of security controls and monitoring are required. An annual third-party audit should be conducted to ensure these controls are in place and working correctly. Where this is not possible, agree on a mechanism capable of monitoring compliance.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/onlineimages\/security-supply_chain_attack-h.png\" alt=\"\"\/><figcaption><strong>A sample supply chain attack.<\/strong><\/figcaption><\/figure>\n\n\n\n<p>Be sure to make risk assessments information-driven rather than supplier-centric. This approach makes assessments easier to repeat across different vendors. Assign an assurance level to each application handling data. 
<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>To determine the security controls required before access can be granted, base those assurances on business risk factors, such as sensitive information disclosure, personal safety, reputation damage, financial loss, operational risk and legal violations.<\/p><\/blockquote>\n\n\n\n<p>As stolen credentials are often used to gain a foothold in a network,\u00a0multifactor authentication\u00a0should be mandatory for access to any shared resources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Map flow of traffic and critical data<\/strong><\/h3>\n\n\n\n<p>Security teams must agree on a well-defined strategy that governs access to the organization&#8217;s internal resources. This should be based on the\u00a0principle of least privilege\u00a0and strictly map the flow of traffic and critical data to enable efficient monitoring of supplier access.<\/p>\n\n\n\n<p>This monitoring should &#8212; at a minimum &#8212; be able to detect threats, unusual activity and data exfiltration. <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Network segmentation and compartmentalization, or the use of parallel networks to run supply chain applications, will also help to build a more resilient environment able to detect, deny and disrupt an attack.<\/p><\/blockquote>\n\n\n\n<p>With regard to data sharing, it is important to contractually agree on what information can be shared and with whom, as well as\u00a0who maintains ownership\u00a0of the data and what is considered acceptable use. 
In addition, all members of the supply chain should be required to encrypt data at rest and data in transit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Additional steps<\/strong><\/h3>\n\n\n\n<p>Beyond certifications, risk assessments and data management,\u00a0security awareness training\u00a0and social engineering assessments are also important to ensure all personnel in the supply chain have received appropriate training.<\/p>\n\n\n\n<p>To be prepared for the worst, organizations can also periodically test off-site data backups and disaster recovery plans; this should include test scenarios with suppliers. Both parties must have a plan to notify the other if their network, systems or data have been compromised or if a breach is suspected so there can be a coordinated response.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Security is only as strong as the weakest link. While securing your supply chain may seem rather onerous, failure to do so could prove far more costly. Marriott&#8217;s\u00a0failure to perform due diligence\u00a0on its subsidiary Starwood&#8217;s IT infrastructure has been specifically singled out in litigation following a data breach that affected up to 500 million guests.<\/p><\/blockquote>\n\n\n\n<p>Supply chain and third-party risk management must be embedded within procurement and vendor management processes with clear metrics and service-level agreements governing application and data security. 
Although these steps will not guarantee complete security of sensitive data, they will make the supply chain stronger and the organization less likely to become the victim of a supply chain-based attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 3<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>From third-party risk assessments to multifactor authentication, follow these steps to ensure suppliers don&#8217;t end up being your enterprise cybersecurity strategy&#8217;s weakest link. By Michael Cobb The recent SolarWinds supply chain hack has affected public and private organizations worldwide, but this type of attack is not new. The Target, Home Depot, Boston Medical Center and PNI Digital Media data breaches<\/p>\n<p><a class=\"more-link\" href=\"https:\/\/tekmart.co.za\/t-blog\/how-to-manage-third-party-risk-in-the-supply-chain\/\">Read 
More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[219,35,4,30,3,167,11],"tags":[],"class_list":["post-6390","post","type-post","status-publish","format-standard","hentry","category-ctos-quick-reads","category-data-center-facilities","category-datacenter-news","category-expert-advise-and-opinion","category-industry-news-and-expert-advise","category-information-security-threats","category-it-management"],"_links":{"self":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/comments?post=6390"}],"version-history":[{"count":1,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6390\/revisions"}],"predecessor-version":[{"id":6391,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6390\/revisions\/6391"}],"wp:attachment":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/media?parent=6390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/categories?post=6390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/tags?post=6390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}