Third-party and supply chain partners are often the weak link in cybersecurity programs. Because their security measures tend to be weaker, supply chain partners are a favorite target for attackers seeking access to larger organizations. Developing a comprehensive security roadmap and onboarding plan for supply chain partners provides a higher level of cybersecurity integrity.
According to the Ponemon Institute, 75% of IT professionals surveyed acknowledged the risk of a breach through a third party is dangerous and increasing. More specifically, 63% of all data breaches can be linked either directly or indirectly to third-party access according to Soha Systems. The average cost of these breaches for U.S. companies according to the Ponemon Institute — after adding up fines, remediation and loss of customers — was US $7,350,000.
Relying on third-party suppliers and supply chain partners to bring their own security measures, with varying protocols and controls, often creates an approach that is prone to errors and cyber security weaknesses. According to Shawn Waldman, CEO of Secure Cyber Defense, “Patchwork cyber security programs have led to substantial breaches because companies don’t have plans and processes in place to properly manage 3rd party or vendor access to a network. Establishing a centralized security process for any third party vendor who has access to your network, and what exactly they have access to, will pay off heavily in the end.”
Finding and exploiting gaps in third-party vendor security measures and programs is exactly how attackers seek to gain access to corporate systems. Assessing and rating the potential impact of a data security breach at each supplier is a good first step in prioritizing where to focus time and attention. Organizations need the ability to monitor, identify risk and isolate threats across all the systems accessing their network, concentrating on those that pose the most significant risk to highly sensitive customer and financial data. It isn’t enough to evaluate third-party suppliers once; organizations need a plan to monitor and assess threats continuously to avoid these cyber security weaknesses.
With regulations like the GDPR and standards from the National Institute of Standards and Technology (NIST) coming into effect, the potential cost is rising. NIST recently released version 1.1 of its Cybersecurity Framework, which outlines procedures and guidelines to help companies implement strong and secure programs by identifying cyber security weaknesses. The update emphasizes supply chain risk, with a focus on third parties as potential weak links that need to be addressed, a process that starts with an in-depth assessment.
Secure Cyber Defense works closely with organizations to map out their cybersecurity programs while establishing a protocol for onboarding suppliers and third parties who link with critical systems and databases. For NIST standards, Secure Cyber Defense offers CAPE (Compliance and Planning Engine), which makes developing your System Security Plan, including incident response templates, maintenance logs, media control logs, security assessments, and more, easy enough to complete in four to eight hours. By establishing vetted criteria and requirements for third-party suppliers, organizations not only increase the security of their data and systems but also better manage the selection criteria for third-party suppliers, supply chain partners, and contractors.
#supplychainsecurity #cybersecurityplan #GDPRcompliance #NISTcompliance #OISC19
Look for us at OISC 2019
We’ll be sharing this and other important cyber security topics at the upcoming Ohio Information Security Conference being held March 13 at Sinclair Community College’s Ponitz Center, Dayton, Ohio. Vestige and Secure Cyber Defense are co-sponsoring a booth. Look for us in the Exhibit Hall.