As information security professionals, we are comfortable addressing risks within an organization. We understand how internal processes may introduce vulnerabilities – and how best to reduce risk to an acceptable level. Competition requires companies to direct resources toward delivery of promised solutions to clients. To accomplish this, many outsource the storage, processing and transmission of information assets to third-party service providers. These practices extend the supply chain at a rapid pace – and as we all know, a chain is only as strong as its weakest link. Our task is to securely extend this chain.
Watching highly publicized supply-chain disasters unfold, we shake our heads in disbelief – but what supply chain risks are you taking today that would be difficult to defend tomorrow?
Tolerating risk that accumulates across providers often positions the supply chain for compromise. Once a third party is compromised, any data stored, processed or transmitted by that provider may be suspect. Additionally, an attacker may leverage a third party's access within the supply chain to directly compromise an organization's information assets.
Knowing you cannot completely eliminate it, how do you mitigate security risks presented by the supply chain?
Identify the critical members of your supply chain. Look to existing programs – such as business continuity and disaster recovery – as these programs often rank criticality from a business-recovery perspective. Also, identify providers entrusted with personally identifiable information and confidential company information.
Elevate the level of interaction between service providers and your risk-and-information security teams, and maintain it. These are not “set it and forget it” relationships. Collaborative efforts to continuously address vulnerabilities ensure that the aggregate risk remains acceptable.
Require more than the vendor's assurance. Reflect on how you scrutinize an internal system, and then request that same level of detail from the provider.
Monitor the relationship. What is good today may not be good tomorrow, so regularly review your provider's security posture. Consistent oversight prevents developing issues from becoming devastating compromises.
A positive relationship between an organization and a third-party service provider is most viable when both parties focus on supply chain outcomes that support strong security and risk management. Weak links will always exist, but knowing where and how to address these weaknesses will improve your company's overall security posture.