Securing the supply chain: hackers may target vendors to access your network

Keep intruders out of your network with a vendor management program. PHOTO: Thinkstock

Even when your company implements appropriate cybersecurity protocols and policies, provides ongoing “cyber hygiene” training to employees, and takes out appropriate cyber insurance coverage, there’s still a significant risk posed by supply chains.

Hackers will gain access by targeting your network-connected vendors who may have weaker cybersecurity measures in place.

The best way to address risk is by having an effective vendor management program (VMP). It’s based on four simple steps: identify your most important vendors; specify the contact for each vendor; establish guidelines and controls to ensure consistent processes; and integrate with the business’s overall audit practices.

The first step is to define the most critical vendors and rank them based on their criticality day-to-day that, if breached, will have a significant impact on the revenue generation, disrupt business, or adversely affect clients. Such vendors would include important partners, financial or legal services and hard-to-replace software vendors.

Next, identify a primary contact within your business for each vendor. This individual, who serves as a liaison between the security, risk and compliance teams and the vendor, is tasked with:

• Co-ordinating due diligence on vendors and reporting to senior management using a risk-based approach.
• Maintaining knowledge of and compliance with policies and reporting requirements.
• Filing documentation and paperwork with the legal and contracting team to ensure there’s a central repository and audit trail.
• Coordinating communication with those who can add value through vendor oversight, such as conducting on-site and/or remote audits, reviewing vendor policies and procedures, and monitoring vendor-related litigation or regulatory issues.
The VMP establishes clear guidelines and controls to ensure consistent processes and sufficient oversight of key vendors are in place. At a minimum, it should include the following:
• A right to audit and test the security controls of vendors annually.
• Require vendors to adhere to security monitoring requirements.
• Require periodic reports from vendors demonstrating security service level attainment.
• Require vendors to provide timely notification of any security breaches or incidents that may impact the business.
Integrate the VMP within your business’s audit practices. It should form part of the broader audit best practices.

Vendor contract

Ensure everyone has a clear understanding of their obligations and agree to what’s included in the vendor contract. While not an exhaustive list, contracts should include the following representations and warranties:

• No recent undisclosed security incidents.
• No legal claims or regulatory action threatened or pending as a result of a security incident or vulnerability.
• No processing, storage or transmission of information by third parties not disclosed to business.
• Vendor has an information security program in place that’s regularly updated and maintained.
• Vendor employs personnel qualified to maintain the information security program (include vetting employees through appropriate background checks).

The contract should grant audit rights and outline penalties for not meeting specified audit standards (or maintaining a certain type of certification, such as ISO 27001 or NIST). It should also include cyber incident reporting requirements that specifically identify an “incident”, the timing, content and method of delivery of notice.

Supply chain partners offer attackers a potential back door into the networks of host companies. Those responsible for supply chain security need to be vigilant and aware of what is happening with vendors and keep up with the security controls in much the same manner as they monitor controls internally.

Imran Ahmad is a lawyer at Miller Thomson LLP in Toronto, where his work focuses on strategies related to cyber threats and dealing with cybersecurity incidents.