Outsourcing operations, data, or information to a third-party supplier does not pass on accountability or legal liabilities for data protection. Contracts and Service Level Agreements may be rendered useless if a third-party supplier suffers a cyber security breach or loss of your customer data.

Fines, reputational harm, and expensive lawsuits, to name a few, can be devastating to an organisation if they are triggered by a third-party security failure. In fact, many businesses are unaware of the cyber security risks associated with outsourcing and it’s often an area left out of the auditing process when onboarding – this is a fatal mistake.

These risks can be avoided, or at least decreased, by performing information security and compliance audits on the third-party company or data processor to ensure that the information is managed in accordance with your own strict information security policies. Organisations must accept no less than the data security policies and procedures they themselves operate under. Full supplier security audits offer protection because they establish whether the customer understands the consequences of a supplier breach and whether adequate controls are in place to reduce both the likelihood and the impact of one.

It’s clear that in 2022 and beyond, having a contract in place saying “you must keep our data secure” is no longer good enough. Proper, detailed, constant due diligence needs to be in place.

Supply chain auditing mitigates the impact of a supplier’s information security breach on your data and reduces risk through the application of industry best practices

A variety of cyber security frameworks are available to assist CISOs in managing supply chain data compliance and vulnerability. Those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) are two of the most common. ISO 27001 includes risk management, with controls for third-party suppliers defined in ISO 27002 and ISO 27701. These standards, together with NIST 800-53, can assist Information Security Managers in developing controls and policies for recognising and managing third-party risks in their supply chains.

Both frameworks discussed above are applicable to numerous industries, but a company’s individual demands may necessitate a custom-built framework, which can be developed from existing processes as well as recommendations from other frameworks.

Here at Aston Information Security, we advise our clients to periodically check that suppliers hold up-to-date certifications such as Cyber Essentials Plus and ISO 27001, and to request proof from suppliers and partners of their information assurance practices. It’s vital to make sure the certificates are from a recognised accreditation body, and not from a service provider offering certification and consultancy services at the same time – a clear conflict of interests. Any certification lasting more than 3 years is a warning sign and should be investigated.

Another area that must be addressed by Information Security Managers is the potential for false statements or claims that imply a greater level of cyber security than vendors actually have. For instance, a number of suppliers say that their “data is housed in an ISO 27001 environment,” creating the appearance that they are ISO 27001 certified, when in reality they are simply piggybacking on AWS or Google Cloud’s ISO 27001 certifications. The supplier itself, in this instance, is not ISO 27001 certified. Another expression that is frequently used is “we are compliant with ISO 27001,” which businesses evaluating potential suppliers understand to mean that the supplier holds ISO 27001 certification. Holding certification is considerably different from merely being “compliant” with the standard, and such a claim unquestionably reveals a gap that needs to be investigated further. We have written a blog about this here.

Regular third-party auditing provides assurance that the supplier is taking the expected steps to meet organisational and regulatory information security requirements on an ongoing basis

Managing the supply chain is not a one-time “tick box” assessment. It’s a relationship that must be managed throughout the third-party management lifecycle, from screening, onboarding, assessment and risk mitigation through to monitoring and off-boarding.

Supplier Due Diligence assessments are a reliable approach for understanding supplier risk when the contract begins. However, as threats evolve and boundaries shift, ongoing monitoring becomes necessary. Changes in the environment, situation, and organisation can all affect the level of information security in place to protect your sensitive data. Contracts evolve: a provider who initially supplied a limited service may now be providing a pivotal one, so the impact of a breach has increased without any further in-depth assurance having been undertaken.

The advantages of continuous and regular monitoring of your supply chain’s information security, then, are obvious. It enables businesses to detect information security, privacy, and compliance threats in real time, and to analyse ongoing information system and common control standards. Reliable and comparable cyber security ratings assist Senior Management in understanding risk exposure and encourage the adoption of constructive openness and accountability for risk management processes and policies across the larger organisation. They also help build the business case for further budget and resource investment in cyber security procedures.

A considerable portion of recent information security incidents and data privacy breaches have been triggered by vulnerabilities in the data security practices of suppliers and third parties, making the case for continuous monitoring and supply chain auditing even more persuasive.

How can we help?

Find out more about our Third-Party Risk Management auditing and monitoring services.