With the rise of digital and cloud technologies, business models have evolved greatly. In recent years, we’ve seen an increasing number of businesses that are essentially “born in the cloud,” with infrastructure that is fully supported by cloud services. For example, Amazon Web Services (AWS) makes it affordable and easy to start an online company that can scale to compete with larger, well-funded rivals. Similarly, YouTube makes it easy to create and distribute promotional videos, while other social media channels, such as Facebook and Twitter, enable company messaging and marketing campaigns to reach millions around the world. The internet and the cloud are the great equalizers – allowing startups to effectively compete with established companies of any size.
But even brick and mortar companies are increasingly leveraging the internet and cloud services to expand their business. As traditional business models have changed to incorporate these resources, the security risks presented have evolved as well. In today’s world of digital business, the security risks faced by the majority of companies have largely shifted into the cyber realm.
In addition, businesses today now have a much larger dependency on third-party providers and suppliers than they’ve ever had in the past. While suppliers can allow companies to be more innovative, create new products, and further level the playing field against larger competitors, there are also many new dangers and risks that can arise in such distributed ecosystems.
These risks are not hypothetical. Over the past few years, two of the more memorable cases of third-party partners causing security breaches involve The Home Depot and Target. In November 2014, Home Depot disclosed a breach perpetrated by hackers who broke into corporate systems using credentials stolen from a third-party vendor. In December 2013, Target suffered a huge data breach that resulted in 70 million stolen credit card records. The attackers were able to breach Target’s system via a third-party HVAC provider. And other data breaches and security vulnerabilities seem to make it into news headlines on a regular basis.
Protecting Against Supply Chain Risks in the Digital Era
Third-party partners and suppliers remain essential requirements for any business, but for cloud-based companies, this dependency is significantly elevated. It is critical that companies understand and take appropriate steps to manage the risks in their supply chain.
Here are seven best practices that can help all organizations – whether cloud-based or traditional, large or small – protect against third-party threats.
- Implement a Business Impact Assessment: Conduct a business impact assessment to understand the level of dependency on each third-party partner. Typically, third parties that play a more critical role in supporting the business will present greater security risks.
- Know Your Partners: Keep an up-to-date and accurate record of all business partners and the role that each plays. Relationships evolve over time, and it is important that any changes are captured as they happen.
- Document Security Policies: Have a security policy documented for third parties that explains what is expected, how data should be handled, and what needs to happen in the event of an incident. Legal counsel should also be sought to ensure that the terms of such documents are legally binding and enforceable.
- Prioritize Communication and Education: Communicate security needs to all partners. Some third parties may not yet appreciate the need for security. If awareness is lacking in the partner ecosystem, an element of education should also be considered.
- Provide Technical Assurance: Implement technical controls, especially when a third party has direct access to corporate systems. The existence of certifications and audits can help provide this assurance. However, additional technical assurance can be gained via penetration testing and vulnerability scanning, or by deploying monitoring controls in the partner environment. These strategies can provide a much-needed additional layer of protection.
- Leverage Threat Intelligence: Use threat intelligence to understand attack vectors and identify vulnerability points where a third party may have been breached. Threat intelligence provides actionable information about emerging security threats, helping organizations better detect and respond to them.
- Create an Incident Response Plan: Create and document a joint incident response plan that clearly maps out roles and responsibilities in the event of an incident at a third party. Plans should include technical controls, such as isolating critical environments; PR and media communication strategies; and ways to end or replace the third-party service temporarily, or even permanently if a serious breach occurs.
Partners and suppliers are a critical part of a company’s success in the digital era. However, it’s important that organizations understand the risks that lie within the supply chain and take appropriate steps to protect themselves. By implementing the aforementioned best practices into third-party security strategies, organizations can go a long way toward enhancing their ability to detect threats, and respond in a fast and efficient manner if a security breach occurs.