Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers' security posture before establishing a partnership. In this first piece of a two-part feature on ransomware, ZDNet discusses the need for continuous review of all touchpoints across their supply chain, especially those involving critical systems and data.

Enterprises typically would give their third-party suppliers "the keys to their castle" after carrying out the usual checks on the vendor's track history and systems, according to Steve Turner, a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, Turner said, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical system suppliers.

"Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews," he said in a video interview with ZDNet. "These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture."

These third-party suppliers should have the ability to deal with irregular activities in their systems and should have the appropriate security architecture in place to prevent any downstream effects, he added.

Capgemini's Southeast Asia head of cybersecurity Hamza Siddique noted that technical controls and policies established by third-party or supply chain partners did not always match up to their clients' capabilities. This created another attack surface or easy target on the client's network and could lead to risks related to operations, compliance, and brand reputation, Siddique said in an email interview.
To better mitigate such risks, he said Capgemini recommends a third-party risk management strategy that draws best practices from NIST and ISO standards. It encompasses, amongst others, the need to perform regular audits, plan for third-party incident response, and implement restricted and limited access mechanisms. The consulting firm's service portfolio includes helping its clients build a strategy around detection and analysis as well as containment and recovery.

Turner urged regular reassessments of third-party systems or, where this cannot be carried out, for organisations to have tools and processes in place to safeguard themselves against any downstream attacks.
Constant review of third-party security critical as ransomware threat climbs