Vendors May Be The Weak Link In Your Supply Chain
As a post from cybersecurity vendor Halock puts it, “Your enterprise is only (as) secure as your weakest vendor” (posted 9/11/19 at https://www.halock.com/third-party-vendors-are-you-on-the-same-page/). It is not enough to have controls in place to secure your third-party data if an attacker can reach it through a vendor with inadequate controls.
According to a 2018 survey by the Ponemon Institute, 56% of organizations have had a breach caused by a vendor. 20% of healthcare sector breaches in 2017 were caused by third-party vendors, but the problem exists in all industries. Both the EU’s GDPR and New York’s new financial regulations address a company’s responsibility for ensuring that its suppliers’ and vendors’ networks are secure.
Target is a well-known example of a major company breached through a vendor that had access to its network. More recently, Target entered into an agreement with CVS that requires CVS to use its own network.
Due diligence must extend to every level of an organization’s suppliers and vendors, not just the ones it contracts with directly. In 2016 Athens Orthopedic, a Georgia clinic, was hacked because its IT managed service provider used a cloud application vendor with unsecured VPN connections.
When selecting vendors, reviewing their cybersecurity must be part of the process. In addition to requiring proper safeguards, grant each vendor no more access to your systems than it needs to do its work. Your contract should include indemnification and insurance requirements, and your own cyber insurance should cover the acts or omissions of a supplier or vendor.