Making a vendor risk assessment for supply chain attacks
Because of how sophisticated cybercriminals have become, to protect your company’s money and data, it may be wise to make risk assessments of your vendors’ security protocols. This is especially true for new business relationships you may have entered because of a supply chain crunch.
Hackers launch supply chain attacks by exploiting vulnerabilities in a third-party vendor’s network or software. One example of this is the SolarWinds attack that impacted thousands of companies’ networks.
Because vendors often need access to sensitive data to integrate with their customers’ payment systems, a compromise of that data can expose every organization in the vendor’s network to attack, including your firm.
Even if your company isn’t the direct target of a cyberattack, a supply chain attack on a vendor can still hit you financially.
Another reason to create vendor risk assessments: Unless it’s spelled out in a contract, it’s possible you could share the liability if a data breach occurs. While it’s important that your suppliers feel like you trust them, there’s no harm in checking that they’re keeping their systems secure and that they have a plan for addressing any security gaps.
To make sure a vendor relationship doesn’t introduce undue risk to your network, here’s a checklist of items, suggested by experts, to watch for.
Conducting a vendor risk assessment
To protect your business (and your suppliers, too), you’ll want to know if your vendors:
- have a written network security policy
- have a process for keeping security patches up to date
- have a process for identifying, evaluating and reporting security vulnerabilities in their network, systems or applications
- use a VPN
- use encryption during storage and transmission of sensitive data
- have controls to prevent and detect unauthorized network access
- log and limit access to systems, applications and data
- have controls for preventing email spoofing, along with ransomware and malware attacks
- back up their data (find out how and where the backups are stored), and
- have a written incident response plan for data breaches, including a plan for recovery of operations.
Based on these criteria, if a vendor seems lax about cybersecurity or if it refuses to provide information about security controls, it may be time to start exploring alternative vendors.