Expert Discussion On Third Party/Supply Chain Risks And Means Of Mitigating Them

By ISBuzz Team, Writer, Information Security Buzz | Jan 26, 2021 02:11 am PST

Following the recent high profile security incidents we sat down with Adam Strange, a Data Classification Specialist from HelpSystems and asked for his opinions on third party/supply chain risks and means of mitigating them. Please see his comments below.

Adam Strange, Data Classification Specialist
January 26, 2021 10:24 am

Recent high profile security incidents in the press have once more highlighted the need for organisations to tighten up their security posture, both internally and through the supply chain. With companies finding themselves increasingly compromised through suppliers who unknowingly deliver the attack vector for hackers, it’s an important time for organisations to bolster their cybersecurity efforts with trusted vendors and security platforms within the supply chain.

To this point, organisations need to proactively drive supplier risk-reduction activity by building constructive support for suppliers into their cyber and data security programmes. This will require organisations to regularly review and overhaul existing technology investments and prioritise cyber and data security governance.

Additionally, they should carry out essential due diligence to ensure that their suppliers have the basic controls in place, coupled with good data management processes. Organisations need to thoroughly vet and monitor supply chain partners through audits, questionnaires, security ratings and other means. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and protect against incoming and outgoing cyber threats. This needs to be monitored, logged and regularly reviewed, and a baseline of normal activities between the organisation and the supplier should be established. Moreover, they should invest in cybersecurity training for employees and use technology such as data classification, DLP and secure data management and file transfer to secure and defend.

To this point, we recommend that any technology be applied in line with other defensive processes and aligned with training for employees to recognise cyber and data loss threats, to fully minimise the risk.

