Cyber Security and the Board - Working with third-party suppliers

Whilst recent events have overwhelmed a significant number of organisations, there remain underlying risks that won't go away. Firms are now under acute stress and it is against this backdrop that we urge firms to think carefully about their arrangements with third-party suppliers. Any breach of your supply chain is potentially a breach of your own business. The 2019 eSentire survey found that 44 per cent of firms surveyed had experienced a significant data breach caused by one of their third-party vendors.

The whole outsourcing landscape has changed over the last decade. The growth of "Software as a Service" (SaaS) has led to a proliferation of providers, many of them small and specialist, that can be signed up via a simple online process and credit card payment. We know from our experience that many internal business units are using SaaS providers without going through the company's formal onboarding process.

Many companies' methods for assessing third-party supply chain risk have not kept pace with this change. They may not be able to capture the entire risk, instead looking at it in silos as a set of isolated risks. Security does not operate best in this divided fashion.

Some companies still rely on old-style questionnaires completed by the suppliers themselves. What other area of security relies so heavily on the third party's honesty in identifying their own security issues to potential buyers?

Businesses must protect their most critical assets, data, services or systems behind the greatest layers of defence, and that goes for third parties as well. It's worth remembering that not all vulnerabilities are created equal, and it is vital to understand and identify the actual risk and plan accordingly.

Where possible, assess your vendors for this risk before you enter a formal relationship. Sadly, we have seen too many businesses commit to a relationship, sometimes even beginning to share critical data, before considering the security implications.

With higher-risk relationships, consider adopting more intrusive tests and even the continuous monitoring of some of their security controls.

Using these measures, a business can adopt an approach whereby it incorporates appropriate risk management clauses into vendor contracts. One suggestion would be to insist that vendors maintain a certain security rating or risk losing the contract, or that they introduce specific new controls within specified time periods to mitigate certain identified risks.

We see real benefit in taking a collaborative approach with vendors. Treat them as your partners, share threat intelligence that they may not be privy to, and generally work closely to support them in protecting your data.

Free Webinar: Cyber Security and the Board - Working with third-party suppliers: A webinar on this topic will take place on Wednesday 1 April at 11am.