Work with suppliers to improve cyber security and reduce supply chain risk

Firms must include supply chain security as part of their strategy to reduce the risk of data breaches, according to an expert panel at the recent Infosecurity Europe 2015 event in London.

Information security weaknesses at the supplier level have been responsible for several high-profile breaches in recent years, including the phishing emails sent to an air-conditioning supplier of US retailer Target in 2013 and PA Consulting losing the details of 84,000 prisoners on an unencrypted memory stick in 2008.

The panel asserted that the information security of suppliers is just as important as that of the providers of critical infrastructure themselves, noting that many of the data breaches that put firms at risk occur deep down in the supply chain.

They emphasized that if the level of security and risk awareness is not consistent throughout the entire supply chain network, cyber-criminals can exploit that weakness.

Work with suppliers

The panel recommended that firms include information security in the supplier contract. When negotiating with suppliers, firms need to ensure that information security is one of the key deliverables specified in the contract.

But that’s just the starting point. The information security requirements in the contract must be followed up by regular audits and spot checks to ensure the supplier is adhering to the contract and the specified information security policies. This can be costly and time-consuming, but it is essential.

Bottom line: be an intelligent customer. Ensure you are asking the right questions of your suppliers and that you understand the services being provided. If you think suppliers are not meeting your information security requirements, work with them to get it right. If that doesn’t work, get a new supplier.