A small towing company in New Jersey got a shock when its biggest client — an international bank — said the local firm had to beef up its IT security and go through an annual third-party security audit to keep the bank as a client. The incident illustrates how supply chain issues have worked their way down to the smallest businesses, according to Rahul Mahna, managing director of managed security services within EisnerAmper Digital.
“The giant bank said ‘you have license plates and VIN (vehicle identification numbers) in your system, and that could be a security concern,’” Mahna recalled. “So our client asked us to help them identify and install a vendor management platform on their system, and we were asked to annually perform an IT security audit and issue a report on it each year. It often goes back to insurance policies — originally, cyber-protection insurance was basically a one-page document, but increasingly insurers want to see proof that policyholders are actually implementing robust controls,” which drives a ripple effect that goes down the entire supply chain.
“The concern used to be limited to ensuring a company had an antivirus program,” he explained. “Then it grew to encompass security across the entire company network; and now, as digitally connected supply chains get longer, there are more entry points for hackers so insurers and others want to be sure that everyone who’s connected has appropriate security measures in place.”
Mahna’s group, along with other professional services firms, is increasingly being asked to do vulnerability scans of clients’ IT structures, including launching simulated cyberattacks to spot weak points. It means more costs for businesses but, he noted, it’s something that’s increasingly being demanded by clients’ own customers.
The need to address third-party cyber risk is especially acute “for vendors that are providing critical services to a business,” said William Mendez, managing director of operations at CyZen, a Friedman LLP cybersecurity company. “Securing supply chains is complex, especially when dealing with multiple vendors. Companies need to identify all vendors that have access to the company’s data or infrastructure — and vendors that host or store company sensitive information or provide critical services to the company — and they have to identify software and products that are critical to business operations.”
Once that’s been done, “a company should have visibility into their vendor’s security practices and ensure that contractual verbiage addresses reporting of incidents that affect the company’s infrastructure or information,” Mendez said. “This task will depend on the type of vendor.”
An ongoing struggle for cybersafety
Technology and digital enabling strategies have helped more companies to take advantage of a global marketplace and expand their supply chains, according to Julie Tracy and Jason Spezzano, vice presidents at Withum’s Cybersecurity practice. But “[c]ontinued expansion and the automating of tasks as well as outsourcing business functions to third parties has been tied to an increase in cybercrime,” the pair noted. “Because organizations continue to digitize, they inherently increase their risk, opening themselves up to a domain where their systems lay vulnerable to attack as they have increased different points or attack vectors where an unauthorized user or attacker can try to enter or pull data such as critical IP (intellectual property), customer information from an environment, or just damage and disrupt business operations.”
Their advice: “Companies need to ensure that they have a well-documented information security program which includes policies and procedures and standards to protect infrastructure and data. As part of that program, ensure a third-party risk management program is in place. As their third-party providers, they are responsible for ensuring due diligence and due care in contracting with any organization.”
Businesses should take steps to understand their risks and create a cyber risk management program that identifies and assesses internal and external cybersecurity risks that may threaten and affect their operational and reputational risks for them and their supply chain, they suggested. “This includes threats and impacts upon confidentiality, integrity and availability of stored and non-public information. Most, if not all, companies are aware of the non-cyber issues with supply chain in terms of the difficulties in purchasing goods and the increased costs of most items. But most small- and medium-sized companies are not fully aware of the supply chain issues. Even larger companies may struggle with truly understanding cyber risk related to supply chain. Companies need to include all vendors in these programs, not just technology vendors. Remember, the Target breach happened via their HVAC system.”
Current tools for assessing “vendor security posture” include due diligence questionnaires, he added. “These questionnaires are better than not having a process; however, they depend on a vendor’s honesty in answering the questions. They typically do not involve any type of validation that the stated security controls are in place. Companies should perform some sort of validation such as asking for third-party attestation, test results such as penetration tests, or vulnerability assessments; and should ask about incidents they have been involved in, how they resolved them, and whether there were any lessons learned.”
Thanks to high-profile cyber-penetration incidents at some big companies — including SolarWinds, a major information technology firm, and Kaseya, a global IT and security management provider — that spread to many high-profile clients, “more companies are paying attention to these issues,” Mendez noted. “Prior to these incidents, many organizations did not understand the true risk posed by third parties; the only exceptions are organizations under compliance regulations.”
Mendez and his team “usually try to get ahead of any third-party vendor issues by asking clients to consider cybersecurity from the start, during the acquisition phase. Prior to acquiring a new product or service we help our clients conduct a risk assessment to identify any cybersecurity impact to operations. This allows the company to make an informed decision before investing in a product or service. What we find is that, depending on the vendor, many will accommodate security requests.”
Among other services, Mendez’s organization monitors clients’ environments “for suspicious or malicious activity via monitoring technology such as Security Information Event Managers,” he said. “In these instances we can tailor the monitoring to closely watch vendor products for this type of activity. During the SolarWinds incident we were able to quickly create ‘watch lists’ to specifically watch activity associated with the client’s deployment of SolarWinds.”
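To make the “watch list” idea in that last quote concrete, here is an added example of what such tailored monitoring can look like in practice. It is not code from the article, from CyZen or from any SIEM product: it runs over a constructed, simplified event format (“timestamp host product action detail”), and the vendor product names, hosts and destinations are invented placeholders. The rule flags a watched vendor product when it connects to a destination outside the baseline agreed for that product, or when it spawns a child process at all.

```python
"""Vendor-product watch list over constructed SIEM-style events.

Added example, not from the article or any firm it quotes. Assumes a
constructed log format: "ts host product action detail". Product names,
hosts and destinations are hypothetical placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    product: str
    action: str
    detail: str


# Constructed watch list: vendor product -> outbound destinations that
# product is expected to talk to (a hypothetical baseline agreed with the
# vendor during onboarding). Anything else from that product is an alert.
WATCH_LIST = {
    "vendor-monitor-agent": {"updates.vendor-monitor.example"},
    "vendor-rmm-tool": {"relay.vendor-rmm.example"},
}

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
2021-12-14T10:01:00Z srv01 vendor-monitor-agent net_connect updates.vendor-monitor.example
2021-12-14T10:02:10Z srv01 vendor-monitor-agent net_connect 203.0.113.45
2021-12-14T10:03:00Z srv02 vendor-rmm-tool proc_spawn powershell.exe
2021-12-14T10:04:00Z srv02 vendor-rmm-tool net_connect relay.vendor-rmm.example
2021-12-14T10:05:00Z ws07 office-suite net_connect 203.0.113.45
"""


def parse_line(line):
    """Split one constructed log line into an Event; the detail field may contain spaces."""
    ts, host, product, action, detail = line.split(maxsplit=4)
    return Event(ts, host, product, action, detail)


def watch_list_alerts(log_text, watch_list=WATCH_LIST):
    """Return (event, reason) pairs for watched vendor products that step
    outside their baseline: an outbound connection to a destination not on
    the product's allowlist, or spawning a child process at all.
    Products not on the watch list are ignored, even if they do the same thing."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = watch_list.get(ev.product)
        if allowed is None:
            continue  # not a watched vendor product
        if ev.action == "net_connect" and ev.detail not in allowed:
            alerts.append((ev, "unexpected outbound destination"))
        elif ev.action == "proc_spawn":
            alerts.append((ev, "watched product spawned a child process"))
    return alerts


if __name__ == "__main__":
    for ev, reason in watch_list_alerts(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.product}: {reason} ({ev.detail})")
```

Run as a script, it reports the two sample events that deviate from the baseline (the agent reaching an unlisted address and the remote-management tool launching a shell) and stays silent on the unwatched office suite doing the same outbound connection. The point of the design is that the baseline is per product and defined up front, so a vendor product behaving in a way it was never expected to is visible immediately, instead of being lost among the noise of everything else on the network.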