News & Views
Following the recent high-profile security incidents, we asked Adam Strange, Data Classification Specialist at HelpSystems (www.helpsystems.com), for his opinions on third-party and supply-chain risks and the means of mitigating them.
“Recent high-profile security incidents in the press have once more highlighted the need for organisations to tighten up their security posture, both internally and through the supply chain. With companies finding themselves increasingly compromised through suppliers who unknowingly deliver the attack vector for hackers, it’s an important time for organisations to bolster their cybersecurity efforts with trusted vendors and security platforms within the supply chain.”
“To this point, organisations need to proactively drive supplier risk-reduction activity by building constructive support for suppliers into their cyber and data security programmes. This will require organisations to regularly review and overhaul existing technology investments and prioritise cyber and data security governance.”
“Additionally, they should carry out essential due diligence to ensure that their suppliers have the basic controls in place, coupled with good data management processes. Organisations need to thoroughly vet and monitor supply chain partners through audits, questionnaires, security ratings and other means. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and protect against incoming and outgoing cyber threats. This needs to be monitored, logged and regularly reviewed, and a baseline of normal activities between the organisation and the supplier should be established. Moreover, they should invest in cybersecurity training for employees and use technology such as data classification, DLP, and secure data management and file transfer to secure and defend.”
“To this point, we recommend that any technology be applied in line with other defensive processes and aligned with training for employees to recognise cyber and data loss threats, to fully minimise the risk.”