Here are a few startling facts you may not know: According to The Ponemon Institute, 56% of organizations have had a breach caused by one of their vendors. And, a study by CERT’s National Insider Threat Center showed that 15% of all insider threat incidents were perpetrated by someone in the victim organization’s supply chain. A supply chain can include any third party that supports an organization’s business goals, such as technology providers, public infrastructure, physical good suppliers, or other contracted services.
Some of the most infamous security breaches were caused by third-party vendors or contractors. Many outside attackers or malicious insiders may look to exploit weaknesses within the supply chain. For example, Verizon Enterprise’s vendor Nice Systems misconfigured a cloud storage account, which exposed millions of customer records. And, Target’s costly breach involved a third-party vendor with access to a customer database. While it’s impractical to reduce reliance on the supply chain altogether, having a strong set of processes for vendor review, onboarding, and ongoing security can reduce the risk of insider threat.
Here are some ways to get started.
Create a Strong Supply Chain Vendor Evaluation
According to Carnegie Mellon University, there are many compliance frameworks you can use to evaluate the security of third-party vendors and suppliers. A few examples include ISO 28000 for general vendor evaluations, ISO/IEC 20243 for technology vendors, and several industry-specific frameworks.
Starting with these frameworks will ensure that the right risk management strategies are taken into consideration during the vendor evaluation process. During this process, consider which data and systems the vendor will regularly access, and ask pointed questions about how the vendor will protect your organization’s data. Although compliance generally leads these types of evaluations, having a security team member’s perspective could be valuable when it comes to asking the right questions about systems access and security protocol.
Another important aspect to consider are the people who will be directly managing and handling your organization’s account. Just as you would screen an employee, interview an account manager or representative thoroughly. Given the increasingly important role of supply chain vendors in the business management process, it’s important to know your third-party contractors and establish a baseline level of trust.
Develop a Secure Supply Chain Onboarding Process
During the onboarding process, there’s typically an internal point of contact responsible for the vendor relationship. Security teams should ensure that each of the internal contacts are aware of the security onboarding protocol for vendors and contractors. Standardizing this process will keep everyone in the supply chain aware of policies and operating procedures.
One way to properly train your supply chain is to provide a video training series for any new vendor or contractor. Policy and protocol review often becomes much easier and more digestible in video format, and can ease pressure on already overextended security teams. As an added bonus, for compliance purposes, working virtual signatures into the process can ensure that the videos are fully reviewed and understood.
Make Use of Third-Party Monitoring Software
Insider threat statistics show that two out of three incidents are caused by employee or contractor mistakes. Even the most diligent screening and training processes can miss some of these human errors. Not to mention, malicious insiders will always do their best to fly under the radar. For these reasons, it’s important to have ongoing third-party monitoring in place to mitigate possible risks.
However, monitoring data alone isn’t enough to prevent supply chain insider threat risks. A combination of user and data activity monitoring can equip security teams with the information they need to prevent incidents and conduct investigations to determine who did what, when, and why. Insider threat management platforms like ObserveIT can help secure the supply chain by providing the ongoing monitoring needed to prevent insider threats.