Between SolarWinds, Microsoft Exchange, Kaseya and a number of other supply chain attacks, businesses are lucky if a third-party compromise has not breached their systems.
Malicious actors target vendors to maximize damage. Malware, ransomware or other infections spread through vendors and trickle into the networks of businesses buying the services, too.
It poses a challenge for security leadership: How can the business defend against the risk associated with vendors while still accessing their services?
“If you can’t validate that your vendors take security as seriously as you do, continue looking.”
Steve Tcherchian
CPO, CISO of XYPRO Technology
In the wake of high-profile vendor attacks, Cybersecurity Dive asked security executives how they screen third parties to keep their networks secure.
At a minimum, your vendors should be in lockstep with the same security standard and controls you have in place for your own organization. They are an extension of your company and represent you.
Therefore, vetting the security of your vendors is critical.
Be ready with a standard security questionnaire/assessment that is similar to your company’s security program. Make that part of due diligence of onboarding any new vendor. Just like you would do your due diligence in any other business transaction, security must be considered part of any vendor onboarding.
Unfortunately, it’s too often an afterthought because it gets in the way of doing business. It can’t be treated this way because vendors are most targeted, and if something happens to them, it happens to you, as risk can no longer be deflected to third parties without consequence.