It’s an unfortunate fact that your organisation’s security doesn’t depend solely on your own organisation’s efforts. An organisation can have the most robust security measures, but they can all be rendered useless if a supplier’s measures are not as robust.
Target is a prime example of what can happen if a supplier’s security fails. Target’s network credentials were stolen from a refrigeration, heating and air conditioning subcontractor that had worked at a number of Target locations.
The usual questions
While the supplier selection process is different for every organisation, there are a few common criteria: cost, expertise and reliability.
It can be safely assumed that these three criteria have been common in supplier selection processes for hundreds, if not thousands, of years. So it is perhaps a big ask, but it’s time these three turned into four.
Cyber security – yea or nay?
Questioning possible suppliers about their security is likely to cause one of two things to happen:
- *While scratching head* “Well, err, Jerry, who’s pretty good on computers, installed AVG free on all the PCs…”
- “Our organisation takes security seriously. We have a sophisticated spam filter, all of our passwords are changed regularly, patches are applied and users are aware of security threats thanks to our regular security awareness training. Penetration tests are regularly conducted and any discovered vulnerabilities are quickly resolved. We value our customers, so it’s only fair that we do our best to protect their data.”
Scenario two seems to be a hopeful response, but there’s something missing.
Where’s their proof?
It’s okay to be sceptical
An organisation that does its best to secure customer data can be, and should be, proud of it. Unless a third party has audited their security, however, and has agreed it’s at an acceptable level, then it’s all hollow platitudes.
Remember the cloud hosting platform Code Spaces?
A cached copy of their website stated: “Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan—and one that is well-practiced and proven to work time and time again. Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
Within 12 hours a hacker had broken in and deleted all the data, and Code Spaces permanently closed down its business. This brought an end to many of the projects that the company was hosting.
Instances such as this are why it’s perfectly acceptable to be sceptical when searching for a cyber secure supplier.
Look for certifications
As stated above, you need to search for suppliers that have had their security audited by a third party, and such an audit is a common requirement of many certification schemes.
Certification to ISO 27001, the international standard that describes best practice for an information security management system, is an example of a certification you should look out for when conducting your search. ISO 27001 actually has an entire section about supplier management processes.
In the UK you can also look for the Cyber Essentials scheme badge. The Cyber Essentials scheme isn’t as detailed as ISO 27001 but, if maintained correctly, it will stop 80% of cyber attacks.
Lead by example
To acquire the services of the best suppliers, you need to be the best. Before you start vetting current and possible suppliers about their security, ensure that your own security is at an acceptable level.
As I’ve mentioned earlier, ISO 27001 has an entire section dedicated to handling suppliers, so perhaps ISO 27001 certification is where you should be headed.
I invite you to download our free and highly informative green paper ‘Information Security & ISO 27001: An introduction’. This free download will provide you with an understanding of ISO 27001 certification and will explore the benefits of achieving certification to the Standard.