Media reports have warned that a whole range of suppliers – from vendors to law and accounting firms – are often used by cyber criminals looking for an easy way into a company’s databases. In reality, even if your own organisation is secure, individuals with malicious intentions can enter your networks through your suppliers, or even your suppliers’ suppliers, especially where important functions have been outsourced to the Cloud or to smaller providers.
Suppliers have become an attractive target for hackers because they can offer an easier route into the companies they serve, especially large organisations. Hackers are aware that smaller companies often spend less on sophisticated cyber security, making it difficult for them to keep up with evolving threats.
This year, US hardware chain Lowe’s suffered a data breach following a supplier’s error. The third-party company unintentionally backed up Lowe’s data to an unsecured computer server that was accessible from the Internet. The exposed data included employee information such as social security numbers and other personnel records.
Also this year, the confidential account information of more than 22,000 small business customers of Montreal-based telecommunications company Bell was compromised following a cyber attack on a third-party supplier.
Target’s breach is likely to have been initiated through a supplier. Fazio Mechanical Services (FSM), a heating, ventilation and air conditioning (HVAC) contractor, was connected to Target’s systems to provide electronic billing services, contract submissions and project management services. Computer Weekly reported that “FSM itself was the subject of an attack in which hackers stole the credentials required to breach Target. By allowing FSM to connect to its internal networks, Target introduced another means by which it could itself be attacked.”
Home Depot recently disclosed that a stolen vendor password was used to gain access to Home Depot’s systems, which led to the theft of 53 million email addresses and 56 million credit and debit card details.
The above breaches are only a few examples of what can go wrong if suppliers are given access to a company’s data when they shouldn’t be.
There is hardly an organisation that does not rely on suppliers, so it is vital that senior executives become more rigorous with their suppliers and trading partners when it comes to information risk assurance. If suppliers are going to have access to a company’s data, then it is essential that they are subject to at least the same level of security as the company procuring their services.
Customers demand cyber security credentials
55% of the respondents to the IT Governance Boardroom Cyber Watch Survey 2014 stated that their customers had inquired about their information security credentials.
Suppliers will only benefit from improving their cyber security posture. Not only will they achieve better protection for their own information, but they will also gain a competitive advantage. For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it demonstrates that an organisation has been independently audited against internationally recognised security standards.
Gain information security credentials today
Achieving certification to ISO 27001 can be easy with IT Governance’s fixed-price ISO 27001 packaged solutions. IT Governance has led more than 140 successful certifications to ISO 27001 around the world, and now this expertise is available for online delivery and can be accessed by any company anywhere in the world. Click on the links below to find out more.
The four packages are: Do It Yourself, Get A Little Help, Get A Lot Of Help, and We’ll Do It For You.