For industries ranging from manufacturing to health care, reliance on third-party vendors is not a choice. And for vendors to actually service clients, they often need to partner with various companies in a single supply chain. And with every supply chain vendor comes another opening for cyberattackers to compromise an organizations' operations.

At the “Mitigating Cybersecurity Vulnerabilities in Your Supply Chain” session at ALM's cyberSecure conference in New York, cybersecurity and in-house experts explained the most complex and troublesome challenges of managing vendor risk.

1. Clouds, All the Way Down

Transferring corporate or proprietary data to a supply chain vendor used to be a simple affair. The data stayed with the vendor, and the security controls they had could be reviewed and changed to meet certain standards.

But with the advent of the cloud, vendors faced a whole new risk situation. “Anytime you are outsourcing to a vendor who uses a cloud provider, make sure that you understand the chain of custody of your data,” said Nicole Eagan, CEO at Darktrace.

Should an unsecured cloud vendor or malicious user have access to a company's data, for example, it could expose the entire organization to legal and cyber risk. Such risks became painfully clear in many recent data breaches, including those at Verizon and Uber Technologies Inc..

“It seems that not a week goes by that we don't see a headline about an insecure Amazon Web service [exploit],” said Holly Brady, senior counsel at Altria Client Services.

The problem, she explained, is that organizations will take cloud security for granted and ease up on their responsibilities to manage their data security. “You have this false sense of security when we're using a cloud service provider that they are going to be thinking about security, and oftentimes that is not how it works.”

Eagan agreed, adding, “If any of your IT operations are managed by an outside service provider, oftentimes they don't specify the service they are using, or oftentimes it's below the standards you have.”

2. The Limits of Questionnaires

To manage vendor risk, organizations are increasingly requiring their partners complete cybersecurity questionnaires and surveys during the application process.

But Eagan noted that while many of these questionnaires and surveys can be extensive, in the face of fast evolving cyberthreats, they are far from foolproof.

“If you're just filling out a vendor survey once a year, it's not enough, threats change hourly, they change daily,” she said.  “The person answering that survey likely doesn't know the answer, and they are doing the best to answer. But they lack visibility into what their own threats are.”

What is needed to supplement such initial risk management, Eagan added, is technology. Artificial intelligence-based cybersecurity programs “can actually help answer some of those questions better than a human can, because then you can see the inside [of] their network and detect what is going on.”

Actually reviewing a vendor's network for potential vulnerabilities or intrusions, she explained, is a much-needed verification in today's world, where many struggle to stay on top of, or even understand, the threats they are under.

3. Unavoidable Liability

Corporations often seek to have airtight contracts with their supply chain vendors to protect themselves from liability in the case of breaches or cyberincidents. But what happens when a vendor essential to the supply chain refuses to comply with an organization's standards?

“What if the vendor makes a critical component for what you're selling?”asked Buck de Wolf, vice president, chief intellectual property counsel and general counsel at GE Global Research. “Do you stop selling that product because the vendor says we cannot comply with your contractual security requirements?”

In such situations, de Wolf said, the in-house legal department and other key stakeholders must decide whether the organization is willing or able to shoulder the risk of keeping the vendor on. Most times, “it very much depends on the terms of the arrangement you have with your vendor and your customer” and who is liable should there be a cyberincident.

But even if the vendor agrees to comply and is completely liable for any cyberincident that emanates from its IT infrastructure or operations, that still may not be enough. After all, vendors may lack the financial means to cover their client's losses.

“If you are a big company and have a little vendor” and the cyberincident is the vendor's fault, any liability protections “are sort of empty, because the vendor is not going to have deep pockets,” de Wolf said.

He added that most small vendors are aggressively trying to get business and will “sign anything that says, 'Sure we'll take all liability.'” But oftentimes, they will be unable to shoulder that liability when the time comes. “So it's like inviting a Trojan horse in.”

 

For industries ranging from manufacturing to health care, reliance on third-party vendors is not a choice. And for vendors to actually service clients, they often need to partner with various companies in a single supply chain. And with every supply chain vendor comes another opening for cyberattackers to compromise an organizations' operations.

At the “Mitigating Cybersecurity Vulnerabilities in Your Supply Chain” session at ALM's cyberSecure conference in New York, cybersecurity and in-house experts explained the most complex and troublesome challenges of managing vendor risk.

1. Clouds, All the Way Down

Transferring corporate or proprietary data to a supply chain vendor used to be a simple affair. The data stayed with the vendor, and the security controls they had could be reviewed and changed to meet certain standards.

But with the advent of the cloud, vendors faced a whole new risk situation. “Anytime you are outsourcing to a vendor who uses a cloud provider, make sure that you understand the chain of custody of your data,” said Nicole Eagan, CEO at Darktrace.

Should an unsecured cloud vendor or malicious user have access to a company's data, for example, it could expose the entire organization to legal and cyber risk. Such risks became painfully clear in many recent data breaches, including those at Verizon and Uber Technologies Inc..

“It seems that not a week goes by that we don't see a headline about an insecure Amazon Web service [exploit],” said Holly Brady, senior counsel at Altria Client Services.

The problem, she explained, is that organizations will take cloud security for granted and ease up on their responsibilities to manage their data security. “You have this false sense of security when we're using a cloud service provider that they are going to be thinking about security, and oftentimes that is not how it works.”

Eagan agreed, adding, “If any of your IT operations are managed by an outside service provider, oftentimes they don't specify the service they are using, or oftentimes it's below the standards you have.”

2. The Limits of Questionnaires

To manage vendor risk, organizations are increasingly requiring their partners complete cybersecurity questionnaires and surveys during the application process.

But Eagan noted that while many of these questionnaires and surveys can be extensive, in the face of fast evolving cyberthreats, they are far from foolproof.

“If you're just filling out a vendor survey once a year, it's not enough, threats change hourly, they change daily,” she said.  “The person answering that survey likely doesn't know the answer, and they are doing the best to answer. But they lack visibility into what their own threats are.”

What is needed to supplement such initial risk management, Eagan added, is technology. Artificial intelligence-based cybersecurity programs “can actually help answer some of those questions better than a human can, because then you can see the inside [of] their network and detect what is going on.”

Actually reviewing a vendor's network for potential vulnerabilities or intrusions, she explained, is a much-needed verification in today's world, where many struggle to stay on top of, or even understand, the threats they are under.

3. Unavoidable Liability

Corporations often seek to have airtight contracts with their supply chain vendors to protect themselves from liability in the case of breaches or cyberincidents. But what happens when a vendor essential to the supply chain refuses to comply with an organization's standards?

“What if the vendor makes a critical component for what you're selling?”asked Buck de Wolf, vice president, chief intellectual property counsel and general counsel at GE Global Research. “Do you stop selling that product because the vendor says we cannot comply with your contractual security requirements?”

In such situations, de Wolf said, the in-house legal department and other key stakeholders must decide whether the organization is willing or able to shoulder the risk of keeping the vendor on. Most times, “it very much depends on the terms of the arrangement you have with your vendor and your customer” and who is liable should there be a cyberincident.

But even if the vendor agrees to comply and is completely liable for any cyberincident that emanates from its IT infrastructure or operations, that still may not be enough. After all, vendors may lack the financial means to cover their client's losses.

“If you are a big company and have a little vendor” and the cyberincident is the vendor's fault, any liability protections “are sort of empty, because the vendor is not going to have deep pockets,” de Wolf said.

He added that most small vendors are aggressively trying to get business and will “sign anything that says, 'Sure we'll take all liability.'” But oftentimes, they will be unable to shoulder that liability when the time comes. “So it's like inviting a Trojan horse in.”