Here is some thought provoking informatin regarding cyber supply-chain risks:
50% of data breaches are attributable to a 3rd party vendor.
83% of organizations do nothing to manage third party risk.
80% of data breaches are discovered by someone outside the breached organization.
So, what are some of the things you can do to mitigate your risk?
Assess the risk before you allow a vendor access to your network.
Understand your level of risk. Is a large company a large risk and a small company a smaller risk? Not necessarily.
Perform an independent security assessment to understand your level of risk. This assessment should include, at minimum:
Web Application Security.
Hacker Threat Analysis.
Keep in mind that doing an assessment is just the start. It’s important to have the tools and processes in place to manage the assessment results.
If you life in a regulated world, you have even more to worry about. If you take credit cards, you need to comply with PCI 12.8. If you are in healthcare, you are governed by HIPAA and if you do business in or have employees who are residents of the EU, you much comply with GDPR.
It’s not a matter of if you will be at risk, it’s a matter of when. You need to have a plan for dealing with a breach caused by a vendor. Understand your communication and reporting responsibilities and develop your plan now, not after you have an incident.