Who are you doing business with? I mean you know your customers sure. You know your suppliers but do you really know anything about them? But you are doing business with a lot of people. How do you know if there are not others you are doing business with by proxy? Third party attacks are some of the most insidious attacks a company can experience.
For instance, the headline-grabbing Target breach was done via a third party to the retail giant. The hackers got in via the stores HVAC vendor, which eventually led to their Target card program, and that led to their internal corporate network. Just last year the IRS announced that there was a malware attack on them were 101,000 fraudulent requests for filing pins was discovered using social security numbers that came from another attack elsewhere on the internet. The issue here is that these attacks are coming from somewhere other than a direct attack on the corporate network.
So it used to be you entered into a relationship with a supplier or a vendor and they may be provided you with a letter of credit. Or an introduction via your common bank, then you would start doing business with them and create a history together. Eventually, over time you may become closer and do more business together. You will build trust together and both grow your businesses.
But now it is a little different. The same scenario may play like above. But instead over time, you begin to automate your systems. There are greater synergies, orders can be processed more quickly, you experience an increase in sales. You are sharing data, in order to streamline even more. It is great for business, and trust. It is also great for the bad guys.
Now You Have A Problem
You get breached. You are not sure where or why but you have been compromised. The problems are serious, really serious. You have carefully vetted your security team. You use security audits and penetration testing to verify your data security your employees are trained on cyber security procedures. Why is this happening?
The supplier you have been doing business with for 10 years is the culprit, and most likely they don’t even know. The bad guys got in through your supplier and now are in your network. I encounter clients all of the time who enter into contractual agreements with other companies and nowhere in the contract does it say anything about cyber security. Trust is assumed from the beginning. That is the way business has always been done. The problem is your trust should not translate to your supply chain’s IT infrastructure without the proper vetting.
You should, first of all, establish from the beginning that you reserve the right to disconnect if proper security procedures are not followed. This should include security audits, and the free and fair exchange of their findings both ways. In fact, this should be compulsory on both sides of the fence. It will not only make you more secure it will engender more trust and could further the business relationship. An equal and fair understanding is always good for a business relationship. Also, make sure that any dealings with the supply chain via your employees are covered in your security policies and procedures. These employees are your eyes and ears to keep your company protected.