Supplier due diligence: how to stop hackers slipping through the back door
A business of any size needs to get its due diligence process set up from the get-go. And once it’s in place, it also needs to be continually monitored and reviewed.
Due diligence can simply describe the reasonable steps taken by a person to avoid harm. In this case though, we’re going to specifically talk about the risk of a cybersecurity breach via a third party supplier.
It’s not just about compliance and protection. Keeping on top of your supplier due diligence can enable your company to attract both customers and investors. It also gives you peace of mind, so you can focus on building and scaling upwards, knowing your foundations won’t let you down.
Big name data breaches
Ticketmaster and Volkswagen are just two examples of big name brands that have fallen victim to a third party’s vulnerability.
Hundreds of thousands of customers’ personal details, such as full names, email addresses and phone numbers, were exposed in the huge data breaches that occurred via third party suppliers, resulting in hefty fines and a massive dent in public reputation for both companies.
Had they done their due diligence before agreeing to work with these third party suppliers, these massive blunders could have been avoided. Though it’s not as simple as it sounds.
Large companies like Ticketmaster and VW have huge numbers of suppliers, all with their own subcontractors, making them hard to keep track of. And once a cyberattacker has got in via one third party, it’s easy for them to access data held by other parties without being flagged.
But these kinds of data breaches aren’t just limited to household names. Smaller businesses and entrepreneurs are also at risk of being targeted.
What businesses big and small should consider
Some organisations will barely mention their cybersecurity policy when joining a partnership, but others are more switched on.
Has a supplier completed a pen test recently? Was it completed by a tester who is CREST-certified? Some organisations will consider everything about their suppliers and partners, even down to the routers businesses are using for their WiFi.
While you’ll want some differentiation depending on the type of supplier, you’ll want a due diligence policy you can roll out to every single one. This will keep your business, your employees and your customers digitally secure – and enable you to pass the checks of those performing due diligence on your own organisation.
Four best practices for supplier due diligence
1. Security questionnaires for suppliers
First, it’s crucial to understand the ways cybersecurity is implemented into a supplier’s own best practices.
A supplier due diligence questionnaire examines risk by asking questions on data security, human resource policies, financials, and references. You can then use a supplier’s answers to set requirements the third-party supplier must uphold to meet the standards of the business relationship. If anything goes wrong, you can refer back to their answers and hold them accountable.
2. Tiering suppliers by criticality
Save time during supplier onboarding due diligence by tiering your suppliers based on the relationship they will have with your business.
For instance, you’ll want to prioritise security of an organisation that will need access to your sensitive data (e.g. a SaaS product provider) more than a business that does not have immediate access to critical information (e.g. a graphic design agency).
Instead of trying a one-size-fits-all approach to evaluating criticality, tiering helps you work out whether you need to review evidence of a clean independent pen test, or whether it's enough for a supplier to abide by GDPR.
3. Monitor your suppliers regularly
Cybersecurity due diligence needs to be kept up throughout your vendor partnerships, and isn’t something you can just forget about once the contract is signed.
Depending on your resources, you can use an automated continuous monitoring solution to keep your finger on the pulse about the varying risk profiles of your suppliers. Or you could simply require suppliers to update you on any changes in their systems or processes that have the potential to impact security.
4. Evaluate third-party cybersecurity risk using a pen test
If a third party is dealing with your customers’ data, they will need to present a recent penetration test report, showing either a clean result, or detailing the actions taken to rectify any vulnerabilities found, plus the related retest to ensure the remedial work has been effective.
Penetration testing (often referred to as pen testing) is a security exercise that attempts to seek out and exploit vulnerabilities in a computer system, network or web application, to identify any weak spots that could be taken advantage of by an attacker.
A successful test can often reassure customers. Even if they have to address gaps in their security, businesses can wear their due diligence as a badge of honour.
By following these best practices, you can lower the risk of partnering with third parties and relieve the burden on employees. Your security, legal and compliance teams will thank you.
Datavax is a trusted, neutral cybersecurity partner with expert CREST-certified pen testers. See how you could benefit by booking a free 30-minute consultation with one of our senior testers and project managers today.