If your vendors get hacked, you’re in trouble.
If your vendor’s vendor gets hacked - you’re still in trouble.
Cyber security across your supply chain should be a priority. In this context, cyber security means protecting internet-connected systems, and the hardware, software and data behind them, from attack: preventing unauthorised access to, destruction of, or tampering with computer systems and networks.
Yet, procurement teams are struggling with the cyber security of their vendors.
Only 41% of organisations believe their vendors have robust enough data safeguards, security policies and procedures should there be a data breach. - Ponemon Institute LLC
The gap shows: 98% of organisations had at least one third party in their supply chain breached in the last two years, according to a report by SecurityScorecard and the Cyentia Institute.
I wonder how many organisations genuinely know what is happening across the supply chain.
That worries me.
I used to oversee hundreds of vendors and their contracts for a London-based FinTech. We prioritised cyber security, as well as a broader risk review, of every vendor.
Our most strategic vendors had more attention, based on the vendor segmentation model provided.
But I know this isn’t the story everywhere.
Especially with stories like the 2013 Target breach, where attackers used network credentials stolen from a third-party HVAC vendor to get into Target's environment and plant card-stealing malware on point-of-sale systems across roughly 1,800 stores, at a reported cost of $252 million.
The cost of poor compliance and control of your vendors’ cyber security could break your business.
I’ve got you covered here.
The following methods are best used in your business with a joined-up approach from:
Or some combination of individuals experienced in these areas if you don’t yet have dedicated team members.
3 easy ways to assess your Vendor Cyber Security
1. Market IQ Cyber Assessments and Continuous Monitoring
Market IQ Cyber assessments are a great way to assess vendor cyber security.
Pair it with Market IQ Finance, our risk capabilities for tracking vendor risks, and the Workflow Engine, which can start a cyber risk mitigation process while you're asleep, and you're well covered.
Market IQ Cyber is Gatekeeper's integration with SecurityScorecard, one of the best-known providers of cyber security ratings. Not to mention that they've rated over 11 MILLION organisations.
Let that number sink in.
This is how it works.
Each vendor you assess with Market IQ Cyber is assigned a letter grade from A to F.
A means the vendor is in good shape.
SecurityScorecard's own figures say a vendor rated C to F is 5.4 times more likely to suffer a consequential breach than one rated A or B.
Behind each grade is a scoring system.
SecurityScorecard grades and scores
Behind each score is a set of weighted risk factors (for example patching cadence, exposed services and DNS health), each weighted by how strongly it correlates with breaches.
A vendor that scores 100 had no issues detected across those factors. Remember, though, that the rating is built from outside-in observation of the vendor's internet-facing footprint; it cannot see internal controls, so treat it as a signal to investigate, not as proof of good security.
I particularly like the historical performance view, which gives an insight into how they've treated cyber security over a longer period.
But what happens if a vendor’s cyber score declines?
This is where the integration between Gatekeeper and SecurityScorecard comes to life.
We’ll use our Workflow Engine to create a Best Practice Cyber Risk Mitigation Workflow if a Vendor’s score has a downward trend.
From here, we can send the vendor a set of questions to answer (and hopefully Procurement and Legal have built the required response times into the contract).
You can then assess the responses from the vendor whilst also reviewing more details with your SecurityScorecard account.
You’d have a phase where the relevant experts in your business review the response. I’d also suggest you catalogue any risks in the Gatekeeper Risk Register.
If the cyber risk is no longer a concern, move the card through to completion without further action. If the vendor is still of concern, that's when you manage their performance further and mark the vendor's RAG status as Red on their vendor record.
All of this gives you the following:
- Visibility as to your vendors’ cyber health.
- Control over your supply chain to catch cyber risks early, with a process that acts even while you're asleep when a score drops.
- Evidence, for data subjects, auditors and investors, that you assess your vendors' cyber health.
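The monitoring loop described above (score history in, grade and trend out, workflow triggered on decline) is easy to get wrong if you fire on every single dip. The following is an added example, not Gatekeeper or SecurityScorecard code: it takes a constructed history of 0-100 score snapshots, maps them to A-F grades, flags a sustained downward trend, and decides whether to open a mitigation workflow or escalate. The 90/80/70/60 grade bands, the trend rule (three non-increasing readings dropping at least 5 points) and the RAG mapping are assumptions to adjust to your own policy.

```python
"""Continuous vendor-rating monitor: an added illustration, not Gatekeeper or
SecurityScorecard code.  Grade bands, trend rule and RAG mapping are
assumptions; the sample history below is constructed, not real data."""

from dataclasses import dataclass
from datetime import date

# Assumed letter bands; confirm against your rating provider's documentation.
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F"))


def grade_for(score: int) -> str:
    """Map a 0-100 score to a letter grade using the assumed bands."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


@dataclass(frozen=True)
class Snapshot:
    taken: date
    score: int


@dataclass(frozen=True)
class Decision:
    action: str   # "none", "open_mitigation_workflow" or "escalate"
    rag: str      # "Green", "Amber" or "Red"
    reason: str


def declining(history, window=3, min_drop=5):
    """True when the last `window` snapshots are monotonically non-increasing
    AND the total drop across the window is at least `min_drop` points.
    Requiring both avoids opening a workflow on a single noisy reading."""
    if len(history) < window:
        return False
    recent = [s.score for s in sorted(history, key=lambda s: s.taken)[-window:]]
    monotone = all(b <= a for a, b in zip(recent, recent[1:]))
    return monotone and (recent[0] - recent[-1]) >= min_drop


def assess(history):
    """Decide what the automated workflow should do for one vendor."""
    ordered = sorted(history, key=lambda s: s.taken)
    latest = ordered[-1]
    grade = grade_for(latest.score)
    if grade in ("D", "F"):
        # Assumed policy: a D or F is Red regardless of trend.
        return Decision("escalate", "Red", f"latest grade {grade} ({latest.score})")
    if declining(ordered):
        # Assumed policy: a sustained decline opens the mitigation workflow
        # and holds the vendor at Amber until reviewers close it.
        return Decision("open_mitigation_workflow", "Amber",
                        f"downward trend ending at {grade} ({latest.score})")
    return Decision("none", "Green", f"stable at {grade} ({latest.score})")


# Constructed sample history (not a real vendor): A sliding to C over four months.
SAMPLE = [
    Snapshot(date(2023, 1, 1), 92),
    Snapshot(date(2023, 2, 1), 88),
    Snapshot(date(2023, 3, 1), 84),
    Snapshot(date(2023, 4, 1), 79),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run it on the constructed history and the vendor comes out as an Amber "open_mitigation_workflow" decision: still a C, but three consecutive falls totalling 9 points. Swap in a history that bounces around 90 and nothing fires; push the last reading below 60 and it escalates straight to Red.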
But there is more to look at, and I like to review certifications with my InfoSec and Risk colleagues.
2. Security Assessment and Certification
Look for certifications and attestations such as ISO 27001, SOC 2 and PCI DSS (depending on your industry). They are a good indication that the vendor has security processes in place to protect your data, provided you check the scope: confirm the ISO 27001 certificate covers the service you are actually buying, ask for the SOC 2 Type II report rather than just the badge and read its exceptions, and check the date on the PCI DSS attestation.
Additionally, ask whether the vendor has completed any independent third-party security assessments and whether it aligns its controls to a framework such as ISO 27002 or NIST SP 800-53. Note that those two are control catalogues rather than certifications, so ask for the gap assessment against them rather than a certificate.
By assessing a vendor’s cyber security posture, you can ensure that the vendor you are working with is taking the necessary steps to protect your data.
We must go beyond the certificates and understand the vendor’s policies and processes.
Ask about their incident response plan, data backups, and regular security audits.
Finally, check whether the vendor has had vulnerability assessments or penetration tests carried out, and ask for the most recent report's scope, date and remediation status.
For added protection, you can make a penetration test a condition of engagement, completed before the contract is signed.
3. Due Diligence Questions on Cyber Security
I’ve always been a fan of sending out carefully selected questions that require the vendor to provide assurances. From the answers to these questions, you and your team - combined with Market IQ Cyber and the vendor’s certification - should get a good reading about their cyber security stance.
Q: Have you implemented appropriate information security policies which have been approved, published, and communicated to your employees and relevant external parties?
Objective: This question seeks to understand your vendor’s policies. You could then review each individually or hand-pick specific policies to focus on.
Q: What are your security policies and processes related to remote access?
Objective: to understand the approach to employees, vendors, contractors etc. accessing parts of the business online from anywhere in the world (for example, whether multi-factor authentication is required for remote access).
Q: (Specifically for a Software Vendor) Explain how your software can produce reports of all registered users as to their location, log-in history, password expirations, and any changes they make.
Objective: most organisations must comply with regulations that require them to understand how their employees use customer data. You need to be sure that your employees, when using this new software platform, do so in a compliant way, e.g. they aren't changing or moving customer data out of the platform (other than via reports).
You could ask many more questions to check your Vendors’ attitude toward cyber security.
I’ve included a list of additional questions you could ask to inspire you when creating your own due diligence questions.
- Does the vendor have a dedicated cyber security team and/or a chief information security officer?
- Does the vendor have a written cyber security policy that is regularly updated and reviewed?
- Does the vendor have a response plan in place in the event of a breach?
- Does the vendor regularly conduct security audits and vulnerability assessments?
- Does the vendor have a backup plan in place in the event of a system outage or data loss?
- Does the vendor have a data protection strategy in place?
- Does the vendor use encryption to protect data in transit and at rest?
- Does the vendor have a policy for monitoring and managing user access?
- Does the vendor have a patch management system to ensure the software is up to date?
- Does the vendor have a policy in place for securely disposing of data?
- Does the vendor have a policy in place for securely storing data?
You can build each of these questions into Gatekeeper and automate follow-up questions based on the responses you receive. Our form feature lets you build out the questions, and you get an audit log of the activity around them, including a visual record that they have been submitted, reviewed and approved in Gatekeeper.
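To make the two ideas in that paragraph concrete (follow-up questions that branch on the answer, and an audit trail a reviewer can trust), here is an added example, not Gatekeeper's form feature. It takes three of the yes/no questions from the list above, raises an assumed follow-up whenever the answer is anything other than "yes", and records every answer, follow-up and review decision in an append-only log where each entry commits to the hash of the previous one, so a later edit or deletion is detectable. The follow-up wording, the log format and the sample answers are assumptions.

```python
"""Due-diligence questionnaire with conditional follow-ups and a hash-chained
audit log.  An added illustration of the idea in the text, not Gatekeeper's
form feature; the base questions come from the page, the follow-up wording,
log format and sample answers are assumptions."""

import hashlib
import json
from datetime import datetime, timezone

# Base questions (from the page) and the follow-up raised when the answer is
# not a clear "yes" (follow-up wording is assumed).
QUESTIONS = {
    "encryption": {
        "text": "Does the vendor use encryption to protect data in transit and at rest?",
        "on_no": "Which data stores or links are unencrypted, and what is the remediation date?",
    },
    "incident_response": {
        "text": "Does the vendor have a response plan in place in the event of a breach?",
        "on_no": "Who is accountable for notifying customers of a breach, and within what timeframe?",
    },
    "pen_test": {
        "text": "Does the vendor regularly conduct security audits and vulnerability assessments?",
        "on_no": "When was the last external penetration test, and are high-severity findings closed?",
    },
}


class AuditLog:
    """Append-only log; each entry includes the previous entry's hash, so
    altering or removing any earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, actor, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "event": event, "detail": detail, "prev": prev,
        }
        # Hash the canonical JSON of the entry (without its own hash field).
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            check = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(check, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def evaluate(answers, log, vendor):
    """Log the vendor's answers and return the follow-ups that must be sent
    before the review can close.  A missing or blank answer counts as 'no'."""
    follow_ups = []
    for key, q in QUESTIONS.items():
        answer = answers.get(key)
        log.append(vendor, "answered", {"question": key, "answer": answer})
        if answer is None or answer.strip().lower() != "yes":
            follow_ups.append((key, q["on_no"]))
            log.append("system", "follow_up_raised", {"question": key})
    return follow_ups


# Constructed sample responses (not a real vendor): one yes, one no, one blank.
SAMPLE_ANSWERS = {"encryption": "Yes", "incident_response": "no", "pen_test": ""}

if __name__ == "__main__":
    log = AuditLog()
    pending = evaluate(SAMPLE_ANSWERS, log, "vendor-example")
    log.append("infosec.reviewer", "reviewed", {"open_follow_ups": len(pending)})
    for key, question in pending:
        print(f"[{key}] {question}")
    print("audit chain intact:", log.verify())
```

With the sample answers, two follow-ups are raised (the "no" and the blank) and the log holds five entries plus the reviewer's decision. The point of the hash chain is that an auditor can re-run `verify()` over an exported log: if anyone later "corrects" a vendor's answer in place, or quietly drops the entry that shows a follow-up was never answered, verification fails.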
I’m telling you that this is an auditor’s, customer’s and investor’s dream.
Procurement professionals can assess vendor cyber security by evaluating vendors' security policies, conducting a risk assessment, and verifying their compliance with industry standards.
Doing this reduces the likelihood of a vendor being hacked, alerts you to cyber issues across your vendor base and limits the impact if one is breached.
- Market IQ Cyber Assessments & Continuous Monitoring, with SecurityScorecard, assess vendor cyber security. Grades run from A to F, with A indicating good shape and C-F-rated vendors 5.4x more likely to suffer a breach than A-B-rated companies.
- Assess vendor cyber security by looking for certifications (ISO 27001, SOC 2, PCI DSS), asking about third-party security assessments, understanding vendor policies/processes (incident response plans, data backups, security audits), and conducting a penetration test for added protection.
- Create due diligence questions to ask vendors to assess their approach to cyber security. Utilise the form feature within Gatekeeper to handle this and create an audit trail of your due diligence review.
If you want to take your due diligence approach up to a new level, let’s set up a meeting to discuss how Gatekeeper can help you with this.