boulaygroup.com

Cybersecurity in the Supply Chain

Physical disruptions to an organization’s supply chain have long been accounted for through metric-heavy risk management policies. A supply chain manager must juggle potential issues such as product defects and shipping logistics, problems that further affect the timeliness of deliverables when sourcing is done at a global scale.

Communication with outside vendors is a critical component of running a lean and efficient supply chain, but it is becoming apparent that those conversations need to cover digital protections in addition to the elements of physical production. A cyber-attack against an affiliated vendor may put your larger organization at risk, depending on the level of access to private data that vendor has been given.

The Bed You Lie In

As the eighth largest retailer in the United States, Target has a supply chain that includes thousands of separate vendor partners providing goods and services for the company. When Target was hacked in 2014, the breach exposed the credit card information and personal data of more than 110 million consumers. Investigators traced the intruder’s credentials back to an HVAC firm in Pennsylvania that had partnered with local Target stores.

One of the emergent responsibilities of corporate business in a shifting technological landscape is due diligence in vendor procurement and compliance with security standards. If a vendor or business partner is entrusted with private data, certain security criteria must be met prior to putting ink on the dotted line.

Vendors, such as software developers, also present significant organizational risk through disruption of a company’s digital supply chain. Technology companies increasingly rely on outsourced software to deliver their own solutions, and a significant amount of faith is placed in the safety of partner technologies to avoid introducing additional vulnerabilities.

Secure the Chain

There is increasing awareness of the importance of investing to prevent third-party risk. Even inactive vendors (organizations with whom business was conducted on a one-time basis, or whose relationship has since been terminated) present risk, because they retain sensitive data beyond project end dates.

Third-party risk management has shifted toward mirroring standards in finance, wherein an outside auditor reviews a vendor’s internal controls and attests that both policies and procedures have been correctly implemented. For many SaaS (Software as a Service) companies, this means obtaining a SOC 1 or SOC 2 report that they can provide to their customers and partners.

Generally accepted compliance standards for technology are in their infancy, and aside from notable exceptions like HIPAA, there are few legal ramifications for skirting them. However, as demand for trustworthy security practices grows, regulatory bodies are likely to conclude that certain legal requirements for technology security are necessary.

If a company commits to managing external partner relationships according to security standards, there is no middle ground in enforcing that policy. Relationships, once properly vetted, should be tended so that standards are maintained and managed. Cyber threats from the supply chain will come through the most vulnerable link, so uniform application of policy in choosing and maintaining vendors is a critical risk management technique.

Technology Risk Consulting

Boulay’s Technology Risk Consulting practice provides the deep understanding needed to meet the technical needs of businesses, whether by providing risk management solutions or audit reports like SOC 1 or SOC 2. As the steady adoption of technology changes the landscape of modern business, Boulay provides the right solution tailored specifically to your enterprise.

Contact a Risk Advisory professional today to better prepare your business to meet current and future needs.