
What to Know About Suppliers, Due Diligence and Cybersecurity

Supply chain executives operate in a risky business where cybersecurity threats are a daily reality.

In its State of Cyber Security in the Supply Chain report, supply chain risk management platform Risk Ledger revealed that third-party suppliers must rectify their blind spots if they want to mitigate losses from a potential cyberattack.

As many as 25 percent of more than 2,500 suppliers surveyed say they don’t conduct an annual independent information security review and act upon the findings, according to the report.

Twenty-three percent of suppliers don’t have formal agreements in place with their own suppliers that have appropriate security clauses, including a right to audit and mandatory adherence to security policies—therefore putting their own and their customers’ data at risk. And 19 percent lack a formal policy for remote working that includes security.

The report also found that 40 percent of suppliers do not conduct regular penetration tests of internal systems to get a sense of how vulnerable they are to cyberattacks.

Supply chains are inherently vulnerable from a security perspective. Understanding the most common weaknesses gives chief information security officers (CISOs) a concrete list of controls to focus on when reevaluating their own suppliers' ability to handle security concerns.

“Companies rarely run security assurance against more than 10 percent of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent,” said Haydn Brooks, CEO of Risk Ledger, in a statement. “To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focused.”


Some of the areas that need fixing are straightforward. For example, 20 percent of suppliers don’t use a password manager, which makes it more likely that employees will create weak passwords or reuse the same password across services, making them easy to guess or to replay once one service is breached.

Another 17 percent of suppliers fail to enforce multi-factor authentication (MFA) on remotely accessible services. MFA is simple to turn on, but it adds user friction, which is why many products ship with it as an optional setting that must be intentionally enabled and enforced rather than on by default. The result is that MFA is often left disabled, and a single stolen, phished or reused password is enough to gain unauthorized access to the account.

The report is based on proprietary data from more than 2,500 suppliers that have shared information on their risk posture against over 200 cybersecurity controls with their customers on the Risk Ledger platform.

On the positive side, most organizations on Risk Ledger (86 percent) say they ensure that all of their third-party partners with access to personal data have a formal agreement in place that covers all the requirements of relevant data protection regulations.

Those agreements will typically include the responsibilities of each party relating to the services being delivered, as well as instructions for data processing and requirements for security.

Additionally, they would have definitions that make it clear who is the data processor and who is the data controller.

There are also usually clauses within the agreements that cover the use of subcontractors or international data transferring, and any other specific legal clauses required by local data protection legislation.

While formal agreements are vital to give a company the right of recourse if their data were stolen or misused as a result of a breach further down the supply chain, businesses must spend just as much time learning about a potential supplier’s security competencies.

Nearly one-third of suppliers (32 percent) do not have their own supplier security policy, meaning they have not set out any expectations as to the minimum level of security controls their suppliers should have in place.

That can leave room for ambiguity, with a supplier possibly deeming its protection sufficient when in fact it is inadequate for the service it is providing to a brand, therefore putting its partner at significant risk. This is likely to be the case for the 21 percent of suppliers that aren’t conducting security due diligence on their own suppliers, according to Risk Ledger.

At the same time, more than one-third of suppliers (36 percent) on Risk Ledger do not conduct business impact assessments on their vendors to understand the true impact on their business if one of them were to suffer a disruption or security breach. Without a business impact assessment, suppliers have a harder time deciding which risks to prioritize, manage and mitigate.

Another 33 percent also don’t conduct regular assurance activities with their suppliers, the survey says. That means that they are not regularly assessing whether their own suppliers are still providing an adequate level of security. It also means that these organizations, while likely knowing that their suppliers were secure when they were onboarded, can no longer confirm whether they are secure now.

The report recommended brands tackle supply chain security by dividing their suppliers into two separate groups.

The first involves onboarding new suppliers in the future, with Risk Ledger suggesting that businesses build a meaningful connection with the supplier’s security teams so that they can more readily access immediate risk mitigation support when necessary, as well as in situations where an incident occurs.

From there, companies would pivot to their current backlog of existing suppliers, where they should ask the question: “What risks do they pose?” While this process could extend to hundreds or even thousands of existing suppliers, Risk Ledger advises businesses not to let the perceived scale of the task prevent them from making improvements for the future.