Two cyber security experts have suggested some key questions that professionals in procurement and supply chain jobs need to ask of third parties if they are to prevent serious security breaches.
Cyber security executive Jeremy Haas and cyber security analyst Ryan Bergquist cite recent research from the Ponemon Institute showing that 61% of US organisations experienced data breaches due to security weaknesses in third parties.
Only 16% reported that their organisations were ‘highly effective’ in combating this risk.
They recommend that practitioners in supply chain and procurement jobs ask security-critical questions of prospective third-party partners (designated ‘X’ below) before entering into any formal agreements with them.
Key questions include:
- What company systems and data will X have access to? While many third parties will have no need to access sensitive data, others such as an HR provider or a finance system vendor certainly will. These parties require special vetting for data security practices.
- What logging and monitoring activities does X undertake? The volume of logs that today's environments generate is far too large for humans to track unaided. Tools must be used to keep tabs on security events and triage organisational activity records. A vendor needs to be upfront about the tools it uses in this area and show that it prioritises this monitoring.
- How does X handle physical and technical access controls? Companies need to know the actual locations where their prospective third-party partner stores, analyses and transmits data, as well as the extent of physical security at these places. It’s also vital to ask third parties how many people will have access to company data, how frequently permissions are reviewed, and how access is blocked for departing staff.
- How does X patch its systems? Organisations are far more at risk from known vulnerabilities than unknown ones, so robust cyber security patching programmes are essential for third parties.
Data security can no longer be an afterthought for anyone involved in supply chain management.