Vendor / Supplier Risk Assessment and the Vulnerabilities They Can Introduce to Your Network
The cybersecurity environment is constantly evolving, and threats grow more complex along with it. Organizations often do not appreciate how quickly these shifts can affect their own exposure.
Ransomware is one example. These attacks have become so common that targeted attack groups (ransomware gangs) now use them as cover for the most serious intrusions against a company or organization.
Consider what your organization stands to gain from cybersecurity audits. Cybersecurity is a complex web of systems and processes that must evolve with the threats facing the organization. Security audits bring knowledge to the forefront and raise awareness of deficiencies in how the network architecture is designed. Typical findings include misplaced firewalls, security software that has not been upgraded, and audit logs that are not being captured and reviewed. The clarity and insight an audit provides may be welcome or unwelcome: if the organization has gone years without a sufficient audit, the first thorough one is likely to expose significant outstanding threats that must be addressed in order of the criticality of the risk involved.
Your supply chain should also be considered. Suppliers provide goods and services and sometimes have access to your network, yet they may not maintain a good security posture themselves. A key example is how Intel had design information stolen through vulnerabilities that stemmed, in essence, from a third party with inadequate security controls around external connections and the transfer of information.
In some organizations, there is little awareness of how often security policies must be understood, reviewed, and enforced. IT departments may lack the tools they need to ensure their systems are secured. Security audits bring this situation to light, and they should absolutely be applied to vendor and supplier risk as well.
Ideally, a risk assessment must focus on identifying weaknesses within the network infrastructure that, if not revealed during the assessment, could allow the network to be compromised without warning. A further benefit of these audits is that the auditors typically have extensive experience with penetration testing. They identify gaps in load balancers and in the firewall endpoints within the DMZ, and they provide guidance on best practices for strengthening company programs and security policies.
These auditors typically have a more precise view of the entire organizational structure, including Bring Your Own Device (BYOD) equipment that may not be an official part of the organization's workflow.
The organization should have an agreed-upon Service Level Agreement (SLA) with the third party performing the services. That SLA should state that the company can, should, and will examine server configurations, conduct penetration testing, and review security event management rule sets.
Additionally, companies should review the data protection and privacy laws that apply to the organization to ensure that Personally Identifiable Information (PII) is kept secure.
A security audit vendor should start with a Security Risk Assessment (SRA) aimed at identifying and fixing the issues. An effective SRA can prevent breaches, reduce the impact of breaches that do occur, and inform the organization of which infrastructure upgrades are necessary. It also positions the company to protect customer data and to be proactive in its approach. The company will, not might, have to handle the most dynamic emerging attacks, and sooner rather than later.
A failed audit of vendor risk is typically one where only the findings deemed acceptable were assessed and relayed back to the company. If this happens, fire your auditing company. A successfully completed audit will typically disclose many deficiencies that an organization may find hard to swallow. Hence, before a security audit begins, the company and the security vendor should mutually agree on time frames or checkpoints at which to discuss the findings detected in each period. This gives the organization time to digest results and make incremental changes, rather than having to absorb everything at the end of the audit process.
President and CEO