Why High-Reliability Organizations Evaluate the Threat Potential of Suppliers

Cyber attackers have become proficient at penetrating a business's security protocols by abusing key suppliers whose own security practices are not as good.

by Hakon Olsen
May. 02, 17 · Security Zone · Opinion

Cyber attacks tend to penetrate the attack surface using one of just a few initial attack vectors:

  • Phishing e-mails (80%).
  • Abuse of trust relationships.
  • Web application session hijacking.

Sometimes the easiest way into a large and well-protected organization is through compromising a trusted third party, such as a key supplier with less secure practices. If you are really good at security awareness, application security, and network segregation, it may be easier for an attacker to exploit your trust in a supplier instead. How do best-in-class organizations deal with this type of risk?


Your internal security practices may be good – but how does that help if an attacker can abuse a trusted supplier with a smaller degree of organizational hardening to gain access to your systems? Supplier qualification is a key risk management activity – also in the cybersecurity domain.

Qualify Your Suppliers

Every professional procurement organization already does supplier qualification. They tend to ask for ISO 9001 certification (quality management), they do credit and financial solidity checks (you don’t want your supplier to go bankrupt before delivering the crucial goods), and so on. The most security-aware organizations include security-related checks in this process. A quick informal survey on Twitter shows that most people don’t do this (and the result is quite biased – most of the respondents here are IT pros, not “normal people”). A whopping 44% say that they don’t have any process for evaluating the security implications of their supplier selection!

Håkon Olsen (@sjefersuper), 3:17 AM - 20 Apr 2017:
"What is your current process for evaluating the security implications when selecting a supplier to your firm? #infosec #supplychainrisk"

Factors to Consider

There are many ways to qualify a supplier. You might want to do a full due-diligence audit, require ISO 27001 certification, and so on – but then it will most likely be very hard to procure goods, as most suppliers don’t have such mature processes in place – unless you deal in very special markets. So what should you look at at the initial stage? Here’s a quick list of some important factors:

  • The business sector(s) the supplier is active in. The sector may be of interest to some actors, and less so to others.
  • The size of the firm. Medium-sized businesses tend to be the ones most often targeted by cyber attacks. Smaller businesses are targeted to a lesser degree, but they often have very weak controls. Large enterprises are less attractive targets because they typically have better controls.
  • Political risk: is the company heavily involved in business relationships in regions with high political risk? Studies indicate that companies in countries with a higher degree of political risk are attacked more frequently than those in more politically stable regions.

Creating criteria based on these factors should give you some relevant hooks to use for supplier qualification. Depending on the nature of the procurement, you may choose to disqualify a supplier, to introduce more controls in the contract if the risk is perceived as higher, or to do a more in-depth review before making a decision (such as asking to review their policies, etc.).

The outcomes of doing this in a reasonable manner are:

  • Better risk management for your firm – reduced likelihood of being stung by the third-party bee
  • Driving security culture at your own firm, tying security practices to business workflows in an obvious way, thereby making benefits less mysterious
  • Helping suppliers become more security-aware and resilient – thereby creating shared goodwill that will strengthen the supplier relationships

Published at DZone with permission of Hakon Olsen, DZone MVB. See the original article here.
