3 Ways to Prevent Vendor Cyber Attacks
10:40
This website stores cookies on your computer. These cookies are used to improve your website and to provide more personlised services to you, both on this website and through other media.
To find out more about the cookies we use see our Privacy Policy.
Compliance, Vendor risk, Vendor risk management
Daniel BarnesJun 11, 2024 3:13:00 PM
If your vendors get hacked, you’re in trouble.
If your vendor’s vendor gets hacked - you’re still in trouble.
Cyber security across your supply chain should be a priority. Cyber security protects internet-connected systems such as hardware, software and data, from cyber attacks. It involves preventing unauthorised access, destruction, or manipulation of computer systems and networks.
Sounds critical. And it truly is.
Experian recently reported that total cyber security breaches by section were:
The recent cyber attacks on Santander and the NHS reinforce this trend of vulnerabilities within major institutions.
And it makes me wonder how many organisations genuinely know what is happening across their supply chain.
That worries me.
Santander, a global banking giant, recently issued a breach notification following a supply chain attack. The attackers, known as Shiny Hunters, stole data from Santander’s banks in Chile, Spain, and Uruguay and are holding the data ransom to $2 million.
This unauthorised third party accessed a database containing:
The UK’s National Health Service (NHS) trust faced a similar crisis when Synnovis, a provider of lab services, was hit with a ransomware attack. This incident affected seven hospitals as their IT systems became unusable.
As a result, multiple hospitals had to cancel operations and blood transfusions and some appointments needed to be redirected to other providers.
Cyber attacks on businesses like Santander and the NHS can have dire consequences for ordinary people. Compromised financial data can lead to identity theft and financial ruin, while attacks on healthcare systems can disrupt medical procedures and put lives at risk. These breaches threaten personal welfare while eroding customer trust in essential services.
Healthcare, Financial Services and other regulated industries handle vast amounts of sensitive data and operate under complex legal frameworks.
As well as breaches and operational disruption, poor levels of cybersecurity throughout your supply chain can also lead to:
Yet, procurement teams are still struggling to manage their vendor's cyber security, with 98% of companies having had one of their vendors breached in the last two years, according to a report by Security Scorecard and the Cyentia Institute.
The cost of poor compliance and control of your vendors’ cyber security could break your business. But I've got you covered here with three ways to assess their security and mitigate potential risks.
I used to oversee hundreds of vendors and their contracts for a London-based FinTech. We prioritised cybersecurity and broader risk reviews of every vendor.Our most strategic vendors were given priority based on our vendor segmentation model and cross-team collaboration. But I know this isn’t the story everywhere.
These steps are best used in your business with a joined-up approach from Procurement, Legal, Risk, InfoSec and IT. (Or some combination of individuals experienced in these areas if you don’t yet have dedicated team members.)
Market IQ Cyber, powered by SecurityScorecard, is designed to address your third-party risk management requirements and fortify your defences against cyber attacks.
It makes your business more resilient by automatically alerting you to changes in your vendor's profile, allowing you to identify and mitigate cybersecurity vulnerabilities.
This is how it works.
Each vendor you assess with Market IQ Cyber is assigned a grade between A-F. "A" means the vendor is in good shape.
Behind each grade is a scoring system.
SecurityScoreCard Grades and Scores
Behind the scores is a weighting aligned to a specific risk factor.
SecurityScoreCard Risks
If you’ve got a vendor that scores 100, no cyber security issues were detected.
I particularly like the historical performance that provides an insight into how they’ve treated cyber over a more extended period.
But what happens if a vendor’s cyber score declines?
This lower score triggers a Best Practice Cyber Risk Mitigation Workflow (Market IQ Escalation) in Gatekeeper's Workflow Engine, prompting the business to send questionnaires to the vendor about their cyber status.
You can then assess the responses from the vendor whilst also reviewing more details with your SecurityScorecard account.
I’d also suggest you catalogue any risks in the Gatekeeper Risk Register.
If the cyber risk is no longer a concern, you can move the card through to completion without further action. If this vendor is of concern, that’s when you can further manage their performance and even ensure that the vendor’s RAG status is marked as Red on their vendor record.
All of this gives you the following:
Look for certifications such as ISO 27001, SOC 2 and PCI DSS (depending on your industry). These certifications are a good indication that the vendor has the required security posture and processes in place to protect your data.
I recommend asking your vendors if they have completed any third-party security assessments or have additional certifications such as ISO 27002 or NIST 800-53.
By assessing a vendor’s cyber security posture, you can ensure that the vendor you are working with is taking the necessary steps to protect your data. If you're operating in Europe, this will become even more crucial with the upcoming Digital and Operational Resilience Act.
We must go beyond the certificates and understand:
You can always ensure a penetration test is carried out before you engage the vendor for added protection.
I’ve always been a fan of sending out carefully selected questionnaires that require the vendor to provide assurances. The answers to these questions - combined with Market IQ Cyber and the vendor’s certifications - should give you a good reading about their cyber security stance.
You can mandate these questions as part of vendor onboarding or ongoing due diligence.
Questions | Objectives |
---|---|
Have you implemented appropriate information security policies which have been approved, published, and communicated to your employees and relevant external parties? | This question seeks to understand your vendor’s policies. You could then review each individually or hand-pick specific policies to focus on. |
What are your security policies and processes related to remote access? How often do you check employee knowledge and awareness of your policies? | What is the approach to employees, vendors, contractors etc., accessing parts of your business online from anywhere in the world? |
Can you explain how your software can produce reports of all registered users, including their location, log-in history, password expirations, and any changes they make to customer data? | Most organisations must comply with regulations requiring them to understand how their employees use customer data. You need to ensure that your employees, when using any new software platform, are doing so compliantly e.g. they aren’t changing or moving customer data from the platform (except for reports). |
I’ve included a list of additional questions you could ask to inspire you when creating your own due diligence questions.
You can build each of these questions into Gatekeeper and automate follow-up questions depending on the responses you receive.
We have a form feature that allows you to build out questions, and you’ll have an audit log of the activities around these questions.
This would include a visual that they’ve been submitted, reviewed and approved in Gatekeeper.
I’m telling you that this is an auditor’s, customer’s and investor’s dream.
By using Gatekeeper, you can assess your vendors' cyber security, evaluate their security policies, conduct a risk assessment, and verify their compliance with industry standards.
By doing this you’re going to reduce the likelihood of a vendor being hacked, be alerted to any cyber issues in your vendor base and mitigate the impact of a breach.
If you want to take your due diligence approach to a new level, let’s set up a meeting to discuss how Gatekeeper can help you with this.
Daniel Barnes is a seasoned Procurement and Contract Management Leader, with a Masters in Commercial Law from the University of Southampton. He’s on a mission to transition the sector from manual, spreadsheet-driven processes to efficient, automated operations. Daniel hosts the Procurement Reimagined Podcast, exploring innovative strategies to modernise procurement and contract management, striving for a more streamlined and value-driven industry.
Sign up today to receive the latest GateKeeper content in your inbox.
Copyright © 2015 - 2025. Gatekeeper™ is a registered trademark.
Before Gatekeeper, our contracts
Anastasiia Sergeeva, Legal Operations Manager, BlaBlaCar
were everywhere and nowhere.
Gatekeeper is that friendly tap on the shoulder,
Donna Roccoforte, Paralegal, Hakkasan Group
to remind me what needs our attention.
Great System. Vetted over 25 other systems
Randall S. Wood, Associate Corporate Counsel, Cricut
and Gatekeeper rose to the top.
Thank you for requesting your demo.
Next Step - Book a Call
Please book a convenient time for a quick call to discuss your requirements.