3 Ways to Prevent Vendor Cyber Attacks
10:40
If your vendors get hacked, you’re in trouble.
If your vendor’s vendor gets hacked - you’re still in trouble.
Cyber security across your supply chain should be a priority. Cyber security protects internet-connected systems such as hardware, software and data, from cyber attacks. It involves preventing unauthorised access, destruction, or manipulation of computer systems and networks.
Sounds critical. And it truly is.
Experian recently reported that total cyber security breaches by section were:
- 38% in Healthcare
- 21% in Financial Services
- 16% in the Public Sector
The recent cyber attacks on Santander and the NHS reinforce this trend of vulnerabilities within major institutions.
And it makes me wonder how many organisations genuinely know what is happening across their supply chain.
That worries me.
vendor Cyber attacks in regulated businesses
Santander, a global banking giant, recently issued a breach notification following a supply chain attack. The attackers, known as Shiny Hunters, stole data from Santander’s banks in Chile, Spain, and Uruguay and are holding the data ransom to $2 million.
This unauthorised third party accessed a database containing:
- Personal information of 30 million customers and employees
- 28 million credit card numbers
- 6 million account numbers and balances
The UK’s National Health Service (NHS) trust faced a similar crisis when Synnovis, a provider of lab services, was hit with a ransomware attack. This incident affected seven hospitals as their IT systems became unusable.
As a result, multiple hospitals had to cancel operations and blood transfusions and some appointments needed to be redirected to other providers.
Cyber attacks on businesses like Santander and the NHS can have dire consequences for ordinary people. Compromised financial data can lead to identity theft and financial ruin, while attacks on healthcare systems can disrupt medical procedures and put lives at risk. These breaches threaten personal welfare while eroding customer trust in essential services.
The risks of poor Vendor cyberSecurity
Healthcare, Financial Services and other regulated industries handle vast amounts of sensitive data and operate under complex legal frameworks.
As well as breaches and operational disruption, poor levels of cybersecurity throughout your supply chain can also lead to:
- Financial Losses: Direct costs from ransom payments, recovery efforts, and regulatory fines. The average cost of a data breach globally was $4.45 million in 2023.
- Reputational Damage: Erosion of customer confidence, affecting long-term business prospects.
- Legal Consequences: Increased scrutiny, audits and potential lawsuits from regulatory bodies and affected parties.
- Non-compliance with evolving regulation:
Yet, procurement teams are still struggling to manage their vendor's cyber security, with 98% of companies having had one of their vendors breached in the last two years, according to a report by Security Scorecard and the Cyentia Institute.
The cost of poor compliance and control of your vendors’ cyber security could break your business. But I've got you covered here with three ways to assess their security and mitigate potential risks.
3 easy ways to assess your Vendor Cyber Security
I used to oversee hundreds of vendors and their contracts for a London-based FinTech. We prioritised cybersecurity and broader risk reviews of every vendor.Our most strategic vendors were given priority based on our vendor segmentation model and cross-team collaboration. But I know this isn’t the story everywhere.
These steps are best used in your business with a joined-up approach from Procurement, Legal, Risk, InfoSec and IT. (Or some combination of individuals experienced in these areas if you don’t yet have dedicated team members.)
1. Market IQ Cyber Assessments and Mitigation Workflows
Market IQ Cyber, powered by SecurityScorecard, is designed to address your third-party risk management requirements and fortify your defences against cyber attacks.
It makes your business more resilient by automatically alerting you to changes in your vendor's profile, allowing you to identify and mitigate cybersecurity vulnerabilities.
This is how it works.
Each vendor you assess with Market IQ Cyber is assigned a grade between A-F. "A" means the vendor is in good shape.
Behind each grade is a scoring system.
Behind the scores is a weighting aligned to a specific risk factor.
If you’ve got a vendor that scores 100, no cyber security issues were detected.
I particularly like the historical performance that provides an insight into how they’ve treated cyber over a more extended period.
But what happens if a vendor’s cyber score declines?
This lower score triggers a Best Practice Cyber Risk Mitigation Workflow (Market IQ Escalation) in Gatekeeper's Workflow Engine, prompting the business to send questionnaires to the vendor about their cyber status.
You can then assess the responses from the vendor whilst also reviewing more details with your SecurityScorecard account.
I’d also suggest you catalogue any risks in the Gatekeeper Risk Register.
If the cyber risk is no longer a concern, you can move the card through to completion without further action. If this vendor is of concern, that’s when you can further manage their performance and even ensure that the vendor’s RAG status is marked as Red on their vendor record.
All of this gives you the following:
- Visibility as to your vendors’ cyber health
- Automated mitigation measures
- Evidence that you're assessing your vendors’ cyber health which can be given to any data subjects, auditors and/or investors.
2. Security Assessment and Certification
Look for certifications such as ISO 27001, SOC 2 and PCI DSS (depending on your industry). These certifications are a good indication that the vendor has the required security posture and processes in place to protect your data.
I recommend asking your vendors if they have completed any third-party security assessments or have additional certifications such as ISO 27002 or NIST 800-53.
By assessing a vendor’s cyber security posture, you can ensure that the vendor you are working with is taking the necessary steps to protect your data. If you're operating in Europe, this will become even more crucial with the upcoming Digital and Operational Resilience Act.
We must go beyond the certificates and understand:
- The vendor’s policies and processes around cybersecurity
- Their incident response plans, data backups, and regular security audits
- If they have participated in any vulnerability assessments or penetration tests
You can always ensure a penetration test is carried out before you engage the vendor for added protection.
3. Due Diligence Questions on Cyber Security
I’ve always been a fan of sending out carefully selected questionnaires that require the vendor to provide assurances. The answers to these questions - combined with Market IQ Cyber and the vendor’s certifications - should give you a good reading about their cyber security stance.
You can mandate these questions as part of vendor onboarding or ongoing due diligence.
| Questions | Objectives |
|---|---|
| Have you implemented appropriate information security policies which have been approved, published, and communicated to your employees and relevant external parties? | This question seeks to understand your vendor’s policies. You could then review each individually or hand-pick specific policies to focus on. |
| What are your security policies and processes related to remote access? How often do you check employee knowledge and awareness of your policies? | What is the approach to employees, vendors, contractors etc., accessing parts of your business online from anywhere in the world? |
| Can you explain how your software can produce reports of all registered users, including their location, log-in history, password expirations, and any changes they make to customer data? | Most organisations must comply with regulations requiring them to understand how their employees use customer data. You need to ensure that your employees, when using any new software platform, are doing so compliantly e.g. they aren’t changing or moving customer data from the platform (except for reports). |
I’ve included a list of additional questions you could ask to inspire you when creating your own due diligence questions.
- Does the vendor have a dedicated cybersecurity team and/or a Chief Information Security Officer?
- Does the vendor have a written cybersecurity policy that is regularly updated and reviewed?
- Does the vendor have a response plan in place in the event of a breach?
- Does the vendor regularly conduct security audits and vulnerability assessments?
- Does the vendor have a backup plan in case of a system outage or data loss?
- Does the vendor have a data protection strategy in place?
- Does the vendor use encryption to protect data in transit and at rest?
- Does the vendor have a policy for monitoring and managing user access?
- Does the vendor have a patch management system to ensure the software is up to date?
- Does the vendor have a policy in place for securely disposing of data?
- Does the vendor have a policy in place for securely storing data?
You can build each of these questions into Gatekeeper and automate follow-up questions depending on the responses you receive.
We have a form feature that allows you to build out questions, and you’ll have an audit log of the activities around these questions.
This would include a visual that they’ve been submitted, reviewed and approved in Gatekeeper.
I’m telling you that this is an auditor’s, customer’s and investor’s dream.
Wrap Up
By using Gatekeeper, you can assess your vendors' cyber security, evaluate their security policies, conduct a risk assessment, and verify their compliance with industry standards.
By doing this you’re going to reduce the likelihood of a vendor being hacked, be alerted to any cyber issues in your vendor base and mitigate the impact of a breach.
If you want to take your due diligence approach to a new level, let’s set up a meeting to discuss how Gatekeeper can help you with this.
-3.png)
.png)
.png)
.png)