Supply chain: A data-dependent future means knowing your suppliers as well as you know your customers.

News and information from the Advent IM team.

From the Advent IM Head of Client Development, Derek Willins.

Delighting your customers and stakeholders is the foundation of all commerce. But how to do this changes continually. For example, over the last few years, and particularly since Covid struck, ‘digital transformation’ has accelerated amongst most organisations. Digital transformation is about making everything you do quicker or cheaper, and better for customers. This means more dependence on data, its collection, its management, and its security.

Data entanglement with third parties has now become unavoidable as a result of continued digital change. This will not change, ever. Today and tomorrow, data dependency means supplier dependency. This means data protection and business recovery planning are now as important as electricity or innovation. However, recent surveys tell us there is still a way to go. Amongst the many new threats we struggle with is the threat from our own supply chains. It is one of the biggest sources of threat we face, and it’s an area that often gets the least attention.

In a 2021 Ponemon survey*, the majority of organisations view third-party remote access as a potential cyber threat. However, over half of organisations sampled (51%) say they are not assessing the security and privacy practices of third parties before granting them access to sensitive and confidential information! In addition, over half of organisations sampled have experienced a data breach caused by third parties that resulted in misuse of their sensitive or confidential information, either directly or indirectly.

In summary, third parties are a known risk, but not nearly enough is done to reduce this risk. Some of the reasons given in the Ponemon survey for not doing enough include: “Don’t have enough resources to check them” (56%), “Confident in supplier ability” (48%), “We have insurance for breach” (52%), and “We have contractual terms” (59%). These are not reasons to be cheerful.

So, what can be done? Here is a shortlist of basic activities that should not take up a huge amount of resource.

  • Appoint one person to be responsible for third-party access risk.
  • Create a list of all suppliers and third parties with privileged access to your network and a process for managing additions and deletions.
  • Review privileged access tools and processes, and ensure they are fit for purpose.
  • Create a monitoring tool to continually measure which third parties are accessing what and for how long. Rank them all by levels of risk.
  • Audit and review the security and privacy practices of the highest risk third parties. Over time, extend this to all of them with privileged access.
  • Use an independent specialist firm to do the audits and reviews; this avoids relationship and trust issues.
  • Engage regularly with third parties on changes as the environment changes.


Advent IM has a great deal of experience helping organisations minimise their third-party risk. It does not have to be a resource-hungry process and, done well, it will make a big contribution to the reduction of your enterprise risk.


*2021 Ponemon Institute Survey; “A crisis in third-party remote access security”.
