Watching the flanks: Suppliers and cyber security

In today’s technological world, cyber security is a paramount concern for every organization, whatever its size, industry or purpose. Every single day, companies receive millions of cyber attacks, ranging from simple denial-of-service attempts to full penetrations of their systems and applications. These cause technical, financial, reputational and even legal damage. Therefore, organizations spend large amounts of money to shield their systems. But no matter how strong and secure a cyber security framework is, weak links probably remain. They are the other entities with which the organization interconnects. And most probably, they are its suppliers.

In the course of a relationship with a supplier, it is highly probable that an organization gives the supplier access to its own systems. That is especially relevant when IT services are subcontracted. Those resources often arrive with their own devices, so the networks and systems of both enterprises end up sharing a connection. If the supplier’s IT resources are tainted with some kind of malicious software, there is a great chance that the buying organization’s own systems get compromised.

So how can a buying enterprise avoid this possible pitfall? Some measures could be:

  • Assess whether there is a real need to give the supplier access to the organization’s own systems.
  • If there is a business need, then review which subsystems / applications the supplier may access. No blanket access.
  • Establish policies and processes regarding network / system access by 3rd parties.
  • Review any device that the supplier’s personnel use to get into the organization.
  • Establish an IS audit framework for suppliers, in order to review their own policies and processes.
  • Educate the human resources of both organizations, to avoid breaches due to social engineering attacks.
  • Have a communication process in place so that the supplier reports any breach in its systems, and also any change in the personnel who access the buyer’s systems.
  • Close all access to systems and applications at the end of the business relationship.
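Several of the measures above (no blanket access, access limited to approved subsystems, reviewed devices, and closing access when the relationship ends) can be checked mechanically against a register of third-party accounts. The following Python script is an added example and is not part of the original post; the register format, the per-supplier approved-scope table and the sample rows are constructed assumptions for illustration. It flags accounts that are scoped with a wildcard, that reach subsystems outside what the supplier was approved for, whose access outlives the contract, that are still enabled after the contract ended, or that come from an unreviewed device.

```python
import csv
import io
from datetime import date

# Constructed sample register of supplier accounts (not real data).
# Columns: supplier, account, contract_end, access_expiry,
#          scope (';'-separated subsystems or '*'), device_reviewed, enabled
SAMPLE_REGISTER = """supplier,account,contract_end,access_expiry,scope,device_reviewed,enabled
AcmeIT,acme-svc-01,2025-12-31,2025-12-31,ticketing;monitoring,yes,yes
AcmeIT,acme-admin,2025-12-31,2026-06-30,*,no,yes
BetaNet,beta-net-ops,2024-03-31,2024-03-31,network-mgmt,yes,yes
BetaNet,beta-dev-02,2024-03-31,2024-03-31,ticketing,yes,no
"""

# Constructed assumption: subsystems each supplier is approved to reach
# under its contract (the "business need" review from the list above).
APPROVED_SCOPE = {
    "AcmeIT": {"ticketing", "monitoring"},
    "BetaNet": {"network-mgmt"},
}


def parse_register(text):
    """Parse the CSV register into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_account(row, today):
    """Return the list of policy findings for one supplier account."""
    findings = []
    scope = set(row["scope"].split(";")) if row["scope"] else set()

    # Rule 1: no blanket access.
    if "*" in scope:
        findings.append("blanket access")
    else:
        # Rule 2: scope must stay within what the supplier was approved for.
        allowed = APPROVED_SCOPE.get(row["supplier"], set())
        extra = scope - allowed
        if extra:
            findings.append(f"unapproved scope: {sorted(extra)}")

    contract_end = date.fromisoformat(row["contract_end"])
    access_expiry = date.fromisoformat(row["access_expiry"])

    # Rule 3: credentials must not be valid beyond the end of the relationship.
    if access_expiry > contract_end:
        findings.append("access outlives contract")

    # Rule 4: once the contract has ended the account must be disabled.
    if today > contract_end and row["enabled"] == "yes":
        findings.append("enabled after contract end")

    # Rule 5: the device used to reach the organization must have been reviewed.
    if row["device_reviewed"] != "yes":
        findings.append("device not reviewed")

    return findings


def audit(text, today_iso):
    """Audit the register; return {account: findings} for accounts with findings."""
    today = date.fromisoformat(today_iso)
    results = {}
    for row in parse_register(text):
        findings = check_account(row, today)
        if findings:
            results[row["account"]] = findings
    return results


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_REGISTER, "2025-06-01").items():
        print(f"{account}: {', '.join(findings)}")
```

Run against the constructed register with an audit date of 2025-06-01, the clean service account produces no findings, the wildcard admin account is flagged three times, the BetaNet operations account is flagged because it is still enabled after the contract ended, and the disabled BetaNet developer account is flagged only for reaching a subsystem that supplier was never approved for. In practice the register would be exported from the identity provider and the approved-scope table maintained by procurement.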

Of course, perfect cyber security doesn’t exist. But putting the topic on the table gives the buying enterprise a clear advantage over any cyber aggressor. Therefore, it is paramount that the organization’s key stakeholders, especially the procurement organization or the external advisor, know what the dangers are: the damages and costs mentioned above. That way they can work with other internal organizations to build strong defenses against any intrusion.


Note – disclaimer: This post constitutes the doctrinal / personal opinion of the author. It does not constitute legal, commercial, financial and / or any other professional advice.
