This week, we have a guest post from Jean Paul Koelbl, Principal Consultant at NTT Security.

Attacks via vendors are often the cause of large-scale data theft. In fact, according to our latest Global Threat Intelligence Report (GTIR), business and professional services is the third most attacked sector globally. Similarly, our Risk:Value Report reveals that 26% of business decision makers believe attacks on their suppliers or partners pose a security threat to their organisation over the next 12 months.

These findings perhaps come as no surprise. After all, why attack a target directly if an attacker can access it indirectly through its business partners? It has therefore become essential to understand, monitor and manage the risks with each vendor. 

So what should security teams do? 

First, you should not rely on obtaining a new, colorful tool that uses secret algorithms to calculate any risk value that does not fit into your enterprise risk management. It’s better be analytical. It’s important to answer the following questions: 

  • What are my company’s risk management needs in terms of data processing and vendors? 
  • What security certifications or standards do vendors have to meet today?
  • What are the biggest inherent risks with our vendors?
  • How can the residual risk be assessed and how can this be implemented in our Enterprise Risk Management (ERM)?
  • What are the processes that need to be adapted (vendor onboarding, risk evaluation, risk reporting, audit planning etc)?
  • Who is the process owner and how can I standardize the process?

Some of the questions may be obsolete or need to be reformulated, but the important thing is that your company is responsible for the data. You should therefore create and maintain an inventory of your vendors that includes at least the number of records, data type and data criticality. This is the only way to make an initial classification of which company represents which inherent risk for your company. 

The risk management system now knows the inherent risk, but which measures can be checked quickly and easily in order to keep the vendors' risks within the risk appetite? We recommend asking the service provider for standardized audit results such as Service Organization Control (SOC), ISAE3000, SSAE16 and others. Familiarize yourself with these standards and learn the essence for your company. These contain many details about the service and how it was "safely" implemented. 

However, if the vendor is still in the "red" zone because it does not have an audit report or does not contain enough measures for the inherent risks, an on-site audit is usually the only next step. It is important to measure all vendors regularly using the same method so that the reports are comparable.

It is not enough just to implement another software tool. With regular audits – and risks incorporated into the ERM – only then can you understand exactly which vendors represent which risks.  

DevSecOps in multi-cloud environments sounds like the Pandora's box for any risk manager. But, with a sophisticated supplier risk management strategy, you can help your company become more agile and successful. 

ERM must not stop at your own company, but must be implemented along the entire value chain. Enforce your vendors' standards and measure success regularly. 

NTT Security has extensive experience in rolling out comprehensive vendor risk management programs, audits and certifications. Challenge us, we are happy to support you.