In 2013, Target was the victim of a highly publicized data breach. Over the course of about 19 days, 40 million debit and credit card accounts were exposed. One of the most interesting details that came to light was how the attackers got in: not by breaking Target's perimeter directly, but by using network credentials belonging to Target's HVAC vendor, a supplier Target trusted.
Your vendors are a greater security risk than you probably realize. According to one survey:
- 69 percent of businesses say they definitely or possibly suffered a security breach resulting from vendor access within the last year.
- The number of breaches attributed to vendors has increased by 22 percent since 2015.
- About two-thirds of companies don’t even know how many vendors are accessing their systems.
How do you know if your supply chain is secure? Let’s take an honest look at what you need to do to assess and identify high-risk vendors.
PCI Compliance Isn’t Security
There’s a myth out there that is putting companies at risk of a security breach: “Our vendor is PCI compliant, and that means they’re safe to deal with.” If a vendor declares themselves to be PCI compliant, what does that really mean?
I’ve seen vendors claim they’re PCI compliant simply because they outsource parts of their cardholder data handling to someone else. I’ve also seen large international suppliers provide Attestations of Compliance (AOCs) for a service that had nothing to do with the service they were actually providing to the client.
Neither is an acceptable justification. When the security of your sensitive data is at stake, a vendor’s signature on its own AOC is not enough to conclude that everything is in order; you need to know what was assessed, by whom, and whether it covers the service you are buying.
What’s even scarier is this: if your supplier screws up, you’re the one holding the bag. Few people remember the name of Target’s HVAC vendor, but the whole world knows that it was Target whose data was breached. You can take your supplier to court and sue them, but you’re still the one who gets the black eye in the marketplace.
Assess Your Vendor Security
PCI DSS (Requirement 12.8) requires you to manage the service providers involved in any of your sensitive operations, including those with whom cardholder data is shared or who could affect its security. You need to identify who they are, what they’re doing, and what their roles and responsibilities are. It even comes down to the janitor, because he or she has physical access to your facility and could be physically exposed to sensitive data.
How do you make sure you’ve got the security you need from your supply chain? Start by implementing a program for validating supply chain security. Here’s how.
1) List your current vendors
It’s important to take inventory of all your suppliers, and to be sure no one slips through the cracks. Start with your accounting department to seed the initial list, then validate with your various internal departments to ensure the list is complete. Develop an exhaustive list and include the following information:
- Contact information
- Services they provide
- Security and compliance certifications
- Third-party audit results (including services audited)
Map vendor services against your in-scope compliance standard to develop a responsibility matrix. This matrix should clearly call out who is responsible for what. Also ensure that you have their contractual language and agreements. Validate that they include appropriate provisions, based on the security standards your organization is subject to, and based on vendor responsibilities.
2) Ensure vendors conduct their own security and compliance reviews
Every vendor in your supply chain should be certified against a standard appropriate to the service it provides and the data it touches. Ideally, that confirmation should come from a qualified third party. Just because a vendor says they’re compliant, that doesn’t mean they really are.
Now this is going to sound strange, but you need to actually read the vendor’s security and compliance attestations. I can’t tell you how many companies have a process of requesting documentation — then upon receipt and without review, they check the box and call it done. It’s very important to read the security and compliance reporting so you can understand what scope was included and which service offerings are covered. You may be surprised.
If they aren’t certified at all, or aren’t validated by an appropriate third party, you’ll need to dig down a bit more. Make sure your vendors have written information security policies in place. Interview them and, if possible, get into a greater level of depth with them surrounding their policies and procedures, to confirm they are adequate and being followed.
3) Assign a security rating to each vendor
Using what you collected in the first two steps (the data and systems each vendor can reach, the services it provides, and what its attestations actually cover), evaluate the level of risk each vendor presents to your company. In some cases, the risk will be too high and you’ll decide not to use that vendor anymore. Other times, you might make the call that their role is minor enough to be an acceptable risk and continue using them.
Assigning a security rating will help clarify what your next priorities are — the areas where you need to find new vendors, and who to monitor most closely.
4) Continuously monitor your vendors
Your initial vendor rating is only a snapshot in time. Monitor your vendors on a regular basis and track their ratings over time. Organizations change, and you need to keep up. If security practices change within a supplier’s organization, you need to know about it so you aren’t caught by surprise. You should have a program in place to revalidate vendors at least annually.
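The four steps above are easy to lose in a spreadsheet that nobody re-reads. The following is an added example, not code from the article or from TCT Portal, showing how the checks from steps 2 through 4 can be made mechanical: does the attestation on file actually cover the service the vendor provides, is it third-party validated, is it older than the revalidation period, and when did we last review it. The field names, the scoring weights, the rating thresholds and the three sample vendors are all assumptions constructed for illustration.

```python
"""Vendor register checks: attestation scope, freshness and a simple risk rating.

Added example, not the article's or TCT Portal's code. The field names, the
scoring weights and the sample vendors below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVALIDATION_PERIOD = timedelta(days=365)   # article: revalidate at least annually
AS_OF = date(2024, 9, 15)                   # assumed "today" for the sample run

# Base exposure by what the vendor can reach (assumed weights).
EXPOSURE = {"cardholder": 3, "internal": 2, "none": 1}


@dataclass
class Vendor:
    name: str
    services_provided: frozenset       # what the vendor actually does for us
    data_access: str                   # "cardholder", "internal" or "none"
    attestation: Optional[str]         # e.g. "PCI DSS AOC", "SOC 2 Type II", or None
    attestation_scope: frozenset       # services the report actually covers
    third_party_assessed: bool         # signed by a QSA/auditor, not self-attested
    attested_on: Optional[date]
    last_reviewed: Optional[date]      # when *we* last read the evidence


def assess(v: Vendor, today: date) -> dict:
    """Return a score, a rating and the findings behind them for one vendor."""
    score = EXPOSURE[v.data_access]
    findings = []

    if v.attestation is None:
        score += 3
        findings.append("no security/compliance attestation on file")
    else:
        if not v.third_party_assessed:
            score += 2
            findings.append(f"{v.attestation} is self-attested, not third-party validated")
        # Step 2: read the scope. A report for a different service does not
        # cover the service this vendor provides to us.
        uncovered = v.services_provided - v.attestation_scope
        if uncovered:
            score += 2
            findings.append(f"{v.attestation} scope omits: {', '.join(sorted(uncovered))}")
        if v.attested_on is None or today - v.attested_on > REVALIDATION_PERIOD:
            score += 1
            findings.append("attestation is older than the revalidation period")

    # Step 4: our own review is a snapshot; it expires too.
    if v.last_reviewed is None or today - v.last_reviewed > REVALIDATION_PERIOD:
        score += 1
        findings.append("our own review is overdue")

    rating = "high" if score >= 6 else "medium" if score >= 4 else "low"
    return {"vendor": v.name, "score": score, "rating": rating, "findings": findings}


def revalidation_queue(vendors, today: date) -> list:
    """Vendors with open findings, highest score first: who to chase and monitor."""
    results = [assess(v, today) for v in vendors]
    return [r for r in sorted(results, key=lambda r: -r["score"]) if r["findings"]]


# Constructed sample register (fictional vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("Acme Payments", frozenset({"payment gateway"}), "cardholder",
           "PCI DSS AOC", frozenset({"payment gateway"}), True,
           date(2024, 3, 1), date(2024, 4, 1)),
    Vendor("Frosty HVAC", frozenset({"building controls"}), "internal",
           None, frozenset(), False, None, None),
    Vendor("GlobalCloud", frozenset({"hosted checkout"}), "cardholder",
           "SOC 2 Type II", frozenset({"object storage"}), True,
           date(2024, 1, 10), date(2024, 1, 10)),
]

if __name__ == "__main__":
    for r in revalidation_queue(SAMPLE_VENDORS, AS_OF):
        print(r["rating"].upper(), r["vendor"], "-", "; ".join(r["findings"]))
```

Run as-is, the script flags the HVAC vendor (remote access to the internal network, nothing on file, never reviewed) as high and the cloud provider as medium because its SOC 2 report covers object storage, not the hosted checkout it actually runs for you; the payment gateway with a current, in-scope, third-party AOC comes out low and is not queued. The weights are deliberately crude; the point is that scope mismatch and staleness become findings a person has to close, rather than a box that gets checked on receipt.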
Streamline Your Vendor Security
TCT Portal makes it easy to reach out to your vendors and request their security and compliance certification paperwork.
If you have your own security survey spreadsheet, TCT Portal lets you automate the communication back and forth. You can use TCT Portal to host your vendor management platform and automate the data collection process, saving you time and increasing accountability.
TCT Portal can also help manage your compliance and automate the matrix of responsibilities by certification type for Service Providers. Service Providers can put a profile of their responsibilities into the TCT Portal, then push it over to any client that uses the Portal. It’s a great way to streamline the provision of your security and compliance matrix to your customers more easily and more efficiently.
Make Supply Chain Security a Priority
Supply chain security isn’t something you can take for granted. Being PCI compliant doesn’t make a vendor safe, and you can’t afford to be hands-off with it.
Develop a plan to review your approach to supply chain security. Set a goal to have your practices in order by the next quarter. Once you’ve really looked into your vendors’ security, you’re sure to have greater peace of mind, and a solid game plan for risk reduction.
Need help automating your supply chain security? We can work with you to figure out where you are, what you need and how to get from Point A to Point Z.