teissTalk host Jenny Radcliffe was joined by Kush M. Sharma, Director, Municipal Modernization & Partnerships, Municipal Information Systems Association, Ontario (MISA Ontario); Garrett S. Smiley, CISO/VP of Information Security, Serco; and Sebastiaan Passtoors, Senior Manager, Business Information Security EMEA, Johnson & Johnson.
Views on news
Threat actors have stolen Social Security numbers, addresses and account numbers of home mortgage holders at KeyBank. The breach was allegedly caused by a third-party vendor, Overby-Seawell. Both KeyBank and Overby-Seawell have been named in a proposed class action lawsuit over the data breach.
We are likely to see more incidents like this while the supply chain remains exposed through third parties. It is yet another case in which an awful lot of time passed between the organisation learning about the breach and informing customers about it.
Offering two years of free Equifax identity protection as compensation is the typical move financial institutions make after a breach, but it is not enough. Stolen Social Security numbers do not expire after two years, so offering free remediation services for the affected customers' lifetime would be more in line with the seriousness of the risk they have been exposed to. What could stop these mega-breaches from happening is defining what due diligence actually consists of and forcing its execution.
Self-attestation, questionnaires, third-party risk tools or close collaboration?
Self-attestation by third-party suppliers has its flaws. However, in the absence of a right for the buyer to go and audit them (right-to-audit clauses are quite rare), it helps hold suppliers accountable for the lack of controls they were contractually obliged to have in place.
For a buyer it is important to define what its critical systems are from a business, an operational and a security perspective. Tools that scan supplier organisations from the outside may report a good posture even while the supplier's internal processes are precarious (a bit like judging how good your car is by looking at the paintjob).
Although audits are largely a thing of the past, collaboration between buyers and their suppliers seems to be replacing them, which can work rather well as businesses increasingly show willingness to improve their posture.
The panel’s advice
Start with the top 10 high-value critical processes. Decisions about which processes these are shouldn't be made by information security alone but should go to the emergency management team (in the public sector) or to the leadership.
In addition to questionnaires, use third-party risk tools that help you assess suppliers' external, internet-facing posture, bearing in mind that an external scan says little about internal controls.
Work closely with legal to win them over to sharing security data between your business and your business partners.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543