On 15 June, teissTalk host Kevin Craine was joined by Irene Njoroge, CEO, Gadiness Ltd; Fene Osakwe, Group Head, Digital and Technology Assurance, Wellcome Trust; Mike Seeney, Supply Chain Information Risk Lead, Pinsent Masons.
Views on news
Discord, an American voice, chat and video application popular with gamers, has notified users of a data breach that occurred when a threat actor gained unauthorised access to the support ticket queue of a third-party customer service agent. Breach reports often state only that a customer’s account has been compromised, without specifying where the breach actually happened: on the customer’s side or on the provider’s. In 2023, supply chain attacks have already increased by 742%. Collaboration around cyber threats is very useful; in some arrangements, hundreds of suppliers are kept updated about current attacks.
Shifting from tick-the-box compliance and securing software supply chains
When a breach happens, companies tend to pay no attention to their incident response plans. It is therefore key to ensure that the procedures actually followed are the ones that are documented. Rather than relying only on a contract with Nth-party suppliers, it is better for the two companies’ security people to get on a call and talk the security issues through. If you have a robust, end-to-end third-party management framework, standards will eventually trickle down the chain. But first you need to establish who your critical suppliers are, as you cannot monitor everyone with the same granularity. Even so, automation is key to monitoring because of the enormous amount of data involved. With suppliers in other jurisdictions, you always have to pay special attention to regulatory compliance issues. When onboarding a new supplier, questionnaires still have a role to play: they tell you about organisational changes, acquisitions and so on. In addition to questionnaires, it is very useful to have one-on-one conversations with the software suppliers and to visit their premises. If the contract says that the supplier is responsible for any vulnerabilities in their software, that will exonerate the business if a breach happens through that weakness.
The panel’s advice
For a start, make an accurate inventory of your assets including mobile phones and other devices.
Compliance is a component of your strategy but not strategy in itself.
Screening prior to onboarding has acquired strategic importance.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543