
On 28 June, teissTalk host Thom Langford was joined by Michael Manrod, CISO, Grand Canyon Education, Inc.; Alan Jenkins, Advisor, Security Architecture; Stuart Leach Technical Director - Cyber Consulting, Grant Thornton UK LLP.
According to panellists at a session at Infosecurity Europe 2022, questionnaires tailored to individual suppliers are useful when onboarding them. They may not be enough by themselves, though, unless complemented by monitoring for abnormal behaviour and automated patching. The question arises why it falls on buyers to fix their suppliers' security when it should be the suppliers' task. But today vendor risk is not just about what data gets leaked through a third party but also about what malicious actors add to the product. On the upside, previous breaches have opened the door to new controls, standards and improvements that everyone has benefited from.

Contractual agreements with third parties often don't cover areas such as what controls the third party should have in place or its obligation to inform partners when a breach has occurred, although, generally speaking, breach reporting and cyber insurance are getting better and better. Asking for a supplier's cyber insurance and the date when it was last renewed, for example, can now give you a good idea of the level of controls your third parties have in place. But insurance companies can also get breached, and the incidents of the last couple of years may have contributed to the increase in cyber incidents.

With some businesses having thousands of suppliers, just getting questionnaires out to them and evaluating what comes back is next to impossible, given that no two suppliers, or the risks they present, are the same. However, as your suppliers run their software in your environment, it's legitimate to ask questions about their CI/CD pipeline, how they release and scan code, whether they have EDR software, etc.
Try to have a broader perspective and think not only of the security of your company but of the wider community. Bear in mind that you are not the only customer your suppliers fill out questionnaires for. The business community needs to join up at least as much as cyber criminals do. Get beyond NDAs. You need to prioritise the suppliers who pose a higher risk to the integrity, confidentiality or availability of your business and identify which 10-50 of them you need to send the long questionnaire to.

Cyber Essentials can be a great tool when deciding how deep you want to go with the assessment of individual suppliers. Cyber Essentials Plus is much more recommended than the basic version, as it considerably raises the bar. But if you don't have a centrally managed estate and your users can update as they wish, it will be hard to monitor your third parties as well. Business Impact Assessments can also be used as questionnaires, as can ISO 27001. But what you need to look out for when it comes to standards is how widely they're applied and whether they cover the entirety of the service you buy. New, more robust versions of 27001 and 27002 are expected to come out this year, which is good news for independent vendor assessment. They will also have a structure more similar to NIST, which will allow a commonality of language.

Given the wide spectrum of risks such as cyber, data, modern slavery, credit, etc., it may be tricky to decide which unit should take the lead: procurement, legal, security or compliance? Supplier risk is a technology/business issue and has to be the responsibility of the security team, which should, however, collaborate closely with procurement. In specific cases where they can't decide, the issue can be escalated to the Chief Risk Officer. The onboarding process can be made much smoother if vendors have a document summarising their product and the standards they comply with.
Security concerns may be rather different in the case of a software developer than a cloud service provider. With software developers, another dilemma is how you enshrine and validate security by design. (Requesting their SOC 2 Type 2 or Type 3 report can be a good start.)
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543