Data breaches are cyberattacks that result in the theft of confidential or protected information. In the United States, 61% of these cyber incidents can be attributed to a vendor or other third party, according to a recent study from SecureLink. Phishing, a cybercrime in which the target is typically contacted by email, can be especially effective if the attacker impersonates someone (such as a vendor) that the recipient regularly does business with.
Because of this risk, effective vendor management is about more than just on-time deliveries. The challenge, however, is the inability to look inside a vendor’s organization to determine their level of cybersecurity. For manufacturers that are part of the supply chain for the U.S. Department of Defense, complying with NIST SP 800-171 demonstrates a commitment to following cybersecurity best practices. That’s why the DoD requires compliance both to keep the contracts you have and to bid on new ones.
Some of your vendors may also adhere to NIST SP 800-171, but what if they don’t? How will you identify vulnerable vendors that could pose a risk to your own organization? At a time when many manufacturers are looking for second sources or are interested in reshoring, there are three questions to ask potential new vendors. These same questions are also appropriate for existing vendors whose cybersecurity may be a cause for concern.
Have they been hacked before?
Before signing a contract with a new vendor, determine if they’ve ever had a cyber incident. If a company denies that a documented incident occurred or becomes defensive, that’s a warning sign. If the company readily admits that a data breach happened, determine if they can provide documentation about how the issue was addressed. A vendor that’s been attacked and doesn’t have a plan to prevent similar attacks could pose a significant risk.
Do you see unusual vendor activity on your network?
With help from your IT department, you may see signs that a vendor’s network has been compromised. Examples include large file transfers from the vendor, connections from unexpected IP addresses or domains, unusual or unapproved server access, or logins at unusual hours. Of course, it’s also important to determine whether the behavior is truly suspicious. For example, did members of your accounting department access files on a Sunday night to prepare for a Monday morning meeting with the vendor?
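The checks above, written out as a small triage script: it is an added example, not code from the original post, and it assumes a simple whitespace-separated access log (timestamp, account, source IP, resource, bytes out), a hypothetical per-account baseline of expected networks, resources and working hours, and a list of pre-approved exceptions so that the accounting team's Sunday-night work is not flagged. The sample events are constructed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access events (not real log data).
# Fields: timestamp, account, source IP, resource, bytes transferred out.
SAMPLE_EVENTS = [
    "2021-08-02T10:15:00 vendor_acme 203.0.113.7 /share/invoices 80000",
    "2021-08-02T03:05:00 vendor_acme 198.51.100.9 /eng/drawings 900000000",
    "2021-08-01T22:30:00 acct_jdoe 10.0.5.21 /share/invoices 50000",
]

# Assumed baseline per account: expected networks, approved resources, working hours.
BASELINE = {
    "vendor_acme": {"networks": [ip_network("203.0.113.0/24")],
                    "resources": {"/share/invoices"}, "hours": (8, 18)},
    "acct_jdoe": {"networks": [ip_network("10.0.0.0/8")],
                  "resources": {"/share/invoices"}, "hours": (8, 18)},
}
# (account, date) pairs cleared in advance, e.g. Sunday-night prep for a Monday meeting.
APPROVED_EXCEPTIONS = {("acct_jdoe", "2021-08-01")}
LARGE_TRANSFER_BYTES = 100_000_000

def parse_event(line):
    ts, account, src, resource, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "resource": resource, "bytes": int(nbytes)}

def findings(event):
    """Return the reasons an event needs review; an empty list means none."""
    if (event["account"], event["ts"].date().isoformat()) in APPROVED_EXCEPTIONS:
        return []
    base = BASELINE.get(event["account"])
    if base is None:
        return ["account has no baseline"]
    reasons = []
    start, end = base["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append("off-hours login")
    if not any(event["src"] in net for net in base["networks"]):
        reasons.append("unexpected source address")
    if event["resource"] not in base["resources"]:
        reasons.append("unapproved resource access")
    if event["bytes"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    return reasons

def review_queue(lines):
    """Map each event line that needs review to its reasons, for human triage."""
    return {ln: r for ln in lines if (r := findings(parse_event(ln)))}
```

The output is a queue for a person to confirm, not an automatic verdict; the approved-exceptions list is what keeps legitimate off-hours work from being treated as a compromise.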
Do you have general concerns about the vendor’s security practices?
Vendors with poor security practices may lack formal security policies, records of security audits, and third-party certifications. Companies that ask for shared credentials but that cannot demonstrate strong practices for handling this information are also cause for concern. If a vendor asks your company to use a remote access tool, make sure it aligns with your own security posture. Ensuring that vendors use secure authentication practices when accessing your network is also important.
Cybersecurity and Your Supply Chain
Are you ready to learn more about cybersecurity while you strengthen your supply chain? Join FuzeHub on August 11, 2021, in Syracuse for Strengthening New York’s Industrial Base, our first in-person Manufacturing Forum since the COVID-19 pandemic began. This event runs from 9 AM to 12 PM and now includes a special bonus session about cybersecurity from 12 PM to 1 PM. Registration closes this week, so sign up while there’s still time.