Focus on Security: Vetting Your Supply Chain

In business, trends often start at the top. The largest companies are the first to adopt new practices, and once they have been refined and proven effective, the ideas trickle down to smaller organizations. That’s certainly the case with cybersecurity.

Supply chain security

The world’s largest organizations recognized the value of data early, taking steps to secure their systems and information. Those same companies have been the first to explore risk in their supply chains, asking subcontractors and suppliers to prove that they meet cybersecurity standards. There’s no need to wait on this one—it’s a practice every company should adopt now.

Understanding the industry push for security can be the why for vetting your supply chain, while simple guidelines provide the how.

The Drive for Cybersecurity

The federal government has launched wide-reaching initiatives to protect the country’s critical infrastructure. One program, called the Cybersecurity Maturity Model Certification (CMMC), requires Department of Defense contractors to prove they meet national standards, while others require contractors to prove that specific security practices are in use.

What do federal contractor requirements have to do with you? Remember the trickle-down effect. As the nation’s top contractors secure their supply chains, they are looking to thousands of subcontractors, vendors, and suppliers to prove their compliance, too. And those companies will need to secure their supply chains. The result is that millions of U.S. businesses will be asked to provide proof of their cybersecurity – as early as this fall.

Trace your connection to one of the 200,000 defense contractors – it’s like playing six degrees of Kevin Bacon. You’re probably linked closer than you imagine!

Risk Spreads

When systems and people connect and share data, they share cyber risk. Cybercriminals prey on the weakest links, often the smallest companies without protection in place, not to steal money or data from them directly, but to gain access to the larger companies they are connected to.

That means change must happen in small businesses, especially those that have delayed implementing basic controls because they are too complex to handle without outside expertise and too expensive to add to the budget.

Vetting is Critical to Business

One day soon, or maybe already, you’ll find that you are being asked about cybersecurity to keep business relationships or to be considered for new work.

A System Security Plan (SSP) catalogs the cyber hygiene processes and controls in place and proves to others that your house is in order.

What about your network or business connections? Securing your supply chain means verifying every company you share data with. Many nonprofits have published vetting questions, but without proof, there can be no trust.

How to Vet Your Vendors

No matter how it’s handled, the vetting process requires your vendors to take responsibility for their security posture. Many companies handle this through:

  • Legal responsibility: This is a paperwork approach in which companies contractually agree to comply with cybersecurity standards and other regulations. It is an easy way to shift responsibility to the vendor should a breach result in financial losses.
  • Third-party validation: Requiring vendors to complete a third-party audit of their systems and processes proves that minimum standards are being met. This is the approach being used for CMMC.
  • System Security Plans and other certifications: Asking vendors to share their System Security Plans or their certification with ISO, SOC, or other audit-based standards requires more effort. The companies involved often must sign a non-disclosure agreement, and a cybersecurity expert or consultant will determine if the plan meets your standards.

Vetting might be complicated. Those with long-standing relationships or specialized suppliers may be reluctant to cut ties over cybersecurity. Some bigger companies may help their suppliers get secure or provide financial incentives to do so. Others are using security vetting to recompete relationships.

Time for Action

The topic of cybersecurity will dominate boardroom and Main Street discussions in the coming year. Every company that wants to continue operating in today’s regulatory climate and stay in favor with clients and customers must establish basic cybersecurity – including a trusted network.

Vetting your supply chain eliminates known risks. It might have started with big business, but it’s been proven a solid best practice for all.
