Before you leave your house, do you check all the locks – doors and windows? Bet you do.
When you audit your organisation’s IT security, do you do the same thing? Bet you don’t.
You may have excellent perimeter defences, strong security policies and thorough security awareness training. You may run mobile device management and configuration change control, and have an IDS. But if you’re not auditing your supply chain, you’ve left the back door unlocked.
Ask yourself: who else has access? To your network; to your data; to your building. Ask them: what are their security policies; how are their staff vetted; who’s in their supply chain? Find out if they hold the relevant ISO certifications (ISO/IEC 27001 for information security management); whether they’re members of the relevant trade association; and whether they have any security-qualified staff.
Check your supplier contracts. Do they have a contractual obligation to protect your systems and data; is there a non-disclosure agreement; are they bound to observe your security policies; and must they notify you if they are breached?
Many of the significant security compromises of the last couple of years have a similar MO. Spear-phish or otherwise compromise a supplier, then use that supplier’s credentials to get into the real victim. The routes have been varied – EPOS system suppliers, HVAC contractors, outsourced IT support. There are many others, too. Remember not only that an email from a supplier carries an implicit level of trust, but also that plenty of suppliers have physical access to your building: cleaners, service engineers, couriers.
If your suppliers aren’t secure, change them. If they sell a commodity, buy it from someone less risky; if your relationship is closer, or they sell something unusual, help them fix their issues. Better to spend a little money securing your supply chain now than a lot shutting the stable door after the horse has been hacked. Just ask Target, whose 2013 breach began with credentials stolen from an HVAC contractor.