Have you talked with your supply chain manager about information security? For many, this conversation never takes place; it is not even an afterthought. One would expect it to be, given the mission-critical information shared with suppliers and third parties. Some of the most high-profile information breaches were traced back to suppliers, Target being one of the most prominent cases. In the case of Target, the data breach occurred through their HVAC supplier, who was the victim of a phishing attack that granted the attackers access to Target’s databases. The end result was the theft of 110 million customer records, 40 million of which included credit card information (Rashid, 2017). Needless to say, this damaged Target’s market standing. To think this happened through a supplier is nerve-wracking, to say the least. So how can you protect yourself from this fate?


It is risky business not to pay attention to information security risks in your supply chain. Thankfully, we’ve put together a quick guide on how you can start today. So let’s get started!

Change Starts at Home

Remember the popular saying, “People who live in glass houses shouldn’t throw stones”? Before engaging suppliers, there needs to be assurance that good information security policies are in practice in your own organization. It is also good to keep up with the latest research from the Institute for Critical Infrastructure Technology and CERT; this will ensure your company policy and practice stay current. Once there is a strong information security practice in your organization, that practice needs to extend to, or integrate with, your suppliers and your suppliers’ suppliers.

Stakeholder Engagement and Onboarding

Ensuring information is secure across your supply chain is not just a technological matter but also one of people and processes. There are a few approaches an organization can take to ensure compliance. One is stakeholder engagement: establishing a common security policy together. This takes a lot of work, but it can be done by spelling out the extensive financial risks of not having an information security policy and practice in place. Use examples such as Target and Home Depot to demonstrate just how damaging a leak can be. Another alternative is to set strict security practice requirements that suppliers must meet before doing business with your organization. Also, in contracts with suppliers, allow for auditing of their information security practices and policies. Combining engagement on the basis of financial risk with a requirement that suppliers align their information security policies with yours before engaging in business limits your exposure to risk.

Establish a Vendor Management Program

The first step, after making sure your own processes are in order, is to establish a vendor management program. So what is this exactly, and why do you need one? A vendor management program is a series of security processes built for accountability and monitoring between your organization and the vendors you use. These programs are established in four steps: definition, specification, controls, and integration.

    1. Definition:
      The definition phase involves identifying the most mission-critical vendors to your organization. These are vendors for whom a breach or relationship issue could have a significant impact on operations and revenues. They are often vendors who handle or have access to intellectual property or customer data in order to complete their work. Once these vendors have been identified, create the next tier of vendors, those who are somewhat impactful to your bottom line. Continue this process of definition based on material impacts to your organization.
    2. Specification:
      The next step is to assign a security liaison to each vendor. This person acts as a go-between for your organization and the vendors they are assigned to. The responsibilities of this liaison are to maintain compliance knowledge, perform audits, facilitate security communications, provide training, track contracts and all documentation, and provide general oversight. This liaison can be a dedicated role or someone in the organization with other responsibilities. This person is critical to the success of a vendor management program.
    3. Controls:
      After a security liaison has been identified for each vendor you’re working with, the next step is the formation of a vendor management policy. Whatever policy is developed should not be viewed as a one-time event. This policy should be reviewed every quarter or six months and updated as needed. The most critical aspect of the policy will be the controls. The controls are what vendors must follow to engage in any sort of business with you. These should at minimum include: the right to audit security controls, a requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach. These controls in the vendor management policy will allow the security liaison to perform their duties and ensure your organization’s information is being handled safely.
    4. Integration:
      With a dedicated liaison and a strong vendor management policy, information about your supply chain should be easier to gather and manage. It is at this point that you want to integrate this information with your organization’s existing information security practices and auditing procedures. Make sure it is not a program that happens on the side; vendor management needs to be an integrated part of information security in your organization.

Let’s look at information security beyond what’s readily within our control and start engaging our partners in the supply chain to ensure that together we can keep information secure. In business, islands simply do not exist; acknowledging that security is a collective effort will protect us all in the long run.

Rashid, F. Y. (2017, May 31). Target’s data breach settlement sets a low bar for industry security standards. CSO Online. Retrieved from http://www.csoonline.com/article/3199064/security/targets-data-breach-settlement-sets-a-low-bar-for-industry-security-standards.html

Shackleford, D. (2015). Combatting Cyber Risks in the Supply Chain. Retrieved from SANS Institute website: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252