Careful Security | Cybersecurity Risks

Supply chain security

wed their policies and procedures.

 Supply chain security is often overlooked in the wide scope of Cybersecurity, although these are the attacks that commonly make headlines. With companies like Target, Home Depot and the most recent Solar Winds hack all falling victim to supply chain security attacks. It it imperative that modern companies take security measures when dealing with third parties.
Q: What is supply chain security?

A: Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation. Its goal is to identify, analyze and mitigate the risks inherent in working with other organizations as part of a supply chain.

Q: What happened in the solar winds hack?

A:SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months, Reuters first reported in December. Foreign hackers, who some top US officials believe are from Russia, were able to use the hack to spy on private companies like the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department.

Q: What was learned from the Solar Winds attack?

A:The recent solar winds hack has taught us that even if we keep our infrastructure secure, a third party whom we are relying on, can get compromised, and therefore, expose our infrastructure and our sensitive information to unauthorized users. Because of the solar winds hack, which was so pervasive that it even impacted the CIA, or the FBI, and hundreds of companies worldwide. Government is clamping down on the importance of supply chain security.

Q: What does this mean to a business owner?

A: It means business owners are responsible to verify the security controls of all the third parties that you do business with.

Q: What if I am just buying something from a third party?

A: Let’s say you are buying some furniture for your office from a third party, you do not need to validate their security controls, but if there is a third party that is doing some data processing such as hosting a part of your infrastructure or processing customer data or collecting marketing data then yes, you need to validate their security controls.

Q: How do I review vendor security?

A: By asking the vendor some security related questions. Now of course, the vendor can be untruthful and say yes to all the security questions, but then the welder vendor holds himself or herself legally responsible if a breach occurs.

Q: What are some of the security questions I can ask?
 A: You can start by asking “ do you have anti malware controls” “ Do you have monitoring and alerting?” “ Do you have logging and are you preserving your logs? “How are you encrypting your data?”
Q: Can I ask vendors for security certifications?

A: Yes, make sure you are looking for the right ones. For example, if the vendor is ISO 27,001 certified, or sock two certified it is the industry standard. They must maintain this every year.

Q: What are my main responsibilities as a business owner in terms of cyber security?

A: As a business owner, you are responsible for validating your vendors, security controls. You need to review your DSA or data security addendum, this is the contractual agreement that covers you. In the case of a security breach it’s better that these agreements are reviewed by lawyers. The DSA contract ensures that in the case one of your vendors has a security breach they are obligated to notify you within 24 to 72 hours of discovering the incident.

Q: If I get hacked and have to pay a ransom, will cyber security insurance cover it?

A: Not always. In the past two years there has been a spike in ransomware attacks. Cyber insurance companies are now saying they will not pay your claim if you don’t have all these necessary security controls. In order to renew your cyber insurance, you need to have these necessary controls in place.
 Need to schedule a consultation? Contact us today!

These are the rules to avoid chaos in your company.