Lessons from 'The Iconic': Being Savvy With Your Supply Chain
Recently, online retailer The Iconic suffered a cybersecurity event in which customers' accounts were compromised following a spike in fraudulent login attempts. This got me thinking: businesses are increasingly reliant on a network of suppliers and vendors to meet their operational needs. While these partnerships are a necessity, they also introduce a new set of challenges, particularly in relation to cybersecurity. We recently took a closer look at this as part of our ISO 27001:2022 certification process. The importance of supplier cybersecurity cannot be overstated, and it is not limited to system security; it extends to the culture around cybersecurity and to the nature of the data an organisation is holding. In an attempt to move us all forward, and in the spirit of shared learning, I wanted to pen some of my thoughts on the cyber newsworthy events of late and how they should change our thinking when it comes to choosing our partners in business.
1. What data do they have access to and hold?
Before entering into any partnership, it's essential to gain a comprehensive understanding of the nature and extent of the data the supplier will handle. This can include sensitive customer information, financial records, intellectual property, or any other proprietary data. Identifying the scope of data access allows you to assess the level of risk associated with the collaboration: a supplier that merely processes a transaction and forgets it is a very different proposition from one that retains the data indefinitely.
Ask questions such as:
- What specific data will you be handling?
- Where is the data stored, and who has access to it?
- How is data transmitted between parties?
- How long will the supplier retain the data, and what is their data disposal process?
These details are often (or should I say, should be) advertised in a publicly available Privacy Policy. Let's look at The Iconic. Accounts were taken over through a wave of fraudulent logins, and the damage went well beyond the account itself because customers' credit card details were kept on file: a working login was enough to place falsified orders in the customer's name. There are plenty of third-party payment providers, such as Stripe, that tokenise card data so a supplier or retailer does not need to keep your credit card details in their own systems at all. Even where a saved payment method is wanted for convenience, there are numerous options for re-authenticating it at purchase (re-entering the CVV, for example) so that a stolen password alone cannot spend a customer's money. Needless to say, by understanding these details you gain insight into the potential vulnerabilities and can make a risk-based decision accordingly.
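To make the two halves of that point concrete (a spike of fraudulent logins, and stored payment details turning account takeover into fraudulent orders), here is an added example. It is not code from the original post and has nothing to do with The Iconic's actual systems, logs or data: the log line format, the source IPs, the usernames, the detection thresholds and the set of accounts with a saved card are all constructed for illustration. It flags credential-stuffing behaviour in a small batch of authentication events (one source trying many distinct usernames with a high failure rate) and then applies a checkout rule that forces re-verification of the card for any account that holds a stored payment method and authenticated from a flagged source.

```python
"""Credential-stuffing detection over constructed login events, plus a
checkout step-up rule for accounts with a saved payment method.

Added example only; the log format, thresholds, addresses and accounts
below are assumptions constructed for illustration, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log. Assumed line format:
# "<ISO-8601 UTC time> <RESULT> <username> <source IP>"
SAMPLE_LOG = """\
2024-01-13T02:00:01Z FAIL    user01@example.com 203.0.113.10
2024-01-13T02:00:02Z FAIL    user02@example.com 203.0.113.10
2024-01-13T02:00:02Z FAIL    user03@example.com 203.0.113.10
2024-01-13T02:00:03Z SUCCESS user04@example.com 203.0.113.10
2024-01-13T02:00:04Z FAIL    user05@example.com 203.0.113.10
2024-01-13T02:00:04Z FAIL    user06@example.com 203.0.113.10
2024-01-13T02:00:05Z FAIL    user07@example.com 203.0.113.10
2024-01-13T02:00:06Z FAIL    user08@example.com 203.0.113.10
2024-01-13T02:00:06Z SUCCESS user09@example.com 203.0.113.10
2024-01-13T02:00:07Z FAIL    user10@example.com 203.0.113.10
2024-01-13T02:00:08Z FAIL    user11@example.com 203.0.113.10
2024-01-13T02:00:09Z FAIL    user12@example.com 203.0.113.10
2024-01-13T02:01:10Z FAIL    alice@example.com  198.51.100.7
2024-01-13T02:01:25Z FAIL    alice@example.com  198.51.100.7
2024-01-13T02:01:40Z SUCCESS alice@example.com  198.51.100.7
"""

# Constructed: accounts that hold a saved payment method with the retailer.
SAVED_PAYMENT_METHOD = {"user04@example.com", "alice@example.com"}


def parse_events(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ok": result == "SUCCESS",
            "user": user,
            "ip": ip,
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=10,
                    min_users=8, max_success_rate=0.5):
    """Flag source IPs that, within one sliding window, attempt many distinct
    usernames with a high failure rate. That is the credential-stuffing
    signature: reused passwords sprayed across accounts, most of them wrong.

    Returns {ip: summary} for flagged IPs only. "compromised" lists accounts
    that logged in successfully from a flagged source (takeover candidates).
    Thresholds are assumptions; tune them to your own traffic.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            seen = evs[start:end + 1]
            users = {e["user"] for e in seen}
            successes = [e for e in seen if e["ok"]]
            if (len(seen) >= min_attempts and len(users) >= min_users
                    and len(successes) / len(seen) <= max_success_rate):
                flagged[ip] = {
                    "attempts": len(seen),
                    "users": len(users),
                    "successes": len(successes),
                    "compromised": sorted({e["user"] for e in successes}),
                }
    return flagged


def checkout_requires_step_up(user, ip, flagged, saved=SAVED_PAYMENT_METHOD):
    """Checkout rule: an account with a stored payment method that authenticated
    from a flagged source must re-verify the card (e.g. CVV re-entry) before an
    order is accepted. Without a stored card there is nothing to spend, and a
    login from an unflagged source keeps the normal flow."""
    if user not in saved:
        return False
    hit = flagged.get(ip)
    return bool(hit and user in hit["compromised"])


if __name__ == "__main__":
    result = detect_stuffing(parse_events(SAMPLE_LOG))
    for ip, info in result.items():
        print(ip, info)
    print(checkout_requires_step_up("user04@example.com", "203.0.113.10", result))
```

The legitimate user (three attempts on one account, then success) is never flagged, while the spraying source is flagged once it crosses ten attempts across eight or more distinct accounts. Note that the detector alone does not stop the fraud that made The Iconic newsworthy; it is the combination with the checkout rule, and better still with not holding card numbers in the first place, that removes the payoff.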
2. What security measures are in place?
Understanding the security measures implemented by your suppliers is undeniably important in ensuring the protection of your shared data. The implementation of a cybersecurity framework should encompass various layers of defence to mitigate potential threats effectively.
Key questions to pose:
- What encryption methods are used to protect data in transit and at rest?
- Are regular security audits and assessments conducted?
- How is access to sensitive information controlled and monitored?
- What, if any, known frameworks are you aligning to when it comes to cybersecurity?
By probing into these aspects, you can evaluate the supplier's commitment to cybersecurity and assess their ability to handle potential threats in a proactive manner.
3. Can they demonstrate compliance with industry standards and regulations?
Different industries have specific cybersecurity standards and regulations that businesses must adhere to. Ensuring that your suppliers are compliant with these standards is critical for overall security and legal reasons.
Questions to ask:
- Are you compliant with industry-specific cybersecurity standards?
- How do you stay informed about and adapt to changes in cybersecurity regulations?
- Can you provide evidence of previous compliance audits?
Ensuring that your suppliers meet industry standards not only helps protect your data but also minimises the legal risks associated with non-compliance. I am going to be honest here: I get really excited when a prospect asks me about what we do on the security front. Not because we are infallible (if the last two years have taught us anything, it is that none of us are!), but because it means they value what we value: the security of their information and systems.
4. Cyberculture – do they even know what that word means? How do they train and educate their staff on cybersecurity?
This can be challenging, as it is one of the more 'felt' than 'measured' elements, but it matters. Human error remains a significant factor in cybersecurity incidents, so ensuring that your suppliers care about employee training and awareness programs is crucial in mitigating this risk. If they don't talk about security on their website, and they don't have good answers to the questions above, there is a strong chance you should listen to your gut.
Ask about:
- The frequency and nature of cybersecurity training provided to their staff.
- How they enforce security policies within their organisation.
- Measures taken to detect and prevent insider threats.
Trust me, you want the kind of supplier who knows it is not a matter of "if" but "when" and is taking every measure to ensure that you are not the next unwitting victim of their neglect. I say all the above not to add dissent to an already fraught topic. However, I cannot stress enough that when you are considering the safety of your systems, the thought cannot extend only to yourself; it simply must extend to your suppliers, vendors and partners, the businesses and entities that represent and carry the network of your data. These are the places where you are most vulnerable. I truly believe the day is coming when those businesses that protect and manage data security with the sobriety and investment it deserves are going to warrant the trust of the public, and so they should.