Intelligent Issue 22 | Page 30



Jaime Arze, Manager II, Third Party Risk, Datto
their vendor and partner relationships may expose over time.
Do you know how critical each vendor is to the business? Are there supplier redundancies or unnecessary relationships? If so, they need to be promptly evaluated and addressed. Based on the type of service delivered, every vendor or partner entering or leaving should be accounted for in a system of record. Keeping an up-to-date inventory of vendors/partners and centrally managing those relationships is a good starting point for identifying and minimising any inherent risks. With deeper knowledge of your vendors/partners, you'll gain a clearer view of potential exposure, allowing you to greatly minimise the attack surface area. Additionally, a centralised vendor portfolio provides many advantages, such as the ability to tier suppliers to fast-track procurement of low-risk vendors/partners.
Get answers to the right questions
Not all vendors are created equal, and with security resources scarce, you need to make the most of them. First, prioritise those vendors/partners that matter the most. Next, focus on the suppliers whose compromise could cause the greatest damage and disruption to your operations, as well as impact your customers.
To get you started, here are some questions to help you assess the strength of your vendors' security posture. Ask about their vulnerable areas. Find out what proactive measures they are taking to improve defences. Can they demonstrate that they are safeguarding the confidentiality, integrity and availability of their clients' data in the same way you would? When asking security questions, being specific will result in more precise responses. Identify and evaluate what risks your suppliers might be exposing you to over time, and find out what they are doing to close those gaps.
Each vendor in your portfolio should be able to explain how they are protecting themselves and their customers against attacks, including how they restrict access to systems and how they encrypt data. Do they – as a minimum – follow industry standards? When requested, vendors should be able to show independent audits of their security performance. Finally, come to each vendor meeting with a list of clearly defined requirements and be prepared to ask some difficult questions.
Create a culture of transparency and accountability
The ever-increasing number of suppliers that have access to an SME's systems and sensitive data is making it relatively easy for threat actors to target less secure elements in the supply chain. Hackers piggyback on trusted vendor
Intelligent SME.tech