Intelligent SME.tech Issue 22 | Page 32

// FEATURE //

Contractual security language will not only protect your company by having vendors abide by best practices, but it will also set the cadence for the entire relationship.

and partner relationships to deliver malware to customers. Using this pipeline gives them the ability to bypass security measures and to propagate a single attack to hundreds, if not thousands, of end-users simultaneously. It’s been estimated that 62% of supply chain attacks exploit the trust between an SME and their suppliers. This makes it imperative for SMEs to follow up on the findings after the initial risk assessment is complete.
Once the criteria for identifying your most critical vendors and partners have been established, develop an appropriate way to evaluate them based on their tier. On a continuous basis, you need to measure vendors in a way that mirrors your own internal requirements. In most cases, Tier 1 vendors should be treated as an extension of the business, and thus should have policies, procedures, processes and capabilities similar to or better than those you have set for your company. Tier 3 vendors, by contrast, such as office suppliers, will only have access to public data, marketing data or administrative data and have no integration with your environment or products, making them close to a negligible risk.
When it comes to Business Continuity and Disaster Recovery (BCDR), it’s important that you set clear expectations with your vendors and partners. Be sure their Business Continuity plans are built and tested to withstand the unforeseen, not just to comply with a requirement. If availability is a concern, firm SLAs need to be built into the contract and the vendor/partner should have an adequate and well-documented incident response plan. If they don’t have a formalised and tested BCDR strategy to review, work with them to put one in place.
Since managing vendors and partners is an ongoing process, not a one-off exercise, perseverance is required to keep relationships transparent. As your suppliers’ security programmes evolve and improve, they should be able to demonstrate that they can adapt to changing threats.
In addition, as vendor/partner relationships grow, so must the level of diligence and security expectations. Every contractual relationship comes with a degree of accountability. Contractual security language will not only protect your company by having vendors abide by best practices, but it will also set the cadence for the entire relationship. It will bind both you and the supplier to standards that should be met in the event of an incident: things like incident response, data retrieval, data ownership, rights to an assessment, etc. should all be defined upfront.
SMEs can and must demand quality security outcomes from their vendors and partners. Remember, the status of a trusted supplier is earned not through the length of a relationship, but through greater transparency around security. Ultimately, this trust will help you minimise risk, exposure and impact from supply chain attacks.