Supplier Risk Management: Why & How To Address Cybersecurity

Due diligence when it comes to managing supplier risk isn’t a new thing. Most companies dig into a supplier’s finances, past performance, and legal history to determine whether there’s potential for a business relationship. If you’re an environmentally driven company, for example, you won't want to purchase from a supplier known for creating excessive amounts of emissions or pollutants.

But when you’re looking for potential suppliers, do you carefully consider and review cybersecurity posture?

A cyber-attack on a supplier could result not only in the loss of your sensitive data, intellectual property, business strategy, or trade secrets; it could cause an operational disruption so large that it impacts your ability to produce your goods or services.

So even if you know why it’s critical to address cybersecurity with your suppliers — how do you go about doing it? Here are four crucial steps to take.

1. Identify your most critical suppliers.

You need to be able to triage the risk each supplier poses to your organization in order to mitigate that risk effectively. This includes all suppliers of hardware, software, business services, and more. Rate each supplier's criticality by the amount of access it has to your corporate network and the amount of your sensitive data it stores on its own network.

Keep in mind that some suppliers may not appear to be critical at first glance, so you’ll want a comprehensive team in place that is willing to do the due diligence necessary to work through each supplier. For example, you may have a software provider that doesn’t seem to have any direct access to your data — but if there are vulnerabilities in their code, that code can still threaten your networks once it runs in your environment.

The following tools can help you determine if hardware or software suppliers pose a threat:

  • Veracode: This cloud-based technology helps test the security of applications developed by third parties.
  • Safecode: This nonprofit organization offers best practices for enhancing the security of software development processes.

2. Limit your suppliers' access and permissions.

You’ve identified which suppliers should be considered critical—now you need to act on that. In response, you’ll want to limit your non-critical suppliers’ access and network permissions as much as possible. Take the 2013 Target breach as a warning. Target hired Fazio Mechanical Services to monitor its refrigerated units nationwide—but granted the small vendor an unreasonable amount of network access. Hackers were then able to breach Fazio’s network and gain access into Target’s network, resulting in the compromise of over 70 million customer records.

And while your most critical suppliers may require a certain level of network access to properly perform their jobs, you absolutely must monitor them on a continuous basis. We’ll go into detail about this in step 4.
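The triage in step 1 and the least-privilege decision in step 2 can be made repeatable with a simple scoring model. The following is an added example, not BitSight's code or any product's API: the suppliers, the scoring weights, and the tier thresholds are all constructed assumptions for illustration, and the output is a ranked list with the access-limiting and monitoring controls each supplier should receive.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights: network access dominates, stored data comes next, and code that
# ends up in production counts even when the supplier has no direct access.
ACCESS_SCORE = {"none": 0, "limited": 2, "broad": 4}
DATA_SCORE = {"none": 0, "internal": 1, "confidential": 3}
CODE_IN_PRODUCTION_SCORE = 2


@dataclass(frozen=True)
class Supplier:
    name: str
    network_access: str      # "none", "limited" or "broad"
    data_sensitivity: str    # most sensitive class of our data held by the supplier
    code_in_production: bool  # supplier-written software runs inside our environment


def criticality_score(s: Supplier) -> int:
    """Step 1: rate criticality from access, stored data and code footprint."""
    score = ACCESS_SCORE[s.network_access] + DATA_SCORE[s.data_sensitivity]
    if s.code_in_production:
        score += CODE_IN_PRODUCTION_SCORE
    return score


def tier(score: int) -> str:
    """Assumed thresholds: 5+ critical, 2-4 elevated, otherwise low."""
    if score >= 5:
        return "critical"
    if score >= 2:
        return "elevated"
    return "low"


def recommended_controls(s: Supplier) -> List[str]:
    """Step 2: least-privilege and follow-up controls derived from the supplier's profile."""
    controls: List[str] = []
    if s.network_access == "broad":
        # A vendor servicing one system should not hold broad access (the Target lesson).
        controls.append("restrict network access to the specific systems the supplier services")
    if s.network_access != "none":
        controls.append("dedicated supplier accounts with time-bound, audited access")
    if s.data_sensitivity == "confidential":
        controls.append("contractual breach-notification clause and data-handling requirements")
    if s.code_in_production:
        controls.append("application security testing of delivered software before deployment")
    if tier(criticality_score(s)) == "critical":
        controls.append("continuous security monitoring of the supplier")
    return controls


def triage(suppliers: List[Supplier]) -> List[Tuple[str, str, int]]:
    """Return (name, tier, score) for every supplier, most critical first."""
    ranked = sorted(suppliers, key=lambda s: criticality_score(s), reverse=True)
    return [(s.name, tier(criticality_score(s)), criticality_score(s)) for s in ranked]


# Constructed sample inventory, not real vendors.
SAMPLE_SUPPLIERS = [
    Supplier("HVAC monitoring vendor", "broad", "none", False),
    Supplier("Payroll SaaS provider", "limited", "confidential", False),
    Supplier("Embedded library vendor", "none", "none", True),
    Supplier("Office catering", "none", "none", False),
]

if __name__ == "__main__":
    for name, t, score in triage(SAMPLE_SUPPLIERS):
        print(f"{name}: tier={t} score={score}")
        for s in SAMPLE_SUPPLIERS:
            if s.name == name:
                for control in recommended_controls(s):
                    print(f"  - {control}")
```

Note how the HVAC vendor lands in the elevated tier but still gets a "restrict network access" control: the score says it is not critical, and the broad access is exactly what step 2 tells you to cut back. The library vendor with no network access at all is still flagged because of the code it ships.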

3. Specify contractual language covering your suppliers' access and permissions.

The best time to take care of this step is when you are on-boarding your suppliers, because it’s far easier to begin the business relationship with a clear understanding of your cybersecurity expectations. But you can still reevaluate current contracts if necessary. Gather all of your supplier contracts with your legal and IT security teams, and start looking for any that aren’t specific about contractual cybersecurity obligations. Your vendors may have a legal obligation to report some breaches because of compliance—but you need to convey to all suppliers that cybersecurity is of the utmost importance at your firm, and that you must be notified of any breach as soon as possible after it takes place. The language you use is particularly important, so be sure you have the best and brightest in your organization reworking any contractual areas that need to be revisited.

4. Continuously monitor your suppliers.

So, you’ve identified your most critical suppliers, limited network access and permissions for non-critical suppliers, and made sure your contracts are airtight. But now what? Do you just sit around and hope that your suppliers are taking cybersecurity as seriously as you do?

Of course not. The solution? Continuous monitoring software. This is the most effective way to ensure your suppliers are in good standing with regard to their cybersecurity and to follow up easily on any potential vulnerabilities or risks on their networks.

In Summary

It’s very important to broaden your risk management horizons and incorporate more non-financial data—which includes cybersecurity metrics. And keep in mind, you don’t need to be a cybersecurity expert to get started. BitSight’s security ratings do the heavy lifting for you and make it easy to get started right away.