Why Vendors Are Your Weak Point

by Gary Phipps


Diversifying your supply chain is a necessity for most companies. While you need third parties in order to function, each one can open the door to a cybersecurity breach. In this blog post I will talk about diversification, why third parties are a target, and how CyberGRX can help.

First, let’s explore the difference between a supplier and a vendor. If you sell a good and need suppliers to provide components in order to manufacture or assemble your finished product, it makes sense to have multiple suppliers of any one part or any ingredient in the recipe to avoid a disruption to your supply chain, right? Let’s say, for example, that I make golf balls. One of the key ingredients is rubber, which comes from my supplier in Southeast Asia. Now, what if there is suddenly a disruption to the global rubber supply due to regional geopolitical issues? Or if seasonal weather catastrophes damage the rubber tree farms? You would want to have alternative sources of rubber, right?

Well, when it comes to cybersecurity, diversifying your supply chain can be dangerous as well as REALLY expensive and time consuming.

The more diverse your portfolio of technology vendors is, the more applications you have to configure and patch. The more network connections you have to monitor, the more data you have being babysat by (hopefully well-vetted) data sitters. The more credentials you have to provision and deprovision, the more… you guys get the point. Diversification is expensive when it comes to security.

When you onboard a vendor who’s going to control or process your or your customer’s data, you have a responsibility to ensure that your vendor can prevent a technology disruption (such as a ransomware attack) that would in turn disrupt your ability to provide service to your customers. That due diligence is usually conducted using self-assessment questionnaires completed by vendors, with back-up documentation to support their answers, which are typically reviewed by the Procurement and Security departments.

Now, if anyone in your company with a credit card can sign up for a cloud application and load a ton of your data into it, how can the procurement and sourcing teams ever perform that much due diligence properly, at scale, and as fast as your project plan says your digital transformation is supposed to happen? You can’t, and threat actors know that. They know that you are onboarding third parties faster than you can secure that growing attack surface. That’s why third parties are a top attack vector.

CyberGRX provides a lot of value for third-party cyber risk regardless of which side of a breach you are on, but stopping cyber attackers from doing bad things isn’t our value proposition. Our value proposition is making sure it doesn’t happen to you.