Your Supply Chain Will Be Breached. Now What?

One weak link in a supply chain can result in thousands, or even millions, of dollars in ransomware payments. Comprehensive vendor management is the solution.

Supply chain attacks rose 42 percent in the first quarter of 2021, affecting roughly seven million people in the United States. SolarWinds, Shell, Kaseya, and Kroger are among the organizations hit by recent high-profile attacks that have thrown supply chain security into the spotlight.

Supply chain attacks occur because hackers are looking for an easy way in. Their target might be a huge company, but successful businesses typically have sophisticated IT environments, so cyber criminals look for vulnerabilities elsewhere. Generally, they find one in a software supply chain partner and plant malicious code there so that it is distributed to every connected company.

To strengthen the supply chain, organizations of all sizes must develop a formal vendor management strategy.

Vendor Management Strategy Components

  1. Identify the information vendors will access.

    Understanding how a vendor accesses your data is key to understanding the risks they pose. To accomplish this, make a list of the systems, information, and networks a vendor will require access to. Ask: How does the vendor fit into the organization’s business objectives?

  2. Establish risk tolerance per vendor.

    To create a picture of risk, align the information from step 1 with the organization’s business goals. As a result, the organization will develop an information risk tolerance. This determines which risks the organization is willing to accept, transfer, mitigate, or refuse. Ask: How critical is this vendor to operations? How much information do they need? How many critical systems and networks do they have access to?

  3. Make good contracts.

    Defining business relationships benefits all parties involved. Developing a service level agreement (SLA), for example, helps define vendor responsibilities and requirements and how they relate to the organization. Consequently, the SLA should include protocols, controls, and/or requirements for:

    1. Access authorization
    2. Employee security awareness training
    3. Encryption and decryption
    4. Endpoint security
    5. Information access
    6. Password management
    7. Network and system security protections and updates
    8. Security incident liability

  4. Sustain vendor monitoring.

    Vendor management isn’t a one-and-done check. Only continuous monitoring will ensure vendors’ security postures stay aligned with the organization’s business goals and risk tolerance over time. Organizations should therefore monitor:

    1. IT diagrams and architecture
    2. Physical security
    3. Security documentation
    4. SOC reports
    5. Vendor audits and internal audit reviews

Gone are the days of isolated security. As businesses become more interconnected, it also becomes more important than ever to closely examine each link in the supply chain. Ultimately, establishing a comprehensive vendor management plan will strengthen vendor partnerships, help protect company, customer, and employee data, and stop cyber criminals from demanding impossible ransoms.