Posted by Brandon Hill
The supply chain of most companies is long and complex. It is often difficult to get a complete picture of it, because it involves not only your direct suppliers but also the suppliers of your suppliers, and so on down the chain.
This lack of visibility is common and, in many cases, unavoidable, but it is still cause for concern. Many companies share sensitive corporate data with partners in the supply chain: intellectual property, customer data, employee records. Some of that information is essential for the business to move forward and some of it is not, but it is often shared without any regard for the information security practices of the company receiving it.
That is a risky move. The vendor you share data with, and everyone they in turn share it with, might have excellent security in place. But just because your own systems are secure does not mean theirs are, and once data leaves your network your controls no longer apply to it. From the outside, your organization can be leaking data like a sieve without anything on your own systems looking wrong.
Attackers have always gone after the weakest link. If they want your data, they will probably not start with a direct assault on your systems (unless those are insecure too, which is a separate issue for a separate post). Instead, they may target a few of the companies you work with. Once inside those systems, they will take any of your data they can find there. And if that company has a way into your network, such as a remote-access connection, shared credentials or a system integration, they will use it to reach even more.
So what can you do? Setting aside the foolproof but completely impractical option of not working with other companies, or not sharing any information with the ones you do work with, the practical answer is to ask the right questions of your partners. Ask about their security: what are they doing to keep their systems secure? Do they allow removable media such as USB drives to be used with company devices? What do they do to prevent data or devices from leaving the premises? If mobile devices access corporate data, do they use a mobile device management (MDM) system?
Ask these and many other security questions before sharing any sensitive information with the companies you work with, and understand how seriously they take the security of their systems and of your data. It is also a good idea to limit what you share to what is absolutely essential for the work at hand: data a partner never receives cannot be lost in their breach.