Managing vendor and supply chain risk in a recession

The COVID-19 crisis is putting security vendors, especially startups, under severe pressure. Here's how to vet their financial stability and prepare for the worst.


A 2018 Ponemon report found that companies share confidential and sensitive information with 583 third parties on average. Only 34% keep an inventory of these third parties. In the cybersecurity function alone, the average company deploys around 47 different solutions and technologies.

“CISOs have a very patchy overview of their current third-party cyber risk,” says Paul McKay, senior analyst at Forrester. “Security questionnaires traditionally used differ from reality, and technology solutions such as cyber risk ratings solutions and third-party risk management technologies are in their early stages.” Consequently, third-party or supply-chain risk management has become a hot topic.

“Taking into account the current economic conditions being experienced as a result of the pandemic, financial viability of suppliers becomes a real live issue,” says McKay. “It is also worth thinking about the types of suppliers this is likely to impact. SME firms with limited cash flows are particularly vulnerable. Larger firms and hyperscale cloud computing providers should be able to weather the economic conditions in the longer run.”

Sudden failure of a vendor could leave your data inaccessible, leave a key tool or service unsupported (and therefore unpatched and exposed to future exploitation), or cripple key processes or operations. If the failed vendor's business or its equipment is sold, the customer organization will need to confirm that its data was deleted before the sale went through.

“If a key supplier fails, depending on what they do, it could be as simple as being locked out of a system, having difficulties retrieving data, or in the worst case, significant disruption to the entire business if the provider is operating as a key outsource provider or security provider,” says McKay. “In normal times, termination of contracts often results in data access being left over, data not being properly and securely disposed of, and assets sold on without being properly purged of the data stored on them.”
