
Prepare for cybersecurity assessments from your customers

The entire supply chain stands under scrutiny, and for good reason

PORTLAND, Maine—When a cyberattack occurs, it’s rarely an isolated occurrence. A single cybersecurity incident at one organization creates a ripple effect — impacting vendors, service providers, customers, and many others throughout the supply chain.

Enterprise organizations now realize that their service providers — the smaller vendors they do business with every day — may be a potential weak link or even a gateway to a breach. Enter the vendor cybersecurity assessment and the security integrator’s need to be ready to respond to its requests with a plan in place to actively minimize customer risk.

To get an idea of the cascading effect of cyber breaches, consider a few major incidents this year:

  • SolarWinds is a U.S. company that develops software for businesses to manage their networks, systems, and IT infrastructure. Attackers were able to compromise its Orion software, impacting customers who reportedly included private and government agencies. As of early 2021, it was reported that the SolarWinds attack may have impacted an estimated 18,000 organizations across the globe, with over 100 organizations being directly compromised.
     
  • The Microsoft Exchange Server incident has been blamed on an advanced persistent threat (APT) group called Hafnium, which used a zero-day flaw that allowed infiltration into email and other IT systems. This incident had a waterfall effect, as it affected an estimated 60,000 customers who scrambled to patch software before becoming further targets and victims.
     
  • As consumers, we all saw the widespread impact of a ransomware attack when Colonial Pipeline’s operations were shut down by attackers, limiting fuel supply to the East Coast for days. Following the incident, the Biden Administration announced that U.S. pipeline operators will need to conduct assessments and tighten defenses.

Security Integrators and the supply chain

Cyber incidents can also impact the security integration industry. Security companies have a responsibility to address any potential risks that may impact customers, with an understanding that their work is of a sensitive nature and provides them privileged access to sensitive data. Here are some examples:

  • Integrators store high-security diagrams showing security device locations and passwords for installed devices, and maintain schedules of customer IT systems including architecture IP/MAC addresses.
     
  • Managed Services is driving significant opportunity and revenue to integrators, but many of the solutions require providing remote customer support. Managed services need to be conducted securely, and attackers have proven that when that is not the case, it may provide them a gateway for their crimes (over the years, the US Secret Service has been sending public notification that Managed Service Providers are being targeted by cyber criminals for this exact reason).
     
  • Integrators provide and install IP-enabled devices, servers, switches and more, all of which need to be cyber-hardened appropriately prior to installation and subsequently on an ongoing basis.
     
  • Technicians travel from customer to customer, plugging into IT infrastructure at each location for installation and troubleshooting. Not only is there risk in these machines moving between sites, but those laptops commonly contain highly sensitive customer information.

The physical security industry is inherently unique and the risk to the customer high – making the integrator’s responsibility exceptional. And if it hasn’t yet made it to your inbox or crossed your desk, you’ll most likely see a cybersecurity assessment questionnaire from your customer’s team assigned to conduct vendor assessments. These questionnaires usually come from the Enterprise Risk Assessment team, which often uses risk assessment software to rank the vendors that are at the highest risk and from there decides how and when to conduct more comprehensive reviews.

After analysis, they may choose all types of vendors for deeper reviews. Attorneys, IT providers, software manufacturers, consultants and, you guessed it, technology integrators are high on that list based on the privileged access they and their technicians have to IT systems, sensitive documents, and a multitude of protected infrastructures.

If selected for a cyber evaluation, be prepared. A cybersecurity questionnaire can be quite thorough and will encompass a variety of internal cybersecurity controls around assessments and testing, training and policies, and detection and response.

How to prepare for a vendor cybersecurity assessment

It’s 2021 and cybersecurity incidents make the news every day. You can no longer ignore the fact that instituting a cybersecurity program at your organization is essential and that implementing cybersecurity best practices is no longer a nice-to-have. Get ahead of the game and begin to devise your own comprehensive internal programs that allow you to check off the boxes of these assessments with ease. Don’t view it as an expense. Instead, consider it an investment in doing business. It may even be a differentiator, as getting ahead when others are failing to can mean keeping and winning business. Having antivirus and firewalls alone is not enough to meet the requirements.

Organizations today are mapping against control frameworks such as NIST (which has over 100 controls) to see how well they are doing with cybersecurity and are learning that many more safeguards are required for proper hygiene, spanning people, process, and technology. Here are a few tips to help you with a successful assessment:

  • Don’t panic if you receive a vendor questionnaire. Take your time and review where you stand against the controls they have outlined. These teams prefer a candid conversation, so if you are comfortable doing so you should discuss the assessment with them. Remember that sometimes these assessments are standardized documents designed for all vendors and if you feel specific areas don’t necessarily apply to your services, it’s ok to discuss those directly.
     
  • Answering the questionnaires with confidence and accuracy is equally important. Incorrectly answering queries could mean serious litigation if an incident occurs, and ignoring them or acting as if they don’t matter is not an option. You can very well lose business and potentially damage your organization’s reputation and professional standing.
     
  • Don’t be surprised if your customer agreements now include legal language about conducting these kinds of assessments on your organization regularly, along with clauses that require you to report incidents impacting their business within a specific timeline. Having a specialized Data Security attorney as a resource can be extremely helpful—think about adding one to your team of professionals now, not later.
     
  • One of the interesting twists to monitor is the fact that some of these teams want you to conduct risk assessments on YOUR vendors too. It comes back to the supply chain and the cascading effect of an incident.

Risk teams are stepping up their cybersecurity assessments of vendors by leveraging a variety of technology and statistical tools to rank and select providers. Vendor cybersecurity assessments, questionnaires, and supporting documentation are becoming a necessary adjunct to the security integrator’s business.

As a protector of life and property, not having proper cybersecurity in place has much broader implications. Without a cybersecurity program, good hygiene, and a strong posture, you’re opening your business to the potential for a third-party customer incident – and that’s far more costly than having a solid plan. 

Rob Simopoulos is the Co-Founder of Defendify, the All-In-One cybersecurity platform that makes cybersecurity for all organizations. Rob is a 20+ year veteran of the security industry; he and his company have received numerous awards and recognition from many trusted industry experts and publications.
