By Massimo Cotrozzi
It is now commonplace for large companies, and even SMEs, to have in place a number of IT interfaces with suppliers, partners and contractors. Some may provide one-off services and for others, there may be an ongoing relationship. For example, the purchasing department of one organization may be linked into the delivery department of their supplier.
Although third-party suppliers may bring many benefits, the reality is that their systems, data management and even employee training standards may be vastly different from those of the organization receiving the services.
The question that many organizations fail to ask is: Do you know if your suppliers take the same attitude to cyber-attacks and hacking risks as you do?
A hacker can easily target a poorly secured IT system of a contracted facilities operation and could, in turn, compromise an entire organization – undoing the efforts made centrally. Many third-party suppliers wrongly believe a quick IT security check is sufficient; however, cases have been found of hackers infiltrating a company through the organization’s contracted air-conditioning system. So the lesson to be learned is that no stone must be left unturned, and you can never be too careful with IT security matters.
The issue is further complicated when you examine the process of procurement. There is a broad range of stakeholders involved in the process, and the emphasis is on value for money and the capabilities of the offering. For procurement officers, there is so much pressure to deliver on these objectives for the company that IT security often takes a backseat. A cursory glance or a vague assurance that basic security is in check normally suffices before the services are incorporated into an organization.
One solution to this is to look into supply chain certification. This is where the security of all hardware and software is tested and reviewed to ensure compliance with a pre-agreed standard.
This is already common and widespread within the payments industry. For example, the Payment Card Industry Data Security Standard (PCI DSS) ensures all the hardware and software involved in Chip and Pin card payments is certified on a regular basis.
For some businesses, costs may be an issue and prevent such an extensive standard from being put in place. However, even if a formalized security standard isn’t possible, asking the right questions of all your partners’ and suppliers’ IT is essential in today’s complex environment. Furthermore, regular contact with those responsible for the security of those systems can ensure that one weak link doesn’t compromise ongoing efforts to keep the hackers out.
Massimo Cotrozzi is the Director of EY’s Fraud Investigations and Disputes Services. Cotrozzi works in EY’s cybercrime investigations team and his main focus is looking into how and why companies and organizations suffer security breaches. He joined EY from KCS Group, an intelligence and investigations firm based in London, where he spent four years. His previous experience includes working for governments and corporate clients on investigating intellectual property theft and large-scale cyber attacks. Cotrozzi is also a forensic expert witness in international litigation cases.