Analysts estimate that up to 80% of cyber breaches originate in the supply chain. Making matters worse, an organization that enters into a third-party business relationship inherits the vendor's security practices as part of its own risk profile.
In 2013, criminals stole the data of tens of millions of credit and debit cards belonging to customers of the US retail giant Target. The attackers used the network credentials of a third-party heating, ventilation and air-conditioning (HVAC) contractor.
It is critical that organizations implement third-party management policies that clearly define the vendor’s responsibilities to meet specific cyber security guidelines. International standards, such as those found in the ISO/IEC 27000 family, offer invaluable help.
In particular, the four-part standard ISO/IEC 27036 provides guidance on vendor relationships, including supply chain and cloud service security. ISO/IEC 27036 helps organizations to manage risk across the entire lifecycle of the relationship, from initiation to termination and exit.