The vendor ecosystem is an integral part of many organisations and provides support for a successful business. This intimate, often complex, relationship between vendors has resulted in fault lines that hackers exploit. Security Awareness Training with third-party suppliers is extremely important.
The extent of these third-party vulnerabilities was captured in a 2020 survey by Opinion Matters: the survey explored third-party ecosystem security issues with CIOs, CISOs, and Chief Procurement Officers. One of the most worrying outcomes of the report was that around 82% of UK organisations had suffered a security breach originating in the wider vendor ecosystem. The survey also pointed out that the UK has the poorest visibility of security vulnerabilities in the supply chain.
An effective way to manage third-party supplier vulnerabilities is to implement Security Awareness Training with third-party suppliers.
Managing the Security Implications of Using Third-Parties
Security Awareness Training with third-party suppliers is a holistic process that involves many moving parts. Because of the complexity of these systems both accidental data exposure and cyber security targeting of the supply chain leads to serious security threats and increased corporate risk.
Companies that use suppliers and other third parties, are typically responsible for the outcomes of a cyber attack, even if the fault lies with a third party. Regulations such as ISO27001 and PCI DSS (Payment Card Industry Data Security Standard) have requirements that expect any data risks associated with third-party suppliers are managed.
A recent study from ENISA found that 58% of attacks focus on obtaining access to data with 62% of attacks dependent on manipulating the trust of customers in the supply chain. The ENISA report states that:
“strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.”
Incident reporting was also highlighted in the report as being poor, thus impacting the visibility of vulnerabilities up the chain.
With supply chains being responsible for so many cyber attacks, focusing on the human side of cyber security, by ensuring all third parties are fully aware of the challenges of security, is vital. Addressing the human element in the cyber security threat equation comes in the form of Security Awareness Training. But how does an organisation manage Security Awareness Training with third-party suppliers?
Important Questions in the Management of Security Awareness Training with Third-Party Suppliers
Managing the security vulnerabilities in the supply chain comes down to the education of employees across that chain. Management of the Security Awareness Training with third-party suppliers and employees comes with several key questions:
Does the Third-Party have Security Awareness Training in place?
Find out if your supplier has a Security Awareness Training package already in place? Bear in mind, however, that not all security awareness packages are made equal. The level of training must be of a standard that meets your own company’s expectations. Check that training is carried out at regular intervals. A poor training package that does not use interactive and engaging training materials may not change poor security behaviour in employees.
Does the Supplier use Phishing Simulations and other Phishing Awareness Education?
In a 2021 survey by Thales, phishing ranked number 3 in the top ten concerns for data threats. Malware and ransomware, often initiated by phishing, were numbers 1 and 2 respectively.
Phishing simulations take an employee through carefully configured automated phishing simulation exercises. Over time, this builds up staff confidence in knowing how to spot tell-tale signs of phishing and how to then report the threat. Check with your supplier to see if they use phishing simulations, and if not, help them to develop a program that simulates typical phishing scams that impact your sector.
Evaluate any Existing Security Awareness Training Campaign with Third-Party Suppliers
Once you have established that the supplier has a Security Awareness Training program you can evaluate its effectiveness by checking out:
- Documentary evidence of training, e.g., training session attendance of employees, types of questions asked by trainees, etc.
- Metrics of training effectiveness, e.g., how many employees were able to recognise a phishing message and then report it?
Metrics help to make focused changes to a program that results in even better training outcomes.
What if your Third-Party Supplier doesn’t use Security Awareness Training?
It is increasingly important to tackle the human element of cyber risk. Another ENISA report found that 95% of phishing emails need human intervention to initiate a malware infection. In addition, the threat from accidental insiders also needs to be considered; the Verizon Data Breach Investigations Report, 2021 finding that 22% of security incidents involved insiders.
Supplier staff needs to be trained to the same exacting levels in security awareness as your own company’s staff. To manage this, the Service Level Agreement (SLA) between your company and your supplier must reflect the level of training you expect to be undertaken. This legal agreement should require that the security training program details are approved to your own standards. Having an SLA in place, that includes a clause for security awareness provisioning, shows that the supplier is committed to both their security as well as yours.
Great third-party suppliers ensure a competitive edge, but security vulnerabilities can turn a great supplier into a liability.
Cybercriminals look for the weakest link in the chain, the supplier and their staff. To ensure that these chinks in the armour of the chain are mitigated, make sure that the Security Awareness Training with third-party suppliers carried out is carefully managed to meet the expectations and standards you expect.