Supplier security is something most organisations are at least aware of, and many realise they need to do something about it. Most of the time, however, "doing something" means a quick chat with the supplier, possibly a generic check-list, and a review confirming that the contract at least mentions security. The underlying problem is the assumption that if the supplier drops the ball, it is the supplier who will suffer the harm.
This week, T-Mobile USA were unfortunate enough to become the example of why that mindset is really, really wrong. There is no escaping the fact that supplier security matters. If you aren't driving your suppliers hard, things will end badly.
Supplier security – what went wrong for T-Mobile?
First off, for the avoidance of doubt, there is no reason to think T-Mobile have done anything wrong. Nothing here is meant to imply that they failed to implement good supplier security controls.
Yesterday, it was reported (here and here) that the credit checking agency Experian had suffered a major breach. The breach exposed personal data belonging to T-Mobile USA customers. Initial reports are that the attackers had access for over two years and that around 15 million records have been compromised.
It seems the attacker(s) accessed a file containing every credit check Experian had conducted for T-Mobile. The customers put their faith in T-Mobile, and there was no breach at T-Mobile. However, they are still the ones who will feel the impact.
As an immediate damage limitation exercise, Experian have offered anyone affected a free two-year account on ProtectMyID. Unfortunately, this means affected customers need to continue trusting Experian, and it's not clear how effective a credit checking agency will be at general identity protection.
For T-Mobile, this is a pretty painful situation. They had no breach, but their customers suffered. Some customers will blame T-Mobile for this. Some customers may leave T-Mobile. Customers don't care whose systems were actually breached; they care that their data was exposed.
Don't forget: if this had happened in the UK/EU, it is the Data Controller who gets the fine, not necessarily the data processor. Outsourcing the processing does not outsource the liability.
Supplier security – what should you do?
No one wants to be in the same boat as T-Mobile, but every business needs suppliers of some description. So the question is: how can you check that your supplier security is good enough?
Step 1 – actually take your supplier security seriously. Don't treat it as just a task you have to tick off on an audit list. Don't assume all your suppliers are the same. You need to fully integrate your supplier security processes into everything you do, from procurement and contract negotiation through to ongoing monitoring and offboarding.
Step 2 – risk assess your suppliers. Not all suppliers carry the same risk, so not all suppliers need the same level of scrutiny. Supplier security is never a one-size-fits-all problem. Some suppliers provide business-critical services. Some hold data that could cause you massive reputational damage if it leaked. Some won't. You need to understand every supplier: what data they hold, what access they have, and what depends on them. In some cases it may even be necessary to war-game possible scenarios so you can really understand how things can go wrong. Figure out what happens if they go bust, get breached, or just mess up. Once you know this, you know how much pain this supplier can cause you.
Step 3 – drive the supplier security process. The low-risk suppliers can probably stay with the check-list approach. The high-risk suppliers really need a dedicated supplier security assessment. This means dedicating resources to go and fully understand how the supplier protects your services and your data, not just reading their answers to a questionnaire. If they aren't up to scratch, find a new one.
Supplier security doesn’t need to be hard.
There are lots of resources available to help with supplier security assessments, such as our free Supplier Security Assessment Questionnaire or, if you are willing to pay, the Supplier Security Evaluation Tool (SSET) provided by the ISF.
Whatever approach you decide on, the most important thing is having an approach to supplier security that you actually use.
Never allow yourself to fall into the trap of thinking your suppliers don't need supervision. Never fall into the trap of thinking that their problems will only be their problems. Never fall into the trap of assuming contracts will protect you: a contract may let you recover costs after the event, but it will not stop your customers' data being stolen in the first place.
Supplier security is important. Never forget that.