Help reduce cybersecurity risk with robust supply chain due diligence
A proactive approach with third-party vendors helps protect company systems, data, and payments
By Justin Ellerman, Head of Cyber Client Advisory, Cyber Resiliency & Human Defense, Wells Fargo, and Anil Khilnani, Fraud Education & Awareness Program Lead, Wells Fargo
IT and finance professionals, how well do you know your company’s vendors?
It’s not an easy question to answer.
Most companies interface with hundreds (even thousands) of third-party organizations and independent contractors each year. These can be temporary staff working onsite during peak seasons. Payroll services firms that streamline employee compensation. Cloud and SaaS platforms that facilitate customer orders. Managed services providers monitoring critical networks for uptime. The vendor list at most organizations is long and varied.
What these outside entities have in common is some level of access to your facilities, your systems, and even your proprietary data.
That necessary interconnectivity is why supply chain due diligence is now an essential component of modern cybersecurity. An attack can originate at a vendor, then cascade through connected organizations.
One in three data breaches now involve a third party
Protecting your company means ensuring external vendors and contractors apply the same level of vigilance as your own company.
It’s not just a best practice, supply chain due diligence is quickly becoming a compliance obligation. Organizations that fail to manage vendor risk can face fines, disruptions, or loss of certification.
The facts can be sobering:
- One in three data breaches now involve a third party.
- Supply chain attacks surged 431% in the last five years.
- Fewer than half of organizations monitor cybersecurity for even a portion of their supply chain.
While cybercriminals can target any industry, some sectors face additional risk due to their complex supply chains and high value data.
The five most targeted sectors are:
- Manufacturing
- Finance and insurance
- Professional and business services
- Energy and critical infrastructure
- Healthcare
Four steps to a coordinated cybersecurity strategy with key vendors
Supply chain due diligence takes a proactive approach to help avoid these cybersecurity issues. Follow these four steps to create a coordinated strategy for your organization:
- Inventory your vendors. First, size up the vendors and independent contractors in your ecosystem. A company-wide audit will help you understand the true scope of your supply chain footprint.
- Assess vendor risk. Next, drill in to each third-party provider. What’s their role? Who within the company has or needs access to your systems or data? Assign a risk rating to each based on criticality, services provided, and type and amount of data shared.
- Create supply chain protocols. Once you understand your range of interconnected people and systems, develop requirements to protect your business. Establish procedures for onboarding new vendors and for ongoing relationships, along with standards third-parties must adhere to ensure your information and assets are protected from cyber threats.
- Monitor continuously. Supply chain due diligence works best as an evergreen program, rather than a one-time event. Determine when and how you will interface with vendors on a regular basis, both for recurring assessments as the relationship and threat landscape evolves.
As you build more resilience into your supply chain, consider risk assessments like Standardized Information Gathering (SIG) and Know Your Third Party (KY3P). These industry-standard tools are helpful in identifying potential issues at third parties such as weak security controls, outdated software, unmanaged subcontractors, or foreign ownership concerns.
Banks like Wells Fargo can also serve as valuable resources, particularly around protecting your financial data and payments infrastructure. Be sure to reach out with questions, attend webinars, and follow protocols designed to safeguard your information and assets.
In the end, supply chain due diligence is all about leveraging your key vendors, trading partners, and third-party contractors as your biggest allies in cybersecurity (rather than your weakest links). A proactive approach and ongoing monitoring can cement strong working relationships and effective cybersecurity for all.
Verizon Data Breach Investigations Report (DBIR)
Cowbell Cyber Report, 2024.
The views expressed are intended for Wells Fargo customers, prospects, and other parties covering the Food and Agribusiness industry only. They present the opinions of the authors on prospective trends and related matters in food and agribusiness as of this date, and do not necessarily reflect the views of Wells Fargo & Co., its affiliates and subsidiaries. Opinions expressed are based on diverse sources that we believe to be reliable, though the information is not guaranteed and is subject to change without notice. This is not an offer to sell or the solicitation to buy Wells Fargo product or service including security or foreign exchange product.
Wells Fargo Bank, N.A. Member FDIC.
RO-5497872
LRC-0626
