Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back with us this week. And we are continuing our discussion on the Dirty 13, the top 13 issues that we see when auditing CPA firms.
And honestly, it's practically everybody we see that has these exact same issues. This week, we are going to go into supplier management, all the issues that we see around supply chain management, supplier management. This is a pretty common issue across all industries.
So we'll dive into that a little bit. Before we do, please click that subscribe, click that follow wherever you're listening to us, Spotify, Apple Podcasts, and we would also really love to hear from you. Send us some comments.
And also, if there's areas that you would like to hear more about, let us know. More than happy to set up a podcast for you. So getting into the Dirty 13, bad supplier management.
Supplier management has become a major issue across practically every regulation in every framework. Previously, in HIPAA, other regulations, some frameworks, there were considerations for information security management with suppliers. And that's still a big issue.
However, because of what happened with COVID, and all of those supply chain issues just completely imploding, the full supply chain management has become a major issue. I don't want to be too broad and just say financial. I'll say for the non-production, for the non-infrastructure critical companies, the supply chain management isn't as strong as it is in some of those frameworks.
However, it still is a very, very big issue as far as making sure that you don't just assess your suppliers, but you're assessing essentially how they're getting what they need to provide to you what you need. It doesn't help if we have three separate suppliers to provide us chips, security chips or circuit chips. That should have fallen out of my head.
But it doesn't help if we have three different suppliers for those if all three of those suppliers are getting their chips from the same wholesaler. If that wholesaler goes offline, now we're completely sideways. And the discussion of how to manage that in issues where all the supply chains come into one point, that's a completely different discussion, something that we'll continue to talk about in risk management side of things.
It's actually one of the areas that when we're working with companies, we dive pretty deep into to figure out how can we manage things if this completely goes away, if the supply chain is completely offline. That's a big consideration and a big area that we look at in the risk management process. But a little bit too deep for today.
But what we typically see in companies when we're doing our audits is first and foremost a complete lack of a supplier and vendor management process. There's no process for how we request new suppliers, how we formally do that. There's no process for how we assess the suppliers, their risk, their capabilities.
Are they going to be able to provide to us what we need when we need it? Are they going to keep our information secure as we need it? There's also typically no selection criteria. And finally, a lot of companies don't have any structured process for how they're going to review their suppliers. Once they've started working with them, there's no structure for how are we going to make sure that they're continuing to hold up their end of the bargain.
And typically suppliers are only reviewed if they stop providing the product. Well, if they're managing information, we also want to continue to review them to make sure that they're staying up with their security practices. It's very important with any type of supplier that is storing, processing, or transmitting any of our sensitive data that they have strong information security protocols in place too.
Protocols that match or exceed our own internal requirements. The reason this is important, and we've talked about this before, is you can never shift your fiduciary responsibility for any information that you own. So if you've collected information on clients and now you're storing that in say Microsoft 365 or HubSpot or Google Suite or any other company out there.
Naming those is not an endorsement, it's just examples. If those companies get hacked, you're still responsible to your clients for the data of theirs that you collected that was compromised. Now any of those companies are responsible to you for the information of yours that you provided to them.
But this doesn't get you off the hook. You can't go to your clients and say, listen, Microsoft got hacked, you're going to need to take it up with them. That's like me giving you the keys to my car, you giving it to your brother, and then telling me, hey, James, sorry, my brother wrecked your car, you're going to need to take it up with him.
Why'd your brother have my keys? I gave them to you. You're responsible, you take it up with your brother, but you and me are going to take it up together. So it's a sucky thing about information, about data collection, that each hop of that information basically replicates the risk.
It's exponentially increasing as it moves to different locations. And like Brian Barnhart from Infiltration Labs, our foremost forensics expert, says, it's like toxic sludge. Once it's there, you can't really get rid of it.
Now that's just a risk and it's going to be there for practically forever. So it's very important to make sure that with our suppliers, we're evaluating the type of information security controls they have in place. Are they keeping the information appropriately secured? What information do they need specifically? And then how are they going to delete that information? It's very, very important to be able to identify exactly how our information is going to be handled.
And even now, a few years into the FTC safeguards rules and some other more stringent requirements, a lot of suppliers don't have this defined. They don't have a structure there. And previously, if we're connecting data or if we're connecting different systems, it's just carte blanche.
Here's access to everything. You pull what you need and preferably leave the rest alone. That's typically how it's been in the past.
And where you want it to be is much more of a, what specific data sets do you need or data points? You need the name, address, and phone number? Great. That's all you're going to get. Now tell us how you're going to secure that.
What security protocols are you transmitting with? Is that TLS 1.2 and higher? Where you're storing it, is that fully encrypted? AES-256? Or if you're going by our policy set, any of the FIPS 140-2 or 140-3 approved cryptography methods? Any of those? And what does your access control process look like? Who has access to this information in your organization? Is it anybody in your company? Just right here we can see how many questions start coming into our assessment of the suppliers. And that's one of the next big issues. We're not properly assessing the suppliers.
So one of the areas that we look at is if we're storing very sensitive information, trying to keep that to companies that have an ISO 27001 certification or a SOC 2 certification or some sort of information security certification that shows that an external entity, a certification body, has come in and looked at their security controls to validate they have them in place. I'll give a little caveat, a little hairy butt around the corner, but you want to make sure that whatever security certification they have is properly scoped for how you're going to interact with the company. It doesn't do you any good if their security certification is on one of their servers in Kansas and you're storing all of your information in the EU.
So very important when you're looking at the security certifications to match up their scope statements to make sure that they align with your use with that supplier. Another big thing that we see, and this ties in with the lack of supplier process, but is no approved supplier list or something similar. A lot of companies can't even quickly identify who it is they're doing business with, what suppliers they're using.
A lot of times the only way that we're able to figure this out is to go to the financial side of the company and look at their purchase orders, their invoices. Let's look at your credit card receipts. Let's basically do a forensic audit over there so that way we can identify everybody that you're paying and this looks like all the suppliers that you're using.
You want to make sure that you can identify all of the different suppliers that you're using. The next big issue that we see is even in cases where there's a supplier process. Okay, it's going to go through a few channels, they're going to be evaluated, and they've got to get approved before we can use them.
That process doesn't tie to the risk management process and structure that the company has in place. So on our risk management side, the way we're evaluating all the risk in the company, the way we're trying to protect the company to keep it operational regardless of what happens. Over here with our suppliers, which are the main component of keeping the business running, we're evaluating them a completely different way or a lot of times it's just a high, medium, and low.
Whatever that means. And this lack of cohesion between the risk management process, our risk appetite, our risk scales, and our supplier assessment process create situations to where we can have radically higher risk, radically more exposure than we considered originally in our risk assessment process. To where now if say a supplier goes offline or a supplier gets a data breach, it is a massive impact to our organization that we're just not prepared for.
We're not ready to handle, and we may not be able to weather it. That happened a lot during COVID. That's happened a lot with major companies that have gone offline.
With the CrowdStrike issue, with the DMS system, good gracious, I can't think of their name now, but with the dealership management system that went offline, a lot of dealerships weren't structured to be able to weather that. They just shut their doors for days, some for weeks, until things got back online. You don't want your business in a position like that, you want to make sure that you're properly evaluating your suppliers.
And your risk management process and your supplier management process should be very, very well connected. The way that you evaluate risk internally and externally should be the same way that you're evaluating your suppliers. The final thing that we see is suppliers not being obligated to protect information security.
They're not obligated to any type of information security standards. And this is very important because a lot of regulations, FTC safeguards rule, HIPAA, PCI, it requires that when you're working with a supplier, that they're adhering to information security requirements. A lot of these regulations say that they have to adhere to your information security requirements.
Now, if we're working with Microsoft, we're working with Google, we're working with these big companies, they're not going to read our information security policies. They're going to tell us to fly a kite. They actually won't even tell us that.
There's nowhere that we can even contact them to have this conversation. It's a complete brick wall. So what we have to do in those cases is, again, make sure that they're implementing the security controls that we require, or better.
And that in some place, whether it's our terms of service, our master service agreement, whatever type of contract we have with that supplier, that it states that they will maintain those security requirements. So their contract doesn't need to specifically say they're going to adhere to ours. But it does need to specify the standards that they'll maintain a certain level of information security.
And whatever that level is has to meet or exceed what our requirements are. The nice thing with a lot of major companies, like with Microsoft, Google Suite, tons of companies, is if you need those extra security requirements or you have those specific contract requirements like you do with HIPAA, there are actually processes that you can go through to get a signed business associate agreement or to validate that you've met those requirements. And that's typically something that you do on your side, going through a few steps, maybe turning on a few things in the environment, and then it gives you a certificate or points to a place that says that they're going to meet those contract requirements with you.
And that's fine for your regulatory requirements. But it's important that you have these in place. Where it's missed a lot is with contractors, consultants, and they're not required to manage security in the way that you require.
A lot of times the way that we help companies get around this is if it's a supplier or a consultant, if we're just giving them access to our system, we just treat them as an employee. Here's our security awareness training. Here's our policies.
You're going to sign this document that you'll adhere to them so that you understand what we have to do. And there's a lot of companies that we are doing a lot of HIPAA training for to validate that we're doing what it is that they need for their security requirements. That's a lot easier than trying to fully audit a consultant security practice or to go through all of their information security policies and procedures.
And honestly, a lot of them don't have anything in place, which means that you would be searching for a very long time to find a consultant that did. Now, Input Output does have all that structure in place, just throwing that out there. But it's much easier to be able to just say we're going to treat them as an employee and they're going to fall under the umbrella of our information security program.
And we'll do some minor validations on like the systems they use, things like that. There's a lot of other good ways that you can enforce that with things like Microsoft Intune, with a lot of other security tools out there. So more than happy to connect to discuss those and how that can make the process a lot easier.
Also, more than happy to dive in and we'll probably create some other podcasts to go more into the supplier process, but how you can create supplier risk profiles. So you can put your suppliers in buckets. You don't necessarily need to fully assess every product supplier.
If you're just buying toilet paper from them, other paper products, pens, you don't need to do as much of an assessment as say you would on the platform that is going to store all of your client's data, all of the sensitive information, and back it up. That's going to be a much deeper analysis, a much different risk profile than just those product providers. So when you're creating your supplier process, or if you're using ours, ours is structured in a way that you can just use risk profiles and simplify this considerably, but still get the same risk assessment and all of that benefit.
So that is all that we have today for supplier. Bad supplier management, one of the dirty 13, that is actually number five. Next week we're going to go into audit logging and some pretty serious issues there with audits and log requirements and some sneaky things we're seeing with regulations and insurance.
So definitely tune in next week for that, but thank you for listening to Cash in the Cyber Sheets this week. Please click that follow and subscribe and can't wait to see you here next week.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.