12 Lessons Learned From The SolarWinds Breach: RSA Conference
From scrutinizing technology suppliers and the code used during the application development process to axing on-premises Active Directory, here are 12 key takeaways from the SolarWinds breach.
Scrutinize Suppliers On A Continuous Basis
Most businesses do a thorough inspection of a supplier’s security practices before agreeing to work with them, but very few organizations maintain that level of scrutiny on an ongoing basis, according to OneTrust Chief Revenue Officer Kevin Kiley. Companies must continuously assess the security practices of their suppliers and use that to recalibrate the level of risk each supplier might represent, Kiley said.
Organizations need to move beyond simply asking for security certifications when putting out a request for proposal and make supply chain security an ongoing practice. Specifically, he said companies should examine how third parties are being used, what data is being shared with them, whether it’s necessary to share all that data with them, and if/how data is being destroyed after it’s no longer being used.
From there, Kiley said businesses should examine the risk represented by fourth- and fifth-party companies that work with their suppliers or their suppliers’ suppliers. Since the SolarWinds attack, Kiley said organizations have invested heavily to gain more insight into who they’re working with and what kind of risk those parties represent.