Mayhem in Manufacturing, Part II: Best Practices for Third-Party Risk Management

by: Ross Williams, Critical Start DFIR Leader

As I mentioned in Part I of my “Mayhem in Manufacturing” blog, the complexities of today’s global supply chain require that you pay close attention to third-party risk management (TPRM) strategies. In Part II, I’ll delve into specific best practices you can implement to minimize your exposure to these risks.

Protect Your Most Valuable Assets

Manufacturing is especially vulnerable to third-party risks because so many outside vendors are involved in a typical manufacturing process. It’s relatively simple to keep tabs on what’s going on within your own operations, but what about the critical functions you’re outsourcing to others? Consider this: You wouldn’t drop your child off at a day care center without first paying them a visit and verifying their credentials. Why would you entrust your critical customer data, intellectual property, and reputation to a vendor you haven’t properly vetted?

Don’t Be the Next Big Headline

In 2019, a major aerospace company experienced not one, but four large-scale attacks through four different suppliers. Here are a few simple best practices you should put in place now—before your company becomes the next cautionary tale:

#1: Define your company’s cybersecurity risk tolerance threshold. In other words, how much risk are you willing to assume? Once you have figured that out, set a more restrictive threshold for your third-party vendors and suppliers.

#2: Create a set of minimum expectations that your vendors and suppliers must meet. Require these groups to respond to a set of questions that address your concerns. For example, you might ask:

  • Does your company use anti-virus software?
  • Do you have an endpoint protection platform (EPP) in place?
  • Do you change your network passwords on a regular cadence?
  • How do you manage physical access to your networks?

If you need help compiling your third-party risk management questionnaire, legal counsel can help with the contractual side. The National Institute of Standards and Technology (NIST), for example through the Cybersecurity Framework and SP 800-161 on supply chain risk management, and the Information Technology Infrastructure Library (ITIL), through its supplier management guidance, also offer frameworks to aid in this process.

#3: Trust, but verify. Don't take the answers to your questionnaire at face value. Ask your vendors to provide evidence, such as a current third-party audit report or a copy of the relevant policy. For example, if they respond "yes" to the question, "Have you ever been breached?" ask for the details of the breach, including what was affected and what changed afterward. (Such details may not be publicly available.) Keep in mind that many companies are not willing to send you electronic versions of their policies and procedures. In those cases, you should be prepared to walk through that information in a phone call and create a detailed, dated record of the responses so that you can compare them against next year's answers.

#4: Evaluate vendor responses and make tough decisions where needed. As mentioned in #1, you should decide what your company's minimum threshold is for assuming risk. That should be the standard by which you rate the responses you get from your vendors. If a vendor does not meet that threshold, don't do business with them. What if they are the only provider of a specific product, such as a digital conveyor belt, that is critical to your operations? In that case, you may decide to accept a higher level of risk. Just be sure to document that exception and mitigate the risk with increased security on your side, such as placing the vendor's equipment and remote access on an isolated network segment and performing additional penetration testing against it.

#5: Repeat this process on an annual basis. As with most cybersecurity functions, TPRM is not a once-and-done initiative. You should repeat your due diligence process every year, and sooner if a vendor reports a breach or changes the product or service it provides to you.

Start Now, Adjust Later

Building a robust TPRM program takes time; it doesn't happen overnight. The most important thing you can do is get started. Then you can make adjustments as you gain more information and mature your program over time.
