Supplier cyber security audits are a key way of establishing trust. And trust is a valuable commodity in business, especially when establishing relationships with new suppliers. Although legal agreements and references can help, much of the process is based on trust, and that trust can be a wonderful way in for hackers and cyber criminals.
When your organisation starts trading with a new supplier, there is an interim period in which relationships and methods of working are established, and this is when both organisations are most vulnerable to attack. Once both parties have gone through this period, the level of skill required to pull off a successful attack rises slightly, but an attack is still possible because the trust relationship has been established and staff lower their guard.
Trust is a wonderful thing, but organisations really need to know how well the other party handles security so they can keep themselves and their clients safe. This is where cyber security audits come in: by providing, or undertaking, an audit, one party can prove to the other that it has considered the security implications and has suitable policies in place.
Security audit documents can pose a security issue in themselves, because of their contents. The more detailed documents can provide a wealth of information to an attacker, so care must be taken to control who has access to them and which type of audit document is provided.
Security statement
A security statement is the most basic form of audit document, akin to a risk assessment. It contains statements regarding the latest cyber security audit's findings, when it was carried out and who carried it out, and explains the steps taken to mitigate risks. In many cases, the organisation carries out the audit itself. Rather than providing specific details, the document shows that aspects of cyber security have been thought about and taken seriously by the providing organisation.
Security audit report
An audit report is a professionally produced document covering the results of the most recent cyber security audit. The report lists the date of the audit, the organisation that carried it out, the date of the next planned audit, the areas that were assessed, whether they need improvement and when that improvement is planned.
As with the security statement, details of the security products and systems used are not supplied, to help maintain security.
Where the highest level of assurance is required, clients or suppliers may insist on an audit being carried out either by themselves or by their appointed auditor. Such audits may involve a thorough inventory of the hardware and software in use, copies of system logs, interviews with staff, a thorough assessment and/or test of procedures, and even penetration tests or red team exercises.
These audits can be extremely intensive and costly, and are usually only insisted on for high-risk transactions, or when a security audit report is not available or highlights an unacceptable level of risk.
How prepared should my organisation be?
That can be a difficult question to answer without a professional assessment, but every organisation should have at least a security statement ready to send to third parties. This is often the first document a new customer or supplier asks for when establishing a relationship, so it should be kept up to date and ready to send out.
If you are working with a new supplier or partner, you should be prepared to ask for their statements, or to conduct an audit yourself, so you can be sure that any information you share with them will be handled and processed correctly.
IXCG is able to provide all levels of supplier cyber security audit, either as a fixed-price professional services engagement for statements, or as part of an investigation or response team for detailed audits. Contact us today for a quote.