Your Vendor Can Be an Attack Vector

It is impossible to implement effective information security until you address the “vanishing perimeter” in policies and agreements. This term refers to the porous nature of an organization’s network and information-sharing system. A company’s IP and other sensitive data no longer simply exists within the confines of a firewall. It travels “off network” and potentially around the world every day via email, and on the mobile devices of supply-chain and other vendors, business partners and service providers, including outside law firms.

Most large organizations have already experienced breaches, whether they are aware of it or not. You are only as secure as the weakest link in your supply chain, and it should be assumed that if you and your supply chain have not yet been compromised, they will be. This assumption should drive internal and supply chain information risk management and legal processes.

A program to mitigate risk in the supply chain begins with identifying which data is considered “sensitive” by your organization. Next, assess which vendor or partner that has access to the network, or that retains copies of your IP, PII (personally identifying information) or financial data, represents the greatest risk to information security. Rank your vendors. Creating such a list lays the groundwork for a tiered approach to agreements, as well as to the level of network and/or data access granted.

General counsel can play a role in supply chain cybersecurity by working with other stakeholders to weave new protections into existing processes.