There have been a number of supply chain attacks recently, including MOVEit and 3CX. These attacks can be immensely costly and, at the least, distressing for the businesses involved. For the software provider, such breaches can and often do have a disastrous impact on the business, one that could have been avoided by following a secure software development programme.
The cyber security processes in place at your suppliers are just as important as your own. Supply chain attacks are becoming more common because the potential payout is so much larger: one compromised supplier gives the attacker hundreds to thousands of downstream targets.
A supplier is any business your business relies on for connectivity, software applications, Software as a Service or infrastructure. That includes the small calendar-sharing and appointment-booking apps that request permissions to your Microsoft 365 Exchange Online tenant (often more than they actually need).
Where a supplier handles any of your data (even just a username and password, if the login is not federated), or has access to your systems, you need to know that their security processes are more robust than your own.
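Knowing which suppliers actually have access to your tenant is the first step. The script below is an added example, not part of the original post: it uses the Microsoft Graph PowerShell module to list every third-party app that has been granted delegated or application permissions in your Microsoft 365 tenant and flags the ones that can read or write mail, calendars and mailbox settings. The list of "risky" permission patterns and the two excluded Microsoft-owned tenant IDs are this example's assumptions; adjust them to your environment.

```powershell
# Added example: audit third-party app consents in a Microsoft 365 tenant.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$tenantId = (Get-MgContext).TenantId

# Tenants whose apps we treat as Microsoft first-party rather than third-party
# suppliers (assumption: exclude these so the report focuses on external vendors).
$microsoftTenants = @(
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',   # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47'    # Microsoft corporate
)

# Permission names that give access to Exchange Online data (assumed list).
$riskyPatterns = @(
    '^Mail\.', '^Calendars\.', '^MailboxSettings\.', '^Contacts\.',
    'EWS\.AccessAsUser\.All', 'full_access_as_app', 'full_access_as_user'
)

function Test-Risky([string]$permission) {
    foreach ($p in $riskyPatterns) { if ($permission -match $p) { return $true } }
    return $false
}

# One pass over all service principals; index by object id so we can resolve
# both the client app and the resource (e.g. Microsoft Graph, Office 365 Exchange Online).
$allSps = Get-MgServicePrincipal -All
$spById = @{}
foreach ($sp in $allSps) { $spById[$sp.Id] = $sp }

function Test-ThirdParty($sp) {
    $owner = "$($sp.AppOwnerOrganizationId)"
    return ($owner -and $owner -ne $tenantId -and $owner -notin $microsoftTenants)
}

$findings = @()

# 1. Delegated permissions: OAuth2 permission grants consented by users or admins.
#    ConsentType 'AllPrincipals' means an admin consented on behalf of every user.
foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $spById[$grant.ClientId]
    if (-not $client -or -not (Test-ThirdParty $client)) { continue }
    $resource = $spById[$grant.ResourceId]
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            App        = $client.DisplayName
            AppId      = $client.AppId
            Type       = 'Delegated'
            Consent    = $grant.ConsentType
            Resource   = $resource.DisplayName
            Permission = $scope
            Risky      = Test-Risky $scope
        }
    }
}

# 2. Application permissions: app roles assigned to the client service principal.
#    These work without any signed-in user, so they deserve extra scrutiny.
foreach ($client in ($allSps | Where-Object { Test-ThirdParty $_ })) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All) {
        $resource = $spById[$a.ResourceId]
        $role = if ($resource) { $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId } }
        $name = if ($role) { $role.Value } else { "$($a.AppRoleId)" }
        $findings += [pscustomobject]@{
            App        = $client.DisplayName
            AppId      = $client.AppId
            Type       = 'Application'
            Consent    = 'Admin'
            Resource   = $a.ResourceDisplayName
            Permission = $name
            Risky      = Test-Risky $name
        }
    }
}

# Risky grants first, then export for the supplier review.
$findings | Sort-Object Risky, App -Descending | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\third-party-app-permissions.csv
```

Anything listed with Type "Application", or with Consent "AllPrincipals" and a risky permission, is a supplier that can reach your mailboxes without any user being present; that is where to start asking the questions below, and where to revoke consent for apps nobody can vouch for.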
Ask them about their software development processes (including which open source components they include and how they track them), their data protection policies, their incident response processes and their risk management strategy, as well as their overall cyber security maturity.
If your supplier is unable to answer these questions, it is likely that they are not designing with security in mind, and you would be wise to review whether you really should work with them. We should expect our business partners to be more focused on protecting their customers than on the financial appeal of a quick and easy product.
Often it is best to stick with "off the shelf" software, accepting less configurability than a bespoke app whose origins and development practices are not well known.
Always look to adopt a framework like the ASD Essential Eight as a starting point: the controls it prescribes ensure the basic cyber security protections are covered.
The case below is a warning to all of us: check your suppliers as part of your own risk assessment, limit software installs, and ensure that any data leaving your premises is always the minimum necessary and, ideally, carries some form of document protection such as encryption.