Supplier Security Assessments: A Practical Approach

The SolarWinds breach. The Kaseya attack. Countless incidents where attackers compromised suppliers to reach their ultimate targets.

Your security is only as strong as your weakest supplier. But how do you assess supplier security when you’re a 40-person company without a vendor risk team?

Here’s a practical approach.

Why Supplier Security Matters

When you work with suppliers, you’re extending trust:

  • They may have access to your systems
  • They may store your data
  • They may connect to your network
  • They may have admin credentials

If they get breached, you’re affected. Their weakness becomes your vulnerability.

Common supplier-related incidents:

Managed service provider compromise: Your IT provider gets breached. Attackers use their access to reach all their clients, including you.

SaaS platform breach: Your CRM or HR system gets compromised. Your customer or employee data is exposed.

Data sharing incident: A supplier you share data with has inadequate security. That data ends up exposed.

Supply chain attack: Software you use is compromised at the source. Malicious updates are pushed to your systems.

None of these are your fault directly. All of them are your problem.

Who Needs Assessment

Not all suppliers are equal risk. Prioritise based on:

Access level:

  • Do they have access to your systems? (High priority)
  • Do they connect to your network? (High priority)
  • Are they purely transactional? (Lower priority)

Data exposure:

  • Do they handle customer data? (High priority)
  • Do they handle employee data? (High priority)
  • Do they handle financial data? (High priority)
  • Do they just receive marketing emails? (Lower priority)

Criticality:

  • Would their failure disrupt your business? (High priority)
  • Could you easily switch to an alternative? (Lower priority)

Focus your assessment efforts on high-access, high-data, high-criticality suppliers.

The Tiered Approach

Tier 1: Critical suppliers (IT providers, major SaaS, data processors)

What to do:

  • Formal security questionnaire
  • Review of security certifications
  • Annual reassessment
  • Contractual security requirements

Examples: Your managed service provider. Your cloud hosting. Your CRM. Your HR system.

Tier 2: Important suppliers (regular access, moderate data)

What to do:

  • Abbreviated questionnaire
  • Verification of basic controls
  • Periodic review

Examples: Marketing platforms. Analytics services. Collaboration tools.

Tier 3: Standard suppliers (limited access, limited data)

What to do:

  • Basic due diligence
  • Review of public information
  • Contract clauses for data protection

Examples: Office supplies. Utilities. Most vendors without system access.

The Security Questionnaire

For Tier 1 suppliers, you need to ask specific questions.

Basic questions:

  1. Do you have a security certification (ISO 27001, SOC 2, etc.)?
  2. Do you require MFA for all system access?
  3. How quickly do you patch critical vulnerabilities?
  4. Do you conduct security awareness training?
  5. Do you have cyber insurance?
  6. Have you had a security incident in the past two years?
  7. How do you protect data at rest and in transit?
  8. What’s your backup and recovery capability?
  9. Do you conduct penetration testing?
  10. How would you notify us of a security incident?

For suppliers with system access:

  1. How is privileged access managed?
  2. Do you use a VPN or zero trust approach for remote access?
  3. What endpoint protection do you use?
  4. How are admin credentials secured?
  5. Do you monitor for security threats?

For suppliers handling sensitive data:

  1. Where is our data stored (country/region)?
  2. Who can access our data?
  3. How is our data isolated from other customers?
  4. What’s your data retention policy?
  5. Can you provide data deletion on request?

You don’t need all these questions for every supplier. Adapt based on the relationship.

Reading the Answers

Questionnaire responses need interpretation:

Good signs:

  • Specific, detailed answers
  • Reference to certifications with evidence
  • Clear processes and responsibilities
  • Transparency about limitations
  • Willingness to discuss further

Warning signs:

  • Vague or boilerplate responses
  • Claims without evidence
  • Resistance to providing information
  • “We’ve never had an incident” without controls to explain why
  • Inability to answer basic questions

Red flags:

  • No MFA
  • No security training
  • No incident response plan
  • No encryption for sensitive data
  • No regular patching
  • No cyber insurance

Certifications and What They Mean

Suppliers often cite certifications. Here’s what they indicate:

ISO 27001: International standard for information security management. Requires documented processes, risk assessment, and controls. Annual audits. Value: High. Indicates systematic security management.

SOC 2: US-based audit standard. Examines controls related to security, availability, processing integrity, confidentiality, and privacy. Value: High, especially Type II (examines controls over time, not just a point in time).

IRAP Assessment: Australian government assessment framework. Required for providers handling government data. Value: High for government-related work. Indicates thorough assessment.

PCI DSS: Required for handling payment card data. Specific controls for protecting cardholder data. Value: Indicates attention to one category of sensitive data.

Essential Eight Maturity: Australian framework. Shows alignment with ACSC guidance. Value: Indicates attention to practical security controls.

Certification isn’t everything: A certification means controls existed at assessment time. It doesn’t guarantee current security. Ask when assessments were conducted and whether they’re ongoing.

Contract Provisions

Beyond assessment, contracts should include security provisions:

Required elements:

  • Data protection obligations
  • Breach notification requirements (24-48 hours typical)
  • Right to audit or review security practices
  • Subcontractor approval requirements
  • Confidentiality obligations
  • Compliance with relevant laws

Useful additions:

  • Requirement to maintain specific security controls
  • Requirement to maintain cyber insurance
  • Termination rights for security failures
  • Data return/deletion on contract end
  • Liability provisions for security breaches

Work with legal counsel to get contract language right. Many suppliers will accept reasonable security provisions.

Ongoing Monitoring

Assessment isn’t one-and-done.

Annual activities:

  • Reassess Tier 1 suppliers
  • Review any reported incidents
  • Verify certifications are current
  • Update questionnaire for new risks

Ongoing activities:

  • Monitor for news about supplier breaches
  • Review access levels when relationships change
  • Update risk assessments when suppliers change what they do

Triggers for immediate review:

  • News of a supplier security incident
  • Significant changes to supplier services
  • Supplier acquisition or major changes
  • Concerns raised by your team

When Suppliers Fall Short

What if a supplier’s security isn’t adequate?

Options:

Work with them: Sometimes suppliers will improve if you explain requirements. Especially if you’re a significant customer.

Accept the risk: Document the gap, implement compensating controls, and accept that this supplier has higher risk.

Mitigate technically: Limit the supplier’s access. Segment them from sensitive systems. Implement additional monitoring.

Find alternatives: If the risk is too high and they won’t improve, consider switching to a more secure supplier.

The right choice depends on how critical the supplier is and how significant the security gaps are.

The MSP Conversation

Your IT provider deserves special attention. They often have extensive access to your systems.

Questions to ask:

  • What security controls do you have on your RMM tools?
  • How are your engineer accounts secured?
  • What happens if one of your staff goes rogue?
  • How would you detect if your systems were compromised?
  • What’s your incident response process?
  • Do you carry cyber insurance with appropriate coverage?

What good looks like:

  • MFA on all access, including internal tools
  • Principle of least privilege for engineer accounts
  • Security monitoring of their own systems
  • SOC 2 or ISO 27001 certification
  • Clear incident response procedures
  • Adequate insurance coverage

If your MSP can’t answer these questions satisfactorily, that’s a significant risk factor.

Getting Help

Supplier security assessment can be time-consuming. Team400 and similar firms can help:

  • Develop assessment frameworks appropriate to your size
  • Conduct assessments on your behalf
  • Review supplier responses and identify gaps
  • Recommend risk mitigation approaches

For businesses with many suppliers, this can be more efficient than doing it all internally.

The Australian Regulatory Context

Privacy Act obligations:

You’re responsible for personal information even when suppliers handle it. If they breach, you may have notification obligations.

Notifiable Data Breaches:

If a supplier breach affects personal information you collected, you may need to notify affected individuals and the OAIC.

Supply chain security guidance:

ACSC provides guidance on securing the ICT supply chain. Worth reviewing if you work with technology suppliers.

Building a Simple Program

Month 1:

  • Inventory your suppliers
  • Categorise into tiers based on risk
  • Identify Tier 1 suppliers for immediate assessment

Month 2:

  • Develop or adopt a questionnaire
  • Send to Tier 1 suppliers
  • Review contract provisions

Month 3:

  • Review questionnaire responses
  • Identify gaps and concerns
  • Begin conversations with suppliers about improvements

Ongoing:

  • Annual reassessment of Tier 1
  • Periodic review of Tier 2
  • Update inventory as suppliers change

Practical Reality

I know this sounds like a lot. Here’s the minimum:

  1. Know who your critical suppliers are. At minimum, list the suppliers with system access or handling sensitive data.

  2. Ask basic questions. MFA? Patching? Insurance? You don’t need a 50-question assessment to get useful information.

  3. Include security in contracts. Breach notification requirements at minimum.

  4. Pay attention. Monitor for news about your suppliers. React when things change.

Even basic supplier awareness is better than none. Working with specialists like AI consultants Brisbane can help build more comprehensive programs when you’re ready.

Final Thought

Your suppliers are part of your security perimeter. Their weaknesses affect you.

You don’t need an enterprise vendor risk management program. You need awareness of who your critical suppliers are and basic assurance they’re not negligent about security.

Start simple. Build over time. Pay attention.

The businesses that manage supplier risk avoid being collateral damage in someone else’s breach.