Why Do My Customers Want Due Diligence?

From Security for Everyone, edition e1.0.0. Updated October 9, 2023.

Our businesses operate as part of an ecosystem. This system is made up of organizations of all shapes and sizes connecting to each other to share information, collaborate, and transact. No organization can operate alone: each of us depends on other companies and organizations to provide the products and services we need to get the job done, even though those products and services are not part of our core business model.

This ecosystem is vast and densely coupled. Each organization connects to dozens if not hundreds of others in an interconnected network.

Figure: The business ecosystem is highly interconnected.

Securing our data, people, and systems requires trust. We trust the people we employ, the policies we write, and the systems we build to protect what matters most to us whilst ensuring it remains available for use.

When we decide to share or connect with other organizations, by purchasing their products or software, using their people’s skills, or connecting to their infrastructure, we are trusting that this third party will have at least the same level of security maturity as we do and that the data and access we share with them will remain secure.

Definition: This interconnectivity is what makes customer due diligence so important. The old saying goes that a chain is only as strong as its weakest link and, in this case, our network of organizations is only as secure as its least secure member. This concept is sometimes referred to as supply chain security.

The Importance of Supply Chain Security

Supply chain attacks are on the rise. Incidents like the 2020 compromise of security solutions provider SolarWinds illustrate the complexity and severity of these attacks. In this incident, attackers were able to compromise a security software platform developed by SolarWinds and use it to distribute malicious software to SolarWinds' customers. Approximately 18K SolarWinds customers globally are believed to have been infected and compromised as a result, including national government organizations as well as Fortune 500 companies.

Remember that, like most people, attackers are lazy and look for the most effective way to compromise the most targets. Supply chain attacks provide an economy of scale for these criminals, who can invest once in their attack and compromise many companies as a result.

Due diligence helps us to systematically verify supply chain security and gives us confidence that our security will not be compromised as a result of the relationship. While this assessment can never completely remove the risk of a supply chain attack, it helps your organization understand where it carries vulnerability and risk outside of its immediate control, and gives you an opportunity to plan for and manage that risk.
