With the increase in the need for remote working after the pandemic, the digitalization process of information assets, which is already rapidly increasing, has accelerated further. During this process, although some institutions and organizations continue their business processes by storing their information assets within their own bodies, the number of institutions and organizations that continue their business processes by using hosting services is quite high. Institutions and organizations that hold their information assets ensure their security by taking their own security measures. So, can or should those who receive hosting services do anything to ensure the security of their information assets?
What is Supplier Security and Why is it Important?
Supplier security is the process of managing and mitigating risks from an organization's suppliers. This includes assessing suppliers' financial stability, cybersecurity, data protection practices and business ethics. Its purpose is to prevent supply chain disruption, cyber attacks, data breaches and reputational damage.
Hosting is a type of service that provides storage of information assets within supply services. As a result of a data breach in companies that provide hosting services, not only the hosting company but also the institutions and organizations to which it is a supplier suffer a data breach. The latest example of this situation is the data breach reported by Tekrom Technology on May 2, 2024. Tekrom Teknoloji’nin yaşadığı veri ihlali sonucu en az 28 şirket veri ihlaline uğrarken en az 862.000 kişinin verileri çalınmıştır [1][2][3][4].
The data breach experienced at Tekrom Technology is not an exception or a rare situation. In recent years, companies that provide hosting services such as Vodatech and Mivento have also suffered data breaches, and companies such as Beşiktaş, Vodafone and Toyota have also suffered from these data breaches [5][6][7]. In today's world where a new data breach occurs every day, we must ensure that not only ourselves but also the institutions and organizations we are associated with ensure their own security.
What Should We Do for Supplier Security?
Supplier security is also included among the measures prepared for information security nationally and internationally. Among these, in addition to standards and legislation such as ISO 27001, ISO 27701, GDPR, measures for supplier security have also been prepared in the Information and Communication Security Guide prepared by the Presidential Digital Transformation Office in our country.
In the Information and Communication Security Guide prepared to ensure information security of public institutions and organizations in our country3.5.3 Supplier Relations Security heading. These measures aim to eliminate vulnerabilities that may exist in the supply chain and offer certain measures for suppliers. The guide for supplier security:
- Defining information security policies in the organization's supplier relations,
- Addressing information security in contracts,
- Compatibility of acceptance criteria and security criteria,
- Determining communication methods,
- Determination of responsibilities regarding the contractor and subcontractor,
- Requires monitoring of supply services and supply chain.
Public institutions and organizations that are required to comply with the guide have become aware of information security and taken precautions against threats, thanks to the measures they have implemented. The success of the guide in ensuring information security can be observed in the activity reports prepared every year by KVKK. According to KVKK's 2021 Activity Report, 56% of all complaints and notices coming to the board consisted of public institutions and organizations [8]. As compliance with the guide became mandatory and awareness increased, the share of public institutions and organizations decreased to 14% in 2022 and 5% in 2023 [9][10].
In its Digital Defense Report prepared for 2023, Microsoft describes 2023 as "the year when the cyber threat thermometer reaches its boiling point." mentioned as [11]. In today's world where threats and risks are increasing, organizations need to address information security in a holistic manner and reduce their vulnerabilities against threats as much as possible. Supplier security constitutes one of the most important points of holistic protection, and data breaches are evident in cases where supplier security is not ensured. In this context, compliance with methods of ensuring information security such as ISO 27001, ISO 27701, Information and Communication Security becomes a necessity for all institutions and organizations with digital or physical information assets.
Source
[1] Public Announcement (Data Breach Notification) – Tekrom Teknoloji A.Ş. (KVKK)
[2] Public Announcement (Data Breach Notification) – Asymmetric Ses Işık ve Vision Sistemleri A.Ş. (KVKK)
[3] Public Announcement (Data Breach Notification) – Lizay Kuyumculuk Ticaret Anonim Şirketi (KVKK)
[4] Public Announcement (Data Breach Notification) – Aker Mağazacılık Tekstil Ticaret ve Sanayi Anonim Şirketi (KVKK)
[5] Public Announcement (Data Breach Notification) – Beşiktaş Sportif Ürünleri Sanayi ve Ticaret A.Ş. (KVKK)
[6] Public Announcement (Data Breach Notification) – Vodafone Dağıtım Servis ve Content Hizmetleri A.Ş. (KVKK)
[7] Public Announcement (Data Breach Notification) – Toyota Turkey Marketing and Sales Joint Stock Company (KVKK)
[8] 2021 Activity Report (KVKK)
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/eaf2f71e-efa5-48e2-9326-9b7fa2813193.pdf
[9] 2022 Activity Report (KVKK)
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/aae3c721-9da4-43c7-95a6-8d14e6413a36.pdf
[10] 2023 Activity Report (KVKK)
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/1ee4f609-711f-4a85-aefc-69181bbcdf3a.pdf
[11] Digital Defense Report 2023 (Microsoft)
https://www.microsoft.com/tr-tr/security/security-insider/microsoft-digital-defense-report-2023
