The ways software and networks are coded matter; a scorecard can help
May 2021
As organizations utilize more digital services, they can be exposed to cyber attacks if the vendors they use are not properly vetted. Bad actors are sneaky, sometimes persistent, and can move around networks undetected – SolarWinds can attest to that.
If a digital service connects to a company’s network, bad actors can use that as a back door into the entire system. That is why it is important to vet service providers to be sure they have a strong supply chain process in place — including the companies they do business with.
Last year, Hoosier Energy’s Communications Coordinator Eric Neely and Video Producer Chris Johnson set out to find a solution to manage the department’s digital content, including branding and image assets. Knowing they wanted to use cloud-based software, known as Software as a Service (SaaS), they found vendors whose software runs through any web browser.
“We wanted the system selected to not only help us work smarter and faster as a team, but also be one that does not pose a security risk for the company,” said Neely.
To find out what requirements are needed for new software, Neely reached out to Hoosier Energy’s Manager of Cybersecurity and Network Richie Field. He learned there is a cybersecurity scorecard that helps pinpoint secure platforms.
“This helps identify the probability of an issue and its impact so the level of risk can be determined,” said Field.
This is a tool that helps the co-op select vendors who are doing their due diligence when they build their systems. Based on the responses given, it can be determined which vendors take a serious look at security when they build their network.
The scorecard is part of a two-pronged approach in place at Hoosier Energy. Contract language is one aspect vendors are reviewed on. This ensures the co-op is contacted when a vendor has a breach and establishes how the response will be coordinated.
The second component is an assessment to make sure the hardware and software used have been properly vetted. This is how SaaS system vendors will be reviewed and approved for use.
“When I reached out to vendors about completing the scorecard, some said they are no longer interested in our business. That is when I knew the strength this analysis brings,” said Neely.
This review, consisting of up to 280 questions, analyzes how the software is built, and also how hardware, firmware and open-source code are originated and authenticated.
“Through this process, we were able to find a system that is more than a win-win, it is a secure-win,” said Neely.