Are Any Of Your Suppliers A Security Risk Waiting To Happen?

Organisations rely on scores of different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? 

In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organisations relying on these third-party services experiencing costly downtime and exposing their assets and sensitive content to cyber criminals. In the case of something like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information at a global scale.

The very real risk presented by third-party vendors and suppliers shouldn’t be ignored – which is why it’s essential for CISOs and security teams to proactively take steps to manage supplier risk  to maintain a secure and protected environment.

A Smarter Approach To Screening

One of the ways organisations can help reduce risk is by better screening suppliers right at the outset.

Gathering all the different information required to properly screen vendors – everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor – has historically been a very time-consuming process. 

Fortunately, generative AI is lending a hand to this task, providing a faster way to extract information from questionnaires or corporate databases, analyse the data, and then provide a summary evaluation for a “human” review. This helps to quickly “triage” vendors into different groups, depending on their risk profile. 

Some vendors will automatically be weeded out if they don’t meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO, with the intelligence they need to make an informed decision.

The end result is an ability to more thoroughly screen vendors for risk right from the beginning – helping to eliminate potentially risky suppliers from becoming part of an organisation’s infrastructure in the first place. And this method can help to improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.

The Benefits Of Consolidation

It’s also worthwhile for organisations to seek ways to consolidate their existing vendors, to make sure they’re taking advantage of best-of-breed suppliers. 

As large tech companies – think here of Microsoft, Cisco, and the like – buy smaller companies to develop their own capabilities and expand their product portfolio, it becomes easier for organisations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions. 

In doing so, they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.

Is The Supplier’s House In Order?

Organisations should also shine a spotlight on vendors and the policies, plans, and processes they have in place to manage risk.

For instance: When it comes to the data centres that are hosting cloud services, who has access to those data centers physically and remotely? 

Also, what does their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? And how often do they test these processes?

If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be crystal clear.

It’s not enough for these policies, plans, and processes to be documented and made available on demand: They should be readily accessible to any potential customer who wants to view them at any point in time. A compliance portal with 24/7 access would go a long way. Furthermore, these policy documents should be regularly refreshed with the most up-to-date information. Every 3-6 months is a good cadence to look for and ensures the documentation isn’t gathering cobwebs or becoming an increasingly irrelevant collection of out-of-date information.

Less Weak Links Means Less Risk

While supplier risk is impossible to eliminate entirely, a few key steps make it possible to significantly reduce it. Leveraging new technologies such as generative AI responsibly, can help to reduce a lot of the burden from manual evaluation.

Given that any organisation is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially "at risk” third-party vendors and suppliers.

Manuel Sanchez is Information Security and Compliance Specialist at iManage

Image: tanit boonruen

You Might Also Read: 

Reducing The Risk Of Weak Links With Consolidation:   


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

 

« Warnings Over Cyber Security At The Paris Olympics
Large-Scale IT Outage Causing International Disruption »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Gigamon

Gigamon

Gigamon provides intelligent Traffic Visability solutions that provide unmatched visbility into physical & birtual networks without affecting the performance or stability of production environments.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

Security University

Security University

Security University is a leading provider of Qualified Hands-On Cybersecurity Education, Information Assurance Training and Certifications for IT and Security Professionals.

IAC

IAC

IAC is a specialist Irecruitment consultancy covering Internal Audit, Risk, Controls, Governance, IT Audit, and Cyber Security roles.

Elysium Analytics

Elysium Analytics

Elysium Cognitive Security Analytics delivers the latest and most flexible security system to reduce cost and complexity while providing unmatched scalability.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

Servian

Servian

Servian is one of Australia's leading IT consultancies, with expertise in cloud, data, machine learning, DevOps and cybersecurity.

BreachLock

BreachLock

Breachlock delivers the most comprehensive Penetration Testing as a Service (PtaaS) powered by Certified Hackers and AI.

Help AG

Help AG

Help AG provides leading enterprise businesses and governments across the Middle East with strategic consultancy combined with tailored information security solutions and services.

The Citadel Department of Defense Cyber Institute (CDCI)

The Citadel Department of Defense Cyber Institute (CDCI)

CDCI is established to address the critical national security needed for a skilled cybersecurity workforce.

Sekuro

Sekuro

Sekuro is your leading governance and cyber security partner. Building organisational resilience. Enabling fearless innovation.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

Cybalt

Cybalt

Cybalt is a security services company that provides end-to-end security solutions to help clients achieve their business goals.

Fraud.net

Fraud.net

Fraud.net operates the first end-to-end fraud management and revenue enhancement ecosystem specifically built for digital enterprises and fintechs globally.