Are Any Of Your Suppliers A Security Risk Waiting To Happen?

Organisations rely on scores of different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? 

In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organisations relying on these third-party services experiencing costly downtime and exposing their assets and sensitive content to cyber criminals. In the case of something like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information at a global scale.

The very real risk presented by third-party vendors and suppliers shouldn’t be ignored – which is why it’s essential for CISOs and security teams to proactively take steps to manage supplier risk  to maintain a secure and protected environment.

A Smarter Approach To Screening

One of the ways organisations can help reduce risk is by better screening suppliers right at the outset.

Gathering all the different information required to properly screen vendors – everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor – has historically been a very time-consuming process. 

Fortunately, generative AI is lending a hand to this task, providing a faster way to extract information from questionnaires or corporate databases, analyse the data, and then provide a summary evaluation for a “human” review. This helps to quickly “triage” vendors into different groups, depending on their risk profile. 

Some vendors will automatically be weeded out if they don’t meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO, with the intelligence they need to make an informed decision.

The end result is an ability to more thoroughly screen vendors for risk right from the beginning – helping to eliminate potentially risky suppliers from becoming part of an organisation’s infrastructure in the first place. And this method can help to improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.

The Benefits Of Consolidation

It’s also worthwhile for organisations to seek ways to consolidate their existing vendors, to make sure they’re taking advantage of best-of-breed suppliers. 

As large tech companies – think here of Microsoft, Cisco, and the like – buy smaller companies to develop their own capabilities and expand their product portfolio, it becomes easier for organisations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions. 

In doing so, they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.

Is The Supplier’s House In Order?

Organisations should also shine a spotlight on vendors and the policies, plans, and processes they have in place to manage risk.

For instance: When it comes to the data centres that are hosting cloud services, who has access to those data centers physically and remotely? 

Also, what does their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? And how often do they test these processes?

If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be crystal clear.

It’s not enough for these policies, plans, and processes to be documented and made available on demand: They should be readily accessible to any potential customer who wants to view them at any point in time. A compliance portal with 24/7 access would go a long way. Furthermore, these policy documents should be regularly refreshed with the most up-to-date information. Every 3-6 months is a good cadence to look for and ensures the documentation isn’t gathering cobwebs or becoming an increasingly irrelevant collection of out-of-date information.

Less Weak Links Means Less Risk

While supplier risk is impossible to eliminate entirely, a few key steps make it possible to significantly reduce it. Leveraging new technologies such as generative AI responsibly, can help to reduce a lot of the burden from manual evaluation.

Given that any organisation is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially "at risk” third-party vendors and suppliers.

Manuel Sanchez is Information Security and Compliance Specialist at iManage

Image: tanit boonruen

You Might Also Read: 

Reducing The Risk Of Weak Links With Consolidation:   


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

 

« Warnings Over Cyber Security At The Paris Olympics
Large-Scale IT Outage Causing International Disruption »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

Veracode

Veracode

Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

Assured Data Protection

Assured Data Protection

Assured Data Protection specialises in data protection and disaster recovery services for large SME and enterprise organisations.

Verimatrix

Verimatrix

Verimatrix is a global provider of innovative cybersecurity solutions that protect content, devices, software and applications.

Equilibrium Security Services

Equilibrium Security Services

Equilibrium Security Services is a specialist cyber security company providing a full spectrum of IT security solutions from consultancy to design & implementation and managed security services.

Towergate Insurance

Towergate Insurance

Towergate Insurance is a leading UK specialist insurance broker. Business products include Cyber Liability Insurance.

Salt Communications

Salt Communications

Salt communications is a global leader in secure communications. Our bespoke platform is the secure communications solution that uniquely gives complete control to our customers.

ReFoMa

ReFoMa

ReFoMa is a consultancy and advisory company with a focus on information Security.

eLearnSecurity

eLearnSecurity

eLearnSecurity is an innovator in the IT Security training market providing quality online courses paired with highly practical virtual labs.

Conduent

Conduent

Conduent delivers mission-critical technology services and solutions on behalf of businesses and governments. Solution areas include digital risk and compliance.

Avancer Corporation

Avancer Corporation

Avancer Corporation is a multi-system integrator focusing on Identity and Access Management (IAM) Technology. Founded in 2004.

Grove Group

Grove Group

Grove provides businesses with the tools that work best for their unique operations, through cybersecurity and cloud services, custom software development and our big data analytics expertise.

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies offer an advanced innovation for AI security. The Bosch AIShield is the definite answer to safeguard your business against model extraction attacks.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

Relyance AI

Relyance AI

Relyance AI - One unified platform for privacy, security, & governance.