Are Any Of Your Suppliers A Security Risk Waiting To Happen?

Uploaded on 2024-07-18 in TECHNOLOGY--Resilience, FREE TO VIEW

Organisations rely on scores of different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? 

In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organisations relying on these third-party services experiencing costly downtime and exposing their assets and sensitive content to cyber criminals. In the case of something like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information at a global scale.

The very real risk presented by third-party vendors and suppliers shouldn’t be ignored – which is why it’s essential for CISOs and security teams to proactively take steps to manage supplier risk  to maintain a secure and protected environment.

A Smarter Approach To Screening

One of the ways organisations can help reduce risk is by better screening suppliers right at the outset.

Gathering all the different information required to properly screen vendors – everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor – has historically been a very time-consuming process. 

Fortunately, generative AI is lending a hand to this task, providing a faster way to extract information from questionnaires or corporate databases, analyse the data, and then provide a summary evaluation for a “human” review. This helps to quickly “triage” vendors into different groups, depending on their risk profile. 

Some vendors will automatically be weeded out if they don’t meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO, with the intelligence they need to make an informed decision.

The end result is an ability to more thoroughly screen vendors for risk right from the beginning – helping to eliminate potentially risky suppliers from becoming part of an organisation’s infrastructure in the first place. And this method can help to improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.

The Benefits Of Consolidation

It’s also worthwhile for organisations to seek ways to consolidate their existing vendors, to make sure they’re taking advantage of best-of-breed suppliers. 

As large tech companies – think here of Microsoft, Cisco, and the like – buy smaller companies to develop their own capabilities and expand their product portfolio, it becomes easier for organisations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions. 

In doing so, they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.

Is The Supplier’s House In Order?

Organisations should also shine a spotlight on vendors and the policies, plans, and processes they have in place to manage risk.

For instance: When it comes to the data centres that are hosting cloud services, who has access to those data centers physically and remotely? 

Also, what does their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? And how often do they test these processes?

If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be crystal clear.

It’s not enough for these policies, plans, and processes to be documented and made available on demand: They should be readily accessible to any potential customer who wants to view them at any point in time. A compliance portal with 24/7 access would go a long way. Furthermore, these policy documents should be regularly refreshed with the most up-to-date information. Every 3-6 months is a good cadence to look for and ensures the documentation isn’t gathering cobwebs or becoming an increasingly irrelevant collection of out-of-date information.

Less Weak Links Means Less Risk

While supplier risk is impossible to eliminate entirely, a few key steps make it possible to significantly reduce it. Leveraging new technologies such as generative AI responsibly, can help to reduce a lot of the burden from manual evaluation.

Given that any organisation is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially "at risk” third-party vendors and suppliers.

Manuel Sanchez is Information Security and Compliance Specialist at iManage

Image: tanit boonruen

You Might Also Read: 

Reducing The Risk Of Weak Links With Consolidation:   

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« Warnings Over Cyber Security At The Paris Olympics
Large-Scale IT Outage Causing International Disruption »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Zayo

Zayo

Zayo is a leading global bandwidth infrastructure services provider for high-performance connectivity, secure colocation and flexible cloud services.

baramundi software

baramundi software

baramundi software AG provides companies and organizations with efficient, secure, and cross-platform management of workstation environments.

Backup112

Backup112

Backup112 has been delivering professional cloud backup services since 2004.

Secmentis

Secmentis

Secmentis is a cyber security consultancy specializing in penetration testing, threat intelligence, and proactive defense for your IT infrastructure.

Referentia

Referentia

Referentia leads the development of critical infrastructure solutions that benefit society, including cyber security and network performance management.

SecurityScorecard

SecurityScorecard

SecurityScorecard provides the most accurate security ratings & continuous risk monitoring for vendor and third party risk management.

ElcomSoft

ElcomSoft

ElcomSoft is a global leader in computer and mobile forensics, IT security and forensic data recovery.

SecureBrain

SecureBrain

SecureBrain software and services help protect against Japanese-specific cybercrime and global internet security threats such as online fraud, phishing, drive-by downloads and malware attacks.

Cyber Observer

Cyber Observer

Cyber Observer’s team specializes in providing corporate officers with comprehensive, visual, real-time performance overview, critical security control (CSC) analysis.

Eskive

Eskive

Eskive is a Brazilian cyber security awareness and education platform that empowers users and strengthens their company in the face of cyber threats.

Cyberstarts

Cyberstarts

Cyberstarts’ vision is to become the leading platform for amazing teams of entrepreneurs to solve the next big problems of the cybersecurity world.

01 Communique Laboratory

01 Communique Laboratory

01 Communique Laboratory is an innovation leader in the new realm of Post-Quantum Cyber Security.

F1 Security

F1 Security

F1 Security provides a family of web security solutions including web application firewalls, web shell detection solutions, and web shell scanners.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Heartland Business Systems (HBS)

Heartland Business Systems (HBS)

Heartland Business Systems serves commercial, public sector and small to medium business with results-driven and dedicated information technology services.

Vonahi Security

Vonahi Security

Vonahi Security is a cybersecurity SaaS company that pioneered automated network penetration testing.