Are Any Of Your Suppliers A Security Risk Waiting To Happen?

Organisations rely on scores of different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? 

In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organisations that rely on such third-party services suffering costly downtime and exposing their assets and sensitive content to cyber criminals. In cases like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information on a global scale.

The very real risk presented by third-party vendors and suppliers shouldn’t be ignored – which is why it’s essential for CISOs and security teams to proactively manage supplier risk in order to maintain a secure and protected environment.

A Smarter Approach To Screening

One of the ways organisations can help reduce risk is by better screening suppliers right at the outset.

Gathering all the different information required to properly screen vendors – everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor – has historically been a very time-consuming process. 

Fortunately, generative AI is lending a hand to this task, providing a faster way to extract information from questionnaires or corporate databases, analyse the data, and then provide a summary evaluation for “human” review. This helps to quickly “triage” vendors into different groups, depending on their risk profile. The reviewer should still be able to trace each point in the summary back to the underlying questionnaire answer or document, since an extraction error at this stage would otherwise pass unnoticed into the risk rating.

Some vendors will automatically be weeded out if they don’t meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO, with the intelligence they need to make an informed decision.

The end result is an ability to screen vendors for risk more thoroughly right from the beginning – helping to stop potentially risky suppliers from becoming part of an organisation’s infrastructure in the first place. The same method can also improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.

The Benefits Of Consolidation

It’s also worthwhile for organisations to seek ways to consolidate their existing vendors, to make sure they’re taking advantage of best-of-breed suppliers. 

As large tech companies – think here of Microsoft, Cisco, and the like – buy smaller companies to develop their own capabilities and expand their product portfolio, it becomes easier for organisations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions. 

In doing so, they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.

Is The Supplier’s House In Order?

Organisations should also shine a spotlight on vendors and the policies, plans, and processes they have in place to manage risk.

For instance: When it comes to the data centres that host cloud services, who has access to those data centres, physically and remotely?

Also, what do their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? And how often do they test these processes?

If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be crystal clear.

It’s not enough for these policies, plans, and processes to be documented and made available on demand: They should be readily accessible to any potential customer who wants to view them at any point in time. A compliance portal with 24/7 access would go a long way. Furthermore, these policy documents should be regularly refreshed with the most up-to-date information. Every three to six months is a good cadence to look for; it ensures the documentation isn’t gathering cobwebs or becoming an increasingly irrelevant collection of out-of-date information.
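The triage described in the screening section and the questions asked in this one can be combined into a simple two-stage check: hard-fail gates that automatically weed a vendor out, followed by a weighted score that sorts the rest into approve, review or reject, plus a short report for the selection committee. The following is an added example, not code from the article or from iManage; the questionnaire fields, the weights, the thresholds and the three vendors are all assumptions constructed for illustration and should be replaced with your own benchmark.

```python
"""Two-stage supplier triage: hard-fail gates, then a weighted risk score.

Added example, not the article's or iManage's code. Every field, weight and
threshold below is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class VendorAnswers:
    name: str
    physical_access_controlled: bool   # is physical entry to the data centre controlled?
    remote_access_mfa: bool            # is remote administrative access behind MFA?
    dr_restore_hours: float            # committed time to restore data after a disaster
    dr_tested_months_ago: int          # months since the BC/DR process was last tested
    breach_notify_hours: float         # committed time to notify customers of a breach
    notify_channels: tuple             # e.g. ("email", "phone"); empty means undefined
    docs_last_reviewed: date           # when the policy documents were last refreshed
    open_critical_findings: int        # unresolved critical findings from the last audit


def months_between(older: date, newer: date) -> int:
    """Whole calendar months between two dates (day of month ignored)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def hard_fail_reasons(v: VendorAnswers) -> list:
    """Gate 1: any reason here weeds the vendor out regardless of score."""
    reasons = []
    if not v.physical_access_controlled:
        reasons.append("no physical access control on hosting facility")
    if not v.remote_access_mfa:
        reasons.append("remote administrative access without MFA")
    if v.breach_notify_hours > 72:
        reasons.append("breach notification commitment exceeds 72 hours")
    if not v.notify_channels:
        reasons.append("no defined customer notification channel")
    return reasons


def risk_score(v: VendorAnswers, today: date) -> int:
    """Gate 2: weighted score, higher is riskier (weights are assumptions)."""
    score = 0
    if v.dr_restore_hours > 24:
        score += 20
    if v.dr_tested_months_ago > 12:
        score += 25
    if v.breach_notify_hours > 24:
        score += 15
    if months_between(v.docs_last_reviewed, today) > 6:   # stale policy set
        score += 15
    score += min(v.open_critical_findings, 4) * 10        # capped contribution
    return score


def triage(v: VendorAnswers, today: date, review_at: int = 25, reject_at: int = 60) -> dict:
    """Return tier, score and the reasons a human reviewer should see."""
    reasons = hard_fail_reasons(v)
    if reasons:
        return {"name": v.name, "tier": "reject", "score": None, "reasons": reasons}
    score = risk_score(v, today)
    if score >= reject_at:
        tier = "reject"
    elif score >= review_at:
        tier = "review"
    else:
        tier = "approve"
    return {"name": v.name, "tier": tier, "score": score, "reasons": reasons}


def summary_report(results: list) -> list:
    """One line per vendor, riskiest first, for the committee or the Board."""
    ordered = sorted(results, key=lambda r: (r["score"] is None, -(r["score"] or 0)), reverse=True)
    return [
        f"{r['name']:<14} {r['tier']:<8} score={str(r['score']):>4}  "
        + ("; ".join(r["reasons"]) or "-")
        for r in ordered
    ]


# Constructed sample questionnaire answers (not real vendors).
TODAY = date(2024, 7, 1)
SAMPLE_VENDORS = [
    VendorAnswers("Alpha Hosting", True, True, 8, 3, 4, ("email", "phone"), date(2024, 3, 1), 0),
    VendorAnswers("Beta Cloud", True, True, 48, 6, 12, ("email",), date(2023, 11, 15), 0),
    VendorAnswers("Gamma MSP", True, False, 8, 2, 4, ("email", "phone"), date(2024, 5, 1), 0),
]


def run_sample() -> list:
    return [triage(v, TODAY) for v in SAMPLE_VENDORS]


if __name__ == "__main__":
    for line in summary_report(run_sample()):
        print(line)
```

Keeping the gates separate from the score matters: a vendor with excellent scores elsewhere should still not pass if it cannot say who has remote access to its data centre or how it will notify you of a breach, and the reasons list is what the human reviewer actually needs to see.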

Fewer Weak Links Mean Less Risk

While supplier risk is impossible to eliminate entirely, a few key steps make it possible to reduce it significantly. Leveraging new technologies such as generative AI responsibly can remove much of the burden of manual evaluation.

Given that any organisation is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially “at risk” third-party vendors and suppliers.

Manuel Sanchez is Information Security and Compliance Specialist at iManage

Image: tanit boonruen
