Monthly Archives: November 2021

How Your Competitors Are Preventing Supply Chain Attacks


Supply chain security threats are like the flu: Sooner or later, they’re bound to impact you, no matter how hard you try to avoid them.

Indeed, by their very nature, supply chain attacks are more likely to affect large numbers of organizations than most other types of breaches. The majority of cyber threats target individual companies. But a single supply chain attack could impact hundreds or thousands of businesses at once if it compromises software or data within their supply chains.

For proof of just how pervasive supply chain security risks are, you need only look at recent examples. The SolarWinds breach impacted dozens of organizations, including major U.S. federal agencies. The Kaseya breach extended to thousands of businesses spread throughout the world that use Kaseya’s software. Expect more figures like these as the prevalence of supply chain attacks — a threat that one major security research report called “staggeringly high” — continues to grow at rates approaching 400 percent.

That’s the bad news. The good news is that, as explained below, there are effective steps you can take to protect your business from supply chain risks. They won’t completely guarantee immunity from attack, but they’ll go a long way toward mitigating the threat.

Why are supply chains so risky?

The first step in managing supply chain threats is understanding what makes supply chains inherently risky.


The reasons are simple enough: Supply chains typically involve many suppliers, and it’s difficult to maintain visibility into the security state of each of them.


By comparison, it’s relatively easy to secure your own IT assets — meaning those you deploy and manage yourself. But it’s much harder to ensure that your vendors’ and suppliers’ IT environments are secure — especially when you have dozens or hundreds of vendors in your supply chain.

Managing supply chain security: The typical response

The typical playbook for managing supply chain risks includes some basic steps:

  • Compliance: Requiring suppliers to adhere to cybersecurity standards like the U.S. government’s NIST framework or the E.U.’s ENISA/ISO can help to reduce the prevalence of threats. But actually enforcing compliance across third-party vendors’ businesses can be difficult.
  • Vetting: Businesses often enforce vetting processes for new vendors. That’s good, but it doesn’t guarantee that you’ll avoid risks once a vendor relationship has already been established.
  • Cybersecurity teams: Investing in cybersecurity expertise can help harden IT assets against attack. But your own cybersecurity experts can’t do much to protect the assets of your vendors.

These are all useful strategies for managing supply chain risks. But they’re not enough on their own to make your security posture as strong as possible.

Going further to secure the supply chain

Beyond those basic supply chain security steps, businesses should implement additional measures to make their supply chains as safe as possible.

Access control

Businesses should implement tight access controls to govern who can access their systems. Access should be defined in a granular way and restricted by the principle of least privilege.

In many countries, regulations make supply chain cybersecurity a legal requirement: companies must comply with a security framework and complete its checklist, after which a vendor can demonstrate that stronger controls are in place. While strong access controls won’t prevent every risk in your supply chain, they will reduce the chances that a vendor’s cybersecurity problem becomes your cybersecurity problem.

Technology investment

Given the complexity and scale of modern supply chains, managing their security manually is not feasible in most cases. That’s why it’s wise to invest in tools that are purpose-built to assess and manage supply chain risks automatically, across all vendors’ IT estates.

Maximum visibility and coverage

Along similar lines, businesses should leverage automation technology to maximize their ability to identify and track security risks within their supply chains. This is also a process that you can’t handle manually unless you have a very simple supply chain.

Vendor education

In addition to asking your vendors to be secure, consider providing educational resources that explain exactly how they should secure their assets. These resources could be based on the cybersecurity standards that you want to enforce across your supply chain. A vendor’s transparency, should a breach occur, can also provide valuable feedback to others in that supply chain.

Assess vendor risk

Not all vendors pose the same level of risk. Risks vary depending on which types of data and applications the vendors supply or integrate with, and how important the vendors are to your business.

This means you should contextualize vendor risk and enforce security safeguards accordingly. High-risk vendors may require stronger oversight than those whose assets play a less central role in your operations.

Cybersecurity drills

Planning how to respond to a supply chain breach, then practicing the response via cybersecurity drills, goes a long way toward helping ensure a fast and effective resolution when attacks occur. In particular, your response plan and drills should address:

  • Business risks: It should be easy to identify which parts of the business are impacted by a breach and what level of risk their disruption poses to the overall business.
  • Manual vs. automated processes: Which response processes can be automated, and which will need to be performed manually? You’ll want to answer these questions before the breach occurs.
  • Mediation: Which teams or stakeholders will take the lead in managing a supply chain breach? If your organization does not have a CISO in place, then another person from either procurement or the I.T. department could be appointed. Immediate decision-making in a crisis is critical.
  • Disclosure: How will you announce a breach to your customers and partners? How much information should you include about the breach? Different types of breaches and vendors may require different disclosures.

Response drills prepare you to remove risky components from your supply chain rapidly with minimal disruption to business operations.

Supply chain assessment

The most secure business is one that continuously assesses its supply chain to identify its weakest links from a security perspective. Again, not all vendors pose the same level of risk, and not all vendors can be assessed in the same way. You must implement an assessment process tailored to your particular supply chain.

As CIO Review explains, “While threats cannot be completely eliminated, supply chain security can contribute to a more secure, efficient flow of goods that can recover quickly from disruptions.”

In other words, the fact that supply chain security is impossible to guarantee completely is not an excuse for ignoring it. It’s absolutely critical not only to take basic steps to defend your supply chain, but also to implement advanced measures — such as practicing responses and automating supply chain visibility as much as possible — that can bring your risks as close as possible to zero.


Meeting the CMMC Compliance Challenge Head-On


Unless you’re already in business with the US Department of Defense (DoD), you may not have thought much about the Cybersecurity Maturity Model Certification, or CMMC. Until recently, the CMMC was a U.S. federal government compliance framework that applied only to companies that sell to the DoD.

But that changed in late 2020 when the federal government announced all government contractors should begin preparing for CMMC compliance. At the same time, the DoD has embarked on an update of the CMMC rules, adding more complexity to the challenge of complying with CMMC.

Thus, while it was possible to say a year ago that “the CMMC is coming,” we must now recognize that “the future of CMMC is here” already. Compliance strategies that sufficed in the past may no longer be enough. Now is the time to prepare if you plan to do business with U.S. government agencies of any type.

What are the CMMC levels?

As compliance frameworks go, the CMMC is relatively easy to understand. It consists of five main components, known in CMMC parlance as “levels.” Each level defines a set of cybersecurity requirements that businesses must meet.

The nature of the work your business does and the sensitivity of the government data or processes it handles determine which CMMC level you need to comply with. The engagement specifies which compliance level companies need to achieve in order to meet given contract requirements.

Here’s a breakdown of the CMMC, starting with the most basic. Note that the levels are cumulative. Level 2 compliance also requires level 1 compliance, level 3 compliance also implies levels 1 and 2, and so on.

Level 1

Level 1 requires “basic cyber hygiene,” which is defined in the CMMC as adhering to specific procedures that protect against data theft and mitigate the risk of major cyberattacks. However, level 1 doesn’t require businesses to implement these processes in a particular way or to document their compliance. Thus, level 1 compliance is the easiest to achieve.

Level 2

Level 2, which mandates “intermediate cyber hygiene,” includes somewhat more rigid cybersecurity processes and controls than level 1. Importantly, level 2 also requires businesses to establish a consistent, documented set of policies to enforce cybersecurity. You can’t approach cybersecurity in an ad hoc fashion to achieve level 2 compliance.

Level 3

To achieve level 3 compliance, you need not just document a cybersecurity plan but also be able to demonstrate that you are achieving it. In addition, level 3 adds nearly two dozen cybersecurity controls, which are part of the “good cyber hygiene” requirements of the CMMC.

Level 4

Level 4, which requires a “proactive” approach to cybersecurity, mandates that businesses review their cybersecurity practices, identify weaknesses and take steps to correct them — in addition to documenting and demonstrating compliance, as the lower levels require.

Level 5

Level 5, which requires “advanced/proactive” cybersecurity, is the toughest CMMC compliance level to meet. It mandates that businesses do not just review and improve their cybersecurity practices, but also that they optimize them on a proactive basis. The goal is to anticipate and block threats before they materialize.


Preparing for CMMC compliance: Why and how

Given the significant changes that the CMMC is currently undergoing — in terms of both which businesses the rules apply to, and what the rules include — many companies understandably aren’t sure where to start when it comes to preparing for CMMC compliance.

That’s one reason why it’s wise to work with a CMMC consultant, who understands the complexities of the framework and can guide you in establishing a plan to meet them.

Achieving CMMC certification

Even if you don’t need to be CMMC-compliant today, you may in the future if you choose to work with government agencies that adopt the CMMC as a requirement for their contractors.


And beyond compliance itself, CMMC certification is beneficial because it helps you establish a stronger security posture — a critical consideration in a world where cybercrime, including supply chain, email and ransomware attacks and many other breaches, now costs nearly 1 trillion dollars annually, or more than 1 percent of global GDP.

End-to-end supply chain security

It’s worth noting, too, that CMMC is only one of the numerous compliance frameworks that are either just coming online or are being overhauled. You’ve probably heard of others, like NIST, CCPA/CPRA, and SHIELD, which also have implications for businesses doing business with other companies or agencies in various industries.

Given all of this change and complexity surrounding compliance, it’s a best practice to build automated compliance controls into your operational pipelines using a tool like Findings. Compliance is only going to grow more complicated over the coming years, which is why it’s critical to identify risks across your entire supply chain — and to prove to your customers that you’re managing risks effectively.

 

All of the above means that many businesses have a mandate to overhaul their compliance and risk management strategies. Even if the CMMC specifically doesn’t apply to your business, chances are that other new compliance rules will. Building risk detection and management into your entire operational pipeline — including your supply chain — is crucial for meeting these new challenges.
