Monthly Archives: December 2022

What’s At Stake With Ineffective Third Party Vendor Risk Management

ineffective vendor risk management

Virtually every business today has to outsource work to external vendors. By extension, it needs a plan to handle what Gartner calls vendor risk management, or VRM/TPRM. 

Working with third-party vendors exposes businesses to a variety of risks:

 

  • Reputational harm: Security mistakes made by third party vendors could harm your brand’s reputation. Even if your company wasn’t at fault, customers or partners might hold your business accountable because they believe you made the poor choice of working with a risky third-party vendor.
  • Operational damage: Problems with third-party vendors could disrupt your operations. For example, if a software product you depend on becomes vulnerable, your supply chain may cease to function until you find a replacement. Or your third party vendor may be hacked, leaving the door open to your organization for breaches or system failures.
  • Financial loss: Third party vendor risks that turn into operational disruptions can ultimately lead to revenue loss, exacerbating the operational fallout of the situation and costing your organization money.
  • Compliance challenges: You may be required to prove that your supply chain risk management complies with specific security or data privacy frameworks, and mistakes made by third party vendors could expose you to compliance failures. Like customers and partners, regulators aren’t likely to care whether the root cause of the issue lies with you or your vendor; all that matters to them is that you were non-compliant.

 

To respond to these challenges, especially considering the fact that 89% of businesses experiencing a supplier risk event in the past 5 years more needs to be done to develop an effective third party vendor risk management strategy. Developing that strategy starts with recognizing the mistaken assumptions that businesses often make when attempting to manage vendor risks.

 

Let’s look at those mistakes, why they’re dangerous and what businesses can do to avoid them.

 

1. Assuming All Vendors Are Covered

It can be easy to assume that as long as you have some kind of third party vendor risk management operation in place, it covers all of your vendors and gives you complete visibility into the risks associated with them.

 

The reality is that in many cases, TPRM programs overlook some vendors. The oversights most often result from relying on manual processes to identify and vet vendors, but you can also miss some vendors because your supplier list is always changing and you may not keep it up-to-date. 

Not only that, in many cases, coverage itself is partial. Modern supply chains are complex and because of this, long-tail vendors can be easily overlooked or ignored, exposing your organization and supply chain to huge risk.

The solution to these challenges is to rely on automation to track vendors. When you automate, it becomes much easier to find all third party vendors in your supply chain, and to keep your vendor inventory continuously up-to-date.

 

2. Overlooking Risk Assessment

Simply identifying vendors is only the first step in third-party vendor risk management. Equally important is assessing how much risk each vendor introduces to your supply chain. Risk assessments should reflect factors such as how much harm the vendor could cause to your reputation, operations, finances and so on. However, too often is the risk tolerance or risk appetite in an organization under-assessed so the true effects are unknown in the case of vulnerabilities in your supply chain.

 

Ideally, risk assessment should happen automatically. Whenever you introduce a new vendor into your supply chain, or when your relationship with a vendor changes, you should be able to determine automatically how the vendor impacts your overall risk and make a valid assessment of exactly what level of risk is acceptable to your organization.

 

3. Vendor Risk Management Ends With Onboarding Assessment

While risk assessment is important, it’s not the end of the third party vendor risk management process.

 

Your relationship with vendors may evolve in ways that change the types and extent of the risk that each vendor poses. For that reason, it’s important to be able to reassess risks on a continuous basis. Using automation, you can ensure that your risk assessments are constantly updated and that they remain relevant even as your vendor relationships evolve.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

4. Underestimating Vendor Compliance Needs

Sometimes, organizations assume that as long as they’ve met basic third party vendor risk management requirements, they’re covered against compliance mandates related to their supply chain and vendors.

 

In reality, compliance requirements tend to be complex and business-specific. For that reason, generic vendor risk management is not enough to guarantee compliance. Third party vendor risk management is a step toward compliance, but you also need to step back and assess the unique compliance requirements of your company and supply chain, then determine whether additional steps are needed to achieve compliance.



Simplify Third Party Vendor Risk Management With Findings

Findings takes the hard work out of vetting third party vendors. By automating the processes of identifying and assessing vendors across your supply chain, Findings makes it easy to maintain continuously updated visibility into where supply chain risks lie and how each vendor could harm your reputation, operations  finances and more.


See for yourself by requesting a demo at findings.co

Supply Chain Attacks Surged By 42% in 2022. Here’s Why.

Increase in supply chain attacks

There’s been a massive and recent increase in the awareness of supply chain attacks. Significant investment going to tools and strategies to protect supply chains against attack have been poured into business plans, but this isn’t helping. You would think that all of this time and effort would in turn bring a decline to these threats, but you’d be wrong.

 

Quite the contrary actually. According to research from PurpleSec, supply chain attacks rose by 42% in 2022, and 64% of businesses have now been affected by supply chain software attacks.

 

Recent Supply Chain Attacks

In the case of the SolarWinds attack, malicious code inside a popular IT monitoring platform gave hackers a back door into thousands of IT networks. Similar breaches occurred in the Colonial Pipeline attack, where a leaked password caused massive panic, and in the Kaseya and Log4j breaches, which were also examples of supply chain attacks in which breaches in third-party software tools exposed a large number of businesses to attack.
 

The Appeal Of Supply Chain Attacks

Exacerbating matters further is the fact that a single supply chain breach allows attackers to target hundreds or thousands of victims by seizing upon just one vulnerability and one attack technique. From the hacker’s perspective, the ROI on supply chain attacks is exponentially higher than a traditional attack, wherein a single business is placed at risk.

 

As TechTarget explains, “supply chain attacks are difficult to detect, as they rely on software that has already been trusted and can be widely distributed.

 

Why Supply Chain Attacks Continue To Rise

 

Both of these factors – the difficulty of preventing supply chain attacks and the advantages of supply chain attacks from an attackers perspective – help to explain why supply chain attacks remain so pervasive – to the point that supply chain attacks will increase by 400 percent, according to the European Union Agency for Cybersecurity (ENISA), which adds that “strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.”

In other words, traditional approaches to defending against cybersecurity risks – such as hardening servers against attack, enforcing strong access controls and deploying malware scanners – aren’t very effective in cases where the bad guys break in by breaching your supply chain. If your IT systems are configured to trust software delivered to them by third-party suppliers, no amount of access controls or virus scanners are going to protect against flaws within those third-party systems. Conventional security controls only protect against threats that originate internally, which means they don’t address supply chain attacks.

 

What You Can Do: How To Stop Supply Chain Attacks

 

Fortunately, there are practices that can help to prevent supply chain attacks, even for organizations with complex supply chains:

 

  1. Implement Zero Trust

Zero trust means configuring IT resources so that they do not trust any other resources –internal or external – by default. They only share data and interact with resources that are explicitly validated to be secure. Zero trust policies can help to mitigate supply chain attacks by ensuring that servers, applications and other resources only trust third-party software if that software has been scanned and vetted to be secure.

 

  1. Gain Asset Visibility

Visibility – specifically, visibility into which supply chain assets exist and which risks impact them – goes a long way toward preventing supply chain attacks. Businesses should be able to identify risky assets, determine the root cause of the risks and remediate risks in a proactive manner.

 


 

 

  1. Work With Suppliers

Effective supply chain security management means not just cutting off suppliers who might place the supply chain at risk, but working with them to identify potential breach points and ensure transparency in the face of risks. Vulnerability Disclosure Programs can help here by providing a systematic means of identifying and responding to supply chain attack risks.

 

 

 Findings can help with all of these initiatives by providing automated visibility into your entire supply chain so that you know when and where risks arise. In addition, Findings helps you assess vendor compliance and manage vulnerability disclosure policies, ensuring that you’re prepared to react quickly when your supply chain becomes vulnerable to attack.

 

 

Learn more about how to prevent supply chain attacks with Findings.

Slavery Still Exists?

Modern Slavery in your supply chain

Wait a second… What?


That was my exact reaction too. In fact, modern slavery is all around us. (More than you may think).

 

You’re probably wondering: Wasn’t slavery abolished internationally in 1948 when the United Nations adopted the Universal Declaration of Human Rights

 

Apparently not. 

 

It’s almost 2023 and we live in an age where approximately 50 million people, a quarter of which are children, are trapped in modern slavery. They are are forced to work and get married, and are being exploited sexually every single day. 

 

While modern day slavery is widespread, many of us are unaware of what’s going on and the different forms of slavery that exist. You might be surprised to find that a large portion of slavery in today’s day and age is facilitated through different corporations. Furthermore, it can be found in companies of all different industries and sizes, and in every stage of the supply chain – from raw materials to manufacturing to shipping.  Knowing about modern slavery is a responsibility every business should take on, because it is possible that you are working with suppliers who use slaves, without even realizing it. 

 

Today, there are over 27 million people forced into labor. Many would say their business doesn’t tolerate modern slavery, but, when hundreds or even thousands of suppliers are added into the picture, how can you be so sure they aren’t using forced labor? 


As explained by Anti-Slavery International, the oldest international human rights organization in the world, there are different forms of slavery today:

  • Human trafficking – “The use of violence, threats or coercion to transport, recruit or harbour people in order to exploit them for purposes such as forced prostitution, labour, criminality, marriage or organ removal.” 

  • Forced labor – “Any work or services people are forced to do against their will, usually under threat of punishment.”

  • Debt bondage/bonded labor – “The world’s most widespread form of slavery. People trapped in poverty borrow money and are forced to work to pay off the debt, losing control over both their employment conditions and the debt.”

  • Descent–based slavery – “A very old form of slavery, where people are treated as property, and their “slave” status has been passed down the maternal line.”

  • Child slavery – “When a child is exploited for someone else’s gain. This can include child trafficking, child soldiers, child marriage and child domestic slavery.”

  • Forced and early marriage – “When someone is married against their will and cannot leave. Most child marriages can be considered slavery”

  • Domestic servitude Domestic work and domestic servitude are not always slavery, and when properly regulated can be an important source of income for many people. However, when someone is working in another person’s home, they may be particularly vulnerable to abuses, exploitation, and slavery, as they might be hidden from sight and lack legal protection.”

Why should your company care?

First off, I don’t think any company would be proud to say they use slaves. But besides that point, imprisonment up to life imprisonment and heavy fines are amongst the penalties. In addition, more countries are enforcing modern day slavery regulations and companies will need to show proof of compliance as time goes on. Not complying to modern slavery regulations will in turn make your company unappealing to investors and ultimately the end user. For example, in the United Kingdom, the Modern Slavery Act of 2015 requires businesses to report on steps they have taken to reduce modern slavery in their supply chains. With modern slavery so rampant in the United Kingdom, the legislation applies to commercial organizations that:

  • are a body corporate or a partnership (described as an ‘organization’ in this service), wherever incorporated

  • carry on a business, or part of a business, in the UK 

  • supply goods or services

  • have an annual turnover of £36 million or more

Currently, many organizations provide a modern slavery statement voluntarily, but in the near future, the requirement will be extended to segments of the public sector as well.


Not sure where to start? Findings gives you a platform to show track your compliance. By doing so, you are demonstrating to other enterprises that they can trust doing business with you. In addition, Findings offers assessment tools that enable you to easily evaluate whether your business is staying compliant with modern slavery regulations. 



Findings is proud of the work we do and we fully support the Universal Declaration of Human Rights. Learn more about how we can help you address modern slavery here


Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.


However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that often falls to individual businesses – which often struggle to put supply chain risk management into practice, given the fact that few organizations were closely focused on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought supply chain risks to the fore.


1. Optimize Supply Chain Visibility

The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.


That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 


When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as Tucker Bailey, McKinsey Partner notes. But the more information you have about who your suppliers are, how they build out their supply chain and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities

2. Build Supply Chain Risk Management Into Onboarding

While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.


There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process would be to do an initial risk scan of the vendor and setting a score. However, the better and more effective method is to set a periodic scan that includes an action plan. 


But even with all these processes, it doesn’t mean you should skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.

3. Plan For Supply Chain Changes

Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.


That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to who you can turn to if you need to stop using one vendor due to cyber security risks.


Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.

4. Enforce Continuous Supply Chain Risk Management

Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.


Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.


Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, And that phone call is going to say, ‘Bam, we’re now down, so do the backup plan. We want to see how long it takes you and how well it works.”


It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.

5. Automate Supply Chain Risk Management With Cyber Solutions

For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.


That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threat within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously so that you’re aware immediately when a new risk arises.


Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.

See for yourself by requesting a demo at Findings.co.

November Security Breach Round Up

November Security Breaches

From grocery stores, to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.

 

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month. 

 

Let’s dive in. 

 

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud. 

 

  1. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that unauthorized access to company data was accessed after an employee was phished. In an 8-K filing to the U.S Securities and Exchange Commission, Bed Bath & Beyond explained that data of the employee’s hard drive and other shared drives that the employee had access to were accessed. The company is still investigating whether the drives have any sensitive or personally identifiable information.

 

  1. DropBox


File hosting service, DropBox, also fell victim to a phishing incident. In a statement from the company, they explained the situation saying “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted them that suspicious behavior was going on. DropBox found that a threat actor was pretending to be CircleCI and was able to access one of DropBox’s GitHub accounts. To date, their investigation has found that the code accessed by the threat actor contained some credentials, primarily, API keys used by Dropbox developers.

 

  1. TransUnion


Isn’t it ironic how an agency who determines your credit score, is the one that could be ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency, TransUnion, experienced a breach and began notifying individuals about the incident on November 7,2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of those being Americans. The type of information that was exposed includes names, social security numbers, driver’s license numbers, and account numbers. 

 

  1. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang and they have supposedly stolen data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data, the cyber threat group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots from the group can be seen that were posted on the dark web. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees and their secret question and answer used to secure their accounts could be found. 

 

  1. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports

 

  1. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. Incase you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.” 

 

  1. Whoosh

Russian scooter sharing company known as Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Alleged stolen data on the hacking forum allegedly contains promotion codes that would allow someone to access the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. A russian news outlet, RIA Novosti was told by Whoosh that, “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details” 

 

  1. Coinsquare:


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, a Canadian cryptocurrency exchange, Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare allegedly contacted them via email and let them know that it had identified an intrusion and a database containing personal information accessed by an unintended third party. In a Tweet responding to an account sharing about the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.” 



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!