Category Archives: Supply Chain Security

Is Chat-GPT a real cybersecurity threat? Here are 7 potential cybersecurity risks in using AIs


AI is everywhere, from Chat-GPT to Midjourney – But have you thought about the potential cyber risk in using it?

I recently sat with Jonathan Perry, CTO and Co-Founder of Findings.co to hear a PRO point-of-view. So here are 7 potential cyber risks in using AIs, such as ChatGPT:


ChatGPT and cyber security – Is there a real, actual threat in there or is it just a big fuss that everyone talks about?

I think with regard to Chat GPT, it’s important to remember that the knowledge that ChatGPT gives is based on the sum of all available knowledge and data across the entire web.

And relying blindly on such information can create real security hazards.

So, security experts and security engineers should not rely on such tools blindly. It’s only an advisory tool. And I think there is a real threat from ChatGPT and similar tools.

It’s interesting to mention because in marketing, we experience more and more people saying that this is just a tool meant to help us create something, not something that’s supposed to take the place of a marketer of any kind.

Would you agree on the same?

Definitely.

I think it’s really easy to fall into the charm of a chatbot just presenting you on a golden plate whatever you need to do, and to just follow it.

But that encompasses a real threat.

You don’t know if the output of the data you see is relevant, you don’t know if it’s secure enough.

It’s extremely important not to rely on it blindly.

Can anyone even ensure that ChatGPT is secure? Against these threats or secure at all?

I mean, once you enter something into Chat GPT and ask him to create something, can we even know that this data that you entered is secure enough, in your opinion?

Definitely NOT. And the reason is that it’s an extremely complex data set; it’s unrealistic to think that humans can verify and make sure that the output you see is secure enough, or even fit for your purpose.

You don’t know if it even answered the question that you asked it in the first place. So I think common sense and just having the right experience are probably the best answer.

Any cybersecurity attacks so far, using ChatGPT?

So we haven’t seen any real attack using Chat GPT so far, and I guess the reason is because it’s quite new, but I personally believe that we will see complex attacks that use and utilize AI technologies in general, not only ChatGPT: smart attacks against industries and corporations. So, yeah, definitely.

How do you see ChatGPT affecting supply chain security?

It’s a good question. So we thought about it a lot here at Findings, and I think we will eventually see organizations, companies and others utilizing Chat-GPT and AI in general to address supply chain questionnaires and to assess their vendors as well.

How do you protect against the risk of supply chain attacks using Chat-GPT or any AI available out there?

There’s no specific checklist that you need to follow in order to protect against such things; I think the general rule of thumb is just to take precautions and not rely on everything that you see and do.

It’s a good rule of thumb for life in general, but I think it definitely applies to this topic as well.

And last question, out of your extensive experience in cybersecurity: how do you keep informed? How do you know about new trends? What would be your best tip?

So, blog posts, and articles are a good thing, but I think the best tip I can give regarding staying informed is to have good connections and good networks because the best know-how and the best tips I’ve got, I’ve gotten from good friends from the industry.

I think having a good social and professional network is the best way to stay current.

All right, thank you so much for your time. Thank you.

Thank you for watching. And I’ll see you soon on our next video.

Why Security Assessments Are Essential

Findings discusses why security assessments are essential to your company

Security Assessments and Why They Are Essential

Security assessments are essential tools for businesses of all sizes.

They provide an important way to identify and address any vulnerabilities in networks, systems, and applications, to protect the business from potential cyber threats. This blog post will discuss the importance of security assessments and how businesses can incorporate them into their security strategy.

Why Are Security Assessments Important?

Security assessments are important for businesses because they objectively evaluate the security of their networks, systems, and applications.

They can identify potential security flaws, weak points, and risk areas and help businesses develop plans to address any vulnerabilities.

Additionally, security assessments help businesses understand the current security landscape and identify gaps in their security measures.

This can be an invaluable process for businesses, as it can help them determine any additional security measures that need to be implemented to ensure that their networks, systems, and applications remain safe and secure.

By reviewing and assessing current security measures, businesses can ensure that their policies and procedures are optimal for their organization and that their systems are as safe and secure as possible. It can also help evaluate the effectiveness of existing security measures.

Types of Security Assessments

There are a variety of different types of security assessments.

Common types of assessments include penetration testing, vulnerability scanning, and application security testing.

  1. Penetration testing is the process of attempting to exploit vulnerabilities in a system in order to gain access and then extend that access further into the system.

  2. In contrast, vulnerability scanning is a process that identifies any potential security flaws or weaknesses in a system.

  3. Application security testing is a process of testing the security of an application by analyzing the system for any potential security flaws or weaknesses.

Security assessments can also be tailored to specific needs, such as cloud security assessments focusing on the security of cloud-based systems and applications.

Why do it?

Security assessments are essential for businesses of all sizes, large and small, as they are critical in identifying and remedying potential vulnerabilities in networks, systems, and applications.

By conducting such assessments, businesses can create a comprehensive security strategy to help them keep their systems secure and protected from potential cyber threats.

Furthermore, such assessments can also provide valuable insights into potential areas of improvement, allowing businesses to remain one step ahead of any potential security risks.

You Need Automation

By automating your assessments, you can save time and money that would otherwise be spent on manual data entry and analysis.

Automation also makes it easier to quickly assess large amounts of data, which is especially helpful when dealing with complex problems or large datasets.

With automated assessment, you can also ensure more accurate and reliable results, as the software eliminates the potential for human error. Additionally, automated assessment can provide valuable insights into the data that can be used to inform your decision-making.


With Findings, digitize your assessments with ZERO effort and automate your assessment response in seconds – learn more about how Findings can help here

February Data Breach Round Up

Findings.co February data breach round-up. Companies like Reddit, LastPass, and GoDaddy made the list.

Well, it’s that time of the year again! 

No, I won’t be talking about the Super Bowl or Valentine’s Day, or even Groundhog Day for that matter – it’s time for our monthly roundup of data breaches. February 2023 brought us a smorgasbord of security mishaps. It seems like even the big players in the industry can’t catch a break these days. But fear not, dear reader, I’m here to break down what happened so that your company can protect itself along with your supply chain. Grab a cup of coffee and let’s dive in!

  1. Reddit:

Reddit had a bit of a scare recently… On February 5, 2023, Reddit discovered a phishing campaign that targeted its employees. In an update from the company, they write “as we all know, the human is often the weakest part of the security chain.” In an attempt to steal credentials and second-factor tokens, an attacker sent out plausible-sounding prompts pointing Reddit employees to a website that cloned the behavior of Reddit’s intranet gateway. The attacker was then able to obtain an employee’s credentials, and in turn, was able to access internal documents, code, and some internal dashboards and business systems. Limited contact information for company contacts and employees, as well as limited advertiser information, were exposed. In the meantime, they’re urging users to protect themselves by setting up two-factor authentication and using a password manager. Stay safe out there, Redditors!

  2. LastPass:

You’re probably thinking to yourself, “hold on, didn’t LastPass JUST announce a breach in December?” They did indeed, which I informed you all about. However, the company disclosed that there was a second incident. In a company notice, LastPass writes, “Despite high confidence in the outcomes of our investigation and actions taken in response to the first incident, the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack. The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources.” In this second incident, the attacker targeted an employee. The attacker obtained access to a DevOps engineer’s LastPass vault by capturing their master password after the employee had authenticated with MFA. The attacker then exported the contents of shared folders, which contained encrypted secure notes with access and decryption keys to access AWS S3 LastPass production backups, other cloud-based storage resources, and some critical database backups.


  3. Weee!:

I have some not-so-tasty news for all you foodies out there. Weee!, the U.S. online grocery delivery service specializing in Asian and Hispanic foods, recently informed the public that it experienced a data breach. Unfortunately, the breach resulted in cybercriminals stealing a year’s worth of customer data, including names, addresses, email addresses, phone numbers, order numbers, and order comments (like where to leave groceries). While the company is still investigating who is behind the breach, it’s been reported that 1.1 million customer email addresses were compromised.

  4. GoDaddy:

Uh oh! GoDaddy, the popular web hosting company, suffered a multi-year cyberattack. The company explained, “an unauthorized third party had gained access to servers in our cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites.” GoDaddy discovered the breach after customers reported that their sites were being redirected to random domains. The company says that previous breaches in November 2021 and March 2020 are linked to this multi-year campaign. Further information about this attack can be found in a 10-K filed by the company. 

  5. A10 Networks:

A10 Networks is a California-based company that specializes in producing hardware and software for application delivery, identity management, bandwidth management, and cybersecurity services. The company’s customers include a number of well-known tech companies and organizations, such as Twitter, LinkedIn, Samsung, and Uber, among others. In an 8-K filing, A10 Networks disclosed that on January 23, 2023, they identified a cyber-security incident in its corporate IT infrastructure. A sneaky gang known as Play Ransomware is claiming responsibility for this attack. After investigation, it was determined that the threat actors managed to gain access to shared drives, deployed malware, and ‘compromised’ data related to human resources, finance, and legal functions.

Companies must continue to prioritize cybersecurity and take proactive measures to protect themselves. While data breaches can be scary, being aware of what happened and taking the necessary precautions can help prevent further damage.

January Security Breach Round Up

Findings.co reveals the top breaches in January 2023

While a new year is supposed to bring in new and exciting opportunities, quite the opposite happened to these companies after they had their resolutions spoiled by hackers. Let’s review some of the most interesting data breaches that happened in January.


PayPal:


Yes, even massive financial companies like PayPal fall victim to breaches. On January 18, 2023, PayPal informed customers that unauthorized parties were able to access PayPal customer accounts using their login credentials. In the company notice, PayPal writes, “the personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.” After an incident like this, it is extremely important that users change their passwords for other online accounts as well as activate two-factor authentication, which can prevent hackers from accessing their other accounts. 


T-Mobile:

Another breach? This time, 37 million people were apparently affected. On January 19th, 2023, T-Mobile released a statement writing, “We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.” Obtained information includes name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features. T-Mobile further writes, “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.” While we hope that T-Mobile does indeed strengthen their cybersecurity program, we’d like to note that the telecommunications giant has suffered several security incidents in the past few years. 


Google Fi:

Think of a domino effect here. When one goes down, so can the next. It is alleged that Google Fi’s security incident is connected to the T-Mobile incident right above this one. Google Fi is a mobile virtual network operator that uses T-Mobile’s network for the majority of its connections. It is believed that hackers may have accessed customer information such as phone numbers, SIM card serial numbers, account status, and mobile service plan data. To explain the aftermath of this, BleepingComputer explained that, “the exposed technical SIM data allowed threat actors to conduct SIM swap attacks on some Google Fi customers, with one customer reporting that the hackers gaining access to their Authy MFA account. SIM swapping attacks are when threat actors convince mobile carriers to port a customer’s phone number to a mobile SIM card under the attacker’s control.” After the SIM swapping attacks, hackers can access a person’s email, accounts registered with the phone number, and authentication apps. 


Mailchimp:


Don’t be that person – always think twice before opening links from people you don’t know. On January 11, 2023, Mailchimp discovered that an unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors. By doing so, the hacker was able to obtain access to select Mailchimp accounts using employee credentials compromised in that attack. The hacker accessed a tool used by Mailchimp customer-facing teams for customer support and account administration. In a company notice explaining the situation, Mailchimp confirms, “this targeted incident has been limited to 133 Mailchimp accounts.”


JDSports:


JDSports, a British sports-fashion retail company based in England, also unfortunately fell victim to an attack in January. JDSports notified customers via email explaining the situation, pictured below.






The sports company warns that the attack resulted in unauthorized access to a system containing customer information for orders placed between November 2018 and October 2020. Information such as full names, billing details, delivery addresses, email addresses, phone numbers, order details, and final four digits of payment cards were accessed.

Before wrapping up for the month, did you hear about SwiftSlicer, a new data-wiping malware that aims to overwrite crucial files used by the Windows operating system? BleepingComputer explains that it allows “domain admins to execute scripts and commands throughout all of the devices in the Windows network. SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.” Researchers at the cybersecurity company ESET say that SwiftSlicer has the ability to overwrite data using 4096-byte blocks and then reboot the system. Since this is a new discovery, it’s important that companies continue using the most up-to-date antivirus software.





Learn About Our Continuous Monitoring Solution

December Security Breach Round Up


2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.


  1. LastPass:

Well this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that they would have strong measures in place to protect their consumers’ privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time you look into protecting your accounts and changing your passwords.


  2. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported about the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigations, Uber later shared with BleepingComputer that the threat actor stole its data in a recent breach on Teqtivity, which Uber uses for asset management and tracking services. Teqtivity informed that the threat actor was able to access device information such as serial number, make, models, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details were accessed. 


  3. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022 that exposed sensitive customer data by an unauthorized party who accessed a file server. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver’s license numbers. We see this time and time again where threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.

 

  4. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, they stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” Information accessed by the unauthorized party consists of personal information including demographic information such as name, address, date of birth, gender, marital status, employment status, social security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  5. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch and Instagram. They confirmed that they suffered a data breach after their database was breached and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts and the hacker claims to have obtained 5.6 million records. The sample data that was posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. A similarity we see here in comparison to other breaches is that this was not Social Blade’s first breach. In 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent breach will be the push they need to better protect their company and prevent future attacks. 

Image source: Twitter


Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution #1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Having employees that are aware of all things cyber security is beneficial in minimizing the risks associated with cyber attacks.


Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.



Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 


If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.



Andddd that’s a wrap for this month!


Findings wishes you all a happy and healthy New Year.

We’re here for you. Learn more today.

What’s At Stake With Ineffective Third Party Vendor Risk Management


Virtually every business today has to outsource work to external vendors. By extension, it needs a plan to handle what Gartner calls vendor risk management, or VRM/TPRM. 

Working with third-party vendors exposes businesses to a variety of risks:

  • Reputational harm: Security mistakes made by third party vendors could harm your brand’s reputation. Even if your company wasn’t at fault, customers or partners might hold your business accountable because they believe you made the poor choice of working with a risky third-party vendor.
  • Operational damage: Problems with third-party vendors could disrupt your operations. For example, if a software product you depend on becomes vulnerable, your supply chain may cease to function until you find a replacement. Or your third party vendor may be hacked, leaving the door open to your organization for breaches or system failures.
  • Financial loss: Third party vendor risks that turn into operational disruptions can ultimately lead to revenue loss, exacerbating the operational fallout of the situation and costing your organization money.
  • Compliance challenges: You may be required to prove that your supply chain risk management complies with specific security or data privacy frameworks, and mistakes made by third party vendors could expose you to compliance failures. Like customers and partners, regulators aren’t likely to care whether the root cause of the issue lies with you or your vendor; all that matters to them is that you were non-compliant.

To respond to these challenges, especially considering that 89% of businesses have experienced a supplier risk event in the past 5 years, more needs to be done to develop an effective third party vendor risk management strategy. Developing that strategy starts with recognizing the mistaken assumptions that businesses often make when attempting to manage vendor risks.

Let’s look at those mistakes, why they’re dangerous and what businesses can do to avoid them.

1. Assuming All Vendors Are Covered

It can be easy to assume that as long as you have some kind of third party vendor risk management operation in place, it covers all of your vendors and gives you complete visibility into the risks associated with them.

The reality is that in many cases, TPRM programs overlook some vendors. The oversights most often result from relying on manual processes to identify and vet vendors, but you can also miss some vendors because your supplier list is always changing and you may not keep it up-to-date.

Not only that, in many cases, coverage itself is partial. Modern supply chains are complex and because of this, long-tail vendors can be easily overlooked or ignored, exposing your organization and supply chain to huge risk.

The solution to these challenges is to rely on automation to track vendors. When you automate, it becomes much easier to find all third party vendors in your supply chain, and to keep your vendor inventory continuously up-to-date.

2. Overlooking Risk Assessment

Simply identifying vendors is only the first step in third-party vendor risk management. Equally important is assessing how much risk each vendor introduces to your supply chain. Risk assessments should reflect factors such as how much harm the vendor could cause to your reputation, operations, finances and so on. However, too often an organization’s risk tolerance or risk appetite is under-assessed, so the true effects of vulnerabilities in your supply chain remain unknown.

Ideally, risk assessment should happen automatically. Whenever you introduce a new vendor into your supply chain, or when your relationship with a vendor changes, you should be able to determine automatically how the vendor impacts your overall risk and make a valid assessment of exactly what level of risk is acceptable to your organization.

3. Vendor Risk Management Ends With Onboarding Assessment

While risk assessment is important, it’s not the end of the third party vendor risk management process.

Your relationship with vendors may evolve in ways that change the types and extent of the risk that each vendor poses. For that reason, it’s important to be able to reassess risks on a continuous basis. Using automation, you can ensure that your risk assessments are constantly updated and that they remain relevant even as your vendor relationships evolve.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

4. Underestimating Vendor Compliance Needs

Sometimes, organizations assume that as long as they’ve met basic third party vendor risk management requirements, they’re covered against compliance mandates related to their supply chain and vendors.

In reality, compliance requirements tend to be complex and business-specific. For that reason, generic vendor risk management is not enough to guarantee compliance. Third party vendor risk management is a step toward compliance, but you also need to step back and assess the unique compliance requirements of your company and supply chain, then determine whether additional steps are needed to achieve compliance.



Simplify Third Party Vendor Risk Management With Findings

Findings takes the hard work out of vetting third party vendors. By automating the processes of identifying and assessing vendors across your supply chain, Findings makes it easy to maintain continuously updated visibility into where supply chain risks lie and how each vendor could harm your reputation, operations, finances and more.


See for yourself by requesting a demo at findings.co

Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.


However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that often falls to individual businesses – which often struggle to put supply chain risk management into practice, given the fact that few organizations were closely focused on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought supply chain risks to the fore.


1. Optimize Supply Chain Visibility

The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.


That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 


When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as McKinsey partner Tucker Bailey notes. But the more information you have about who your suppliers are, how they build out their supply chain and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities.

2. Build Supply Chain Risk Management Into Onboarding

While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.


There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process is to run an initial risk scan of the vendor and set a score. The better and more effective method, however, is to set up a periodic scan that comes with an action plan.


But even with all these processes, it doesn’t mean you should skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.

3. Plan For Supply Chain Changes

Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.


That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to whom you can turn if you need to stop using one vendor due to cyber security risks.


Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.

4. Enforce Continuous Supply Chain Risk Management

Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.


Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.


Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, and that phone call is going to say, ‘Bam, we’re now down, so do the backup plan. We want to see how long it takes you and how well it works.’”


It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.

5. Automate Supply Chain Risk Management With Cyber Solutions

For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.


That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threats within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously, so that you’re aware immediately when a new risk arises.


Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.

See for yourself by requesting a demo at Findings.co.

November Security Breach Round Up


From grocery stores to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month.

Let’s dive in.

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud.

  2. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that company data was accessed without authorization after an employee was phished. In an 8-K filing with the U.S. Securities and Exchange Commission, Bed Bath & Beyond explained that data on the employee’s hard drive and on other shared drives the employee had access to was accessed. The company is still investigating whether the drives held any sensitive or personally identifiable information.

  3. Dropbox


File hosting service Dropbox also fell victim to a phishing incident. In a statement, the company explained the situation: “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted it to suspicious behavior. Dropbox found that a threat actor impersonating CircleCI had been able to access one of Dropbox’s GitHub accounts. To date, the investigation has found that the code accessed by the threat actor contained some credentials, primarily API keys used by Dropbox developers.

  4. TransUnion


Isn’t it ironic that an agency that determines your credit score could be the one ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency TransUnion experienced a breach and began notifying individuals about the incident on November 7, 2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of them Americans. The information exposed includes names, social security numbers, driver’s license numbers, and account numbers.

  5. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang and they have supposedly stolen data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data, the cyber threat group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots from the group can be seen that were posted on the dark web. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees and their secret question and answer used to secure their accounts could be found.

  6. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports

  7. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. In case you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.”

  8. Whoosh

The Russian scooter-sharing company Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. The data offered allegedly contains promotion codes that would allow someone to use the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. Whoosh told the Russian news outlet RIA Novosti that, “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details.”

  9. Coinsquare


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, the Canadian cryptocurrency exchange Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare contacted them via email to say that it had identified an intrusion, and that a database containing personal information had been accessed by an unintended third party. In a tweet responding to an account sharing news of the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.”



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

Your 2023 Supply Chain Security Conference Rundown


As every supply chain security and cyber security professional knows, there’s no such thing as taking a break from learning. Threats and cyber criminals are constantly evolving, and the only way to protect your organization and vital infrastructure is to stay one step ahead, by learning from the experiences, innovations, and insights of other experts.

Here are the top supply chain security and cyber security conferences happening around the world this year, so open your calendar and plan your schedule now!

1. Cybertech Global TLV

January 30 – February 1, 2023

Tel Aviv, Israel

Cybertech Global brings together top thought leaders from around the globe to share ideas and make connections about everything cyber. The three-day conference is an opportunity to hear from experts in the Middle East and beyond on the latest innovations, solutions, and emerging threats in the realm of cyber and supply chain security.

 

Speakers include Yodfat Buchris, Managing Director of Blumberg Capital, Yaroslav Rosomakho, Field CTO of Netskope, Eyal Cohen, CEO and Co-Founder of Cognifiber, and many more.

 

2. The Official Cyber Security Summit

February 10, 2023

Atlanta GA, USA

This one-day summit is short but impactful, offering an intensive day of learning about how to protect your business and networking with C-suite and senior executives. With keynote presentations from IBM Security and Huntress, it’s not one to miss. Schedule your trip now to attend sessions, swap ideas, and view demos of new solutions.  

 

3. CISO Sydney 2023

February 20-22, 2023

Sydney, Australia

The first CISO Sydney conference to take place in person since before the pandemic is packed full of informative sessions and networking opportunities. CISOs from numerous companies will join together to share intelligence, renew connections, and discover new approaches, methodologies, and tech products. The conference also features a focus day on Critical Infrastructure and DevSecOps. With a generous mix of focused talks, panel discussions and group discussions, there’s sure to be many points of interest for you. You can view the agenda here.

4. Women in Cyber Security (WiCyS)

March 16-18, 2023

Denver CO, USA

The Women in Cyber Security (WiCyS) conference is an event that strengthens the community of women working in cyber security while enabling attendees to connect, learn, and discover new concepts. This organization has been around for a decade and is dedicated to advancing the role of women in the field of cyber security. 

 

This event is focused on opportunities for women but is open to all genders. The conference includes resume clinics, mock interviews, and a career fair as well as workshops, keynote sessions, and lightning talks. 

 

5. Pharma Supply Chain & Security World 2023

March 28-29, 2023

London, UK

With counterfeiting on the rise, pharma companies are more concerned than ever with supply chain security and ensuring traceability and visibility. This year’s Pharma Supply Chain and Security World summit is rightly focusing on new solutions to ‘Building Resilient Pharma Supply Chain’, ‘Serialization and Track & Trace’, ‘Smart Packaging & Labeling’, and ‘De-Risking Supply Chain, Compliance and Contracts’. Speakers include Fausto Artico, Global R&D Tech Head and Director of Innovation and Data Science with GSK and Gianpiero Lorusso, Director, Head of Upstream Logistics with Healthcare Business of Merck. 

 

6. Third Party Vendor Risk Management for Financial Institutions

April 12-14, 2023

New York, NY, USA

This three-day supply chain security conference is aimed at executives and cyber security heads who are concerned about minimizing supply chain risk. This year, the conference focuses on ideas and tools for monitoring third and fourth parties, increasing visibility into your extended supply chain, and improving risk management.

 

7. RSA Conference 2023

April 24-27, 2023

San Francisco, CA, USA

The theme for this year’s RSAC is Stronger Together, with an emphasis on sharing information, ideas, and even failures. The RSA Conference offers four days of rich learning opportunities, including hands-on learning labs and Capture the Flag events, as well as keynotes and panel discussions, alongside an Expo which can be explored in person or online.

 

8. RiskWorld

April 30-May 3, 2023

Atlanta, GA, USA

The annual RiskWorld event is intended for everybody delivering risk management services, from across verticals and around the world. The conference offers four days of networking, insights, solutions, and educative sessions led by risk management leaders and disrupters.

 

Tracks for the event include Career Development, Cyber and Technology Risk, Risk Modification/Mitigation and Loss Control and many more. Register your interest to receive the agenda when it is released!

 

9. Cyber Security and Privacy Professionals Conference

May 1-3, 2023

Bellevue, WA, USA

A highly education-focused conference for cyber security and privacy professionals, this event offers opportunities for attendees to learn and discuss new challenges, emerging threats, and nascent solutions for their fields. The agenda will be released in early 2023, but if the 2022 agenda is anything to go by, this is not to be missed!

 

10. IMPACT 2023

May 3-4, 2023

Jersey City, NJ, USA

Run by the Ethics & Compliance Initiative (ECI), IMPACT 2023 opens up educational and networking sessions for everyone interested in compliance, regulatory policy, and enforcement. Leading experts and policy makers will share their ideas around strategy, risk, accountability, and ESG across sectors and verticals. Make sure to click through and sign up to their mailing list to be notified when early bird pricing drops! 

 

11. Third Party & Supply Chain Cyber Security Summit

May 4-5, 2023

Barcelona, Spain

Focusing on end to end cyber security practices, this year’s Summit brings together the latest case studies on cyber security implementation for discussion by professionals from leading companies. It’s a great opportunity to learn more about visibility, risk management, and supply chain security across your network. Some of the speakers you have to look forward to include Syed Ubaid Ali Jafri, Head of Cyber Defense & Offensive Security at Habib Bank Limited and Andrea Szeiler, Global CISO for Transcom Worldwide AB.

 

12. Gartner Supply Chain Symposium / Xpo

May 8-10, 2023

Orlando, FL, USA

As you’d expect, the Gartner Supply Chain Symposium brings together some of the top names in supply chain security to explore and investigate big ideas, small details, and actionable insights. The symposium aims to address new and existing disruptions, resilient strategies, and tech investments to minimize risk and maximize rewards. Join David Gonzalez, Conference Chair and VP Analyst and get ready to develop agile and resilient supply chain strategies, learn how to mitigate risk and respond to disruption, how to pursue digital initiatives that drive business growth, and so much more!

 

13. Black Hat Asia

May 9-12, 2023

Marina Bay Sands, Singapore

Black Hat trainings, briefings, and seminars are highly respected events, and Black Hat Asia is no exception. Held over four days in Singapore, Black Hat Asia 2023 invites all cyber security professionals to learn from researchers, educators, and experimenters in all the fields of cyber security and risk. 

 

14. American Supply Chain Summit

May 16-16, 2023

Dallas, TX, USA

The American Supply Chain Summit is one of the top supply chain security conferences for leaders and executives, bringing together supply chain security chiefs from leading brands like IKEA, Unilever, and Kroger to share case studies, swap methodologies and strategies, and prepare to meet the next threat. Key themes this year include profitability and risk management, cost optimization, workforce management, and disruptive supply chain tech. Key speakers include Chuck Graham, VP of Microsoft Cloud Sourcing, Tanja Dysli, Chief Supply Chain Officer for IKEA Supply Chain, and Andrew Rendich, Chief Supply Chain Officer for Peloton Interactive.

 

15. 2023 FINRA Annual Conference

May 16-18, 2023

Washington, DC, USA

Located this year in the Marriott Marquis in Washington, the annual FINRA conference is a highly-regarded opportunity for cyber security, supply chain security, and risk management professionals to learn about current trends and regulatory issues that affect their roles. Speakers come from both the public and private sector as well as academia. 

 

16. Cybertech Asia 2023

May 2023

Marina Bay Sands, Singapore

Cybertech Asia returns this year, after the 2022 conference had to be postponed due to COVID-19 restrictions. Expectations are high and preparations have been lengthy for this highly anticipated event! Participants can look forward to in-depth discussion about cyber threats and solutions across the sector, including an extensive exhibition center for multinational companies and SMBs alike.

 

17. Gartner Security & Risk Management Summit

June 5-7, 2023

National Harbor, MD, USA

Aimed at CISOs, risk management leaders, and people in various cyber security positions, the Gartner Security & Risk Management Summit is an arena for learning new ways to protect your organization while making new connections and discovering new insights. Get ready to hear the latest insights from Gartner’s top VP Analysts, such as Patrick Hevesi and Christie Struckman.

 

18. International Conference on Cyber Security and Resilience (ICCR2023)

July 17-18, 2023

Digital

The ICCR is a research-focused conference that brings together leading scholars and researchers to share their work and ideas about cyber security and resilience. Although it’s aimed at academics, security professionals can learn valuable insights and practical solutions to cyber security, supply chain security, and risk management challenges. 

 

19. Black Hat USA

August 6-11, 2023

Las Vegas, NV, USA / Virtual

Black Hat USA is one of the few cyber security conferences in 2023 that’s still striving to offer a rich hybrid experience. The six-day event includes four days of live, interactive and hybrid trainings, as well as a two-day hybrid conference including keynote speakers and panel discussions to be announced at a later date.

 

20. National Cyber Summit

September 20-21, 2023

Huntsville, AL, USA

The National Cyber Summit bills itself as the most innovative cyber security-technology event in the US, with a range of focus areas, leading speakers, and unique collaborative opportunities. The agenda and speakers are yet to be announced but you can view previous years on the event website and sign up for notifications for when tickets go on sale. 

 

21. InfoSec World

September 25-27, 2023

Lake Buena Vista, FL, USA

Now in its 28th year, this year’s InfoSec World offers an opportunity to meet and learn from CISOs and business security experts from a diverse range of top brands, including the NFL, Salesforce, and Carnegie Mellon University. Conference themes include Critical Infrastructure, Hackers & Threats, Identity, and Risk Mitigation, so there’s something to suit everyone. 

 

22. International Cyber Expo

September 26-27, 2023

London, UK

The International Cyber Expo brings together cyber security experts from a range of sectors, including government officials, CISOs, and leading university researchers. Cyber security and supply chain security professionals will take away plenty of new ideas, solutions, and insights so make sure to register your interest ahead of time. 

 

23. Cybertech Europe

October 3-4, 2023

Rome, Italy

Cybertech Europe offers an opportunity to listen to experiences, research, and case studies from leading cyber security experts in the public and private sectors. Attendees can join keynote sessions, workshops, and panel discussions on a broad range of topics. 

 

24. Cyber Security World Asia

October 11-12, 2023

Marina Bay Sands, Singapore

Cyber Security World Asia is a headline event, bringing together thought leaders from top technology companies across Asia to swap intelligence and strategies and present their innovations. They strive to lead the charge in addressing the most pertinent and compelling issues in cyber security, so they should definitely be one to add to your calendar for 2023.

 

25. Insider Threat Summit

Date TBC

Location TBC

The Insider Threat Summit aims to raise the standard of cyber security across all industries and around the world by working together. It focuses on vulnerability, security, and risk management, with a number of government officials among the speakers and attendees.

Phew! There are a lot of incredible events coming up in 2023, and you’ll definitely see our Findings team across the globe speaking at a number of them. Make sure to bookmark this page and check back for discount codes on tickets throughout the year.

Waiting for that next conference and eager to learn more about automating your supply chain security? Request a demo.

The New Breed of Cyber Security Threats Coming for CISOs in 2023


Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.

 

Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

  • Kobi Freedman, CEO and cofounder of Findings.
  • Reuven Aronashvili, founder and CEO of CYE.
  • Alan Platt, COO at CyberHive.
  • Jay Shaw, CEO of Praxonomy.
  • Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.

 

This diverse mix of companies and sectors spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyberthreats.

 

Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.

 

Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.

 

As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.

 

“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7 billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”

 

The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.

 

Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.

 

This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments, but also individual businesses, who may be targeted by state-sponsored actors in order to harm countries in which businesses are based.

 

Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.

 

Covid forced companies to invest more of their IT spending in technologies that enable remote work and distributed workforces; as a result, “less budget can be put into cyber security.” Because of how quickly companies had to be ready for work-from-home and hybrid working models, mistakes in the initial setup are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure: it involves IT assets that exist beyond a company’s corporate firewall and network, and that lack the physical security protections of a traditional office environment.

 

This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.

VPNs Are No Longer Up To Snuff

VPNs are intended to protect sensitive data by encrypting packets as they flow between central IT infrastructure and remote locations, like the PCs of employees working outside the office. They don’t make networks less secure, but they don’t necessarily make them more secure either: a traditional VPN authenticates a device onto the network and then trusts it, so a compromised remote PC gets the same reach as one sitting in the office. Beyond the risk that quantum computers, as noted above, could break the key exchange that protects VPN traffic, VPNs are complicated to administer, and they cause friction for remote users who need business resources (like SaaS platforms) that aren’t hosted on the corporate network at all.

Instead of placing blind trust in VPNs, companies should turn to other strategies, like zero-trust access controls, to secure their networks. Zero trust still relies on cryptography for authentication and transport, so it is not immune to the quantum threat; its advantage is that every request is authorized against the user’s identity, device and context rather than against network location, so a single compromised tunnel or credential no longer opens up the whole estate.

New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and Co-Founder of Findings, to get a real handle on the risk.

“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.

Kobi added that businesses need what he called “long-tail” visibility into the supply chain: the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how those supplier relationships change over time. Compiling a software bill of materials once and calling it a day won’t achieve that. An SBOM is a snapshot of the components at one point in time; the deep visibility modern supply chains require comes from walking its dependency graph out to the transitive suppliers, and from regenerating and comparing it as that graph changes.


And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.
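As an added illustration of what that graph walk looks like (example code written for this page, not part of the original article or of the Findings product), the Python below loads a constructed CycloneDX-style SBOM, walks its dependency graph to find how deep each transitive supplier sits, lists the components whose supplier is not recorded at all, and diffs two snapshots to show how supplier relationships changed between them. The package names, versions and supplier names are fictional; the CycloneDX fields used (bom-ref, components, dependencies/dependsOn, metadata.component) are the spec’s own.

```python
"""Walk a CycloneDX-style SBOM to get "long-tail" supply chain visibility.

Added example (not code from the original article or from Findings): it shows
how an SBOM's dependency graph reveals transitive suppliers, which components
name no supplier at all, and what changed between two SBOM snapshots.
Package names, suppliers and versions below are constructed for illustration.
"""
import copy
import json
from collections import deque

# Constructed sample SBOM in the CycloneDX JSON shape (bom-ref / components /
# dependencies). The packages and supplier names are fictional.
SBOM_V1 = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:app/billing@2.0.0", "name": "billing",
                             "supplier": {"name": "Example Corp"}}},
  "components": [
    {"bom-ref": "pkg:npm/acme-http@1.2.0", "name": "acme-http", "version": "1.2.0",
     "supplier": {"name": "Acme OSS"}},
    {"bom-ref": "pkg:npm/query-parse@3.0.1", "name": "query-parse", "version": "3.0.1",
     "supplier": {"name": "qp-maintainers"}},
    {"bom-ref": "pkg:npm/tiny-utils@0.9.0", "name": "tiny-utils", "version": "0.9.0"},
    {"bom-ref": "pkg:npm/utils-lib@4.1.0", "name": "utils-lib", "version": "4.1.0",
     "supplier": {"name": "Acme OSS"}}
  ],
  "dependencies": [
    {"ref": "pkg:app/billing@2.0.0", "dependsOn": ["pkg:npm/acme-http@1.2.0", "pkg:npm/utils-lib@4.1.0"]},
    {"ref": "pkg:npm/acme-http@1.2.0", "dependsOn": ["pkg:npm/query-parse@3.0.1"]},
    {"ref": "pkg:npm/query-parse@3.0.1", "dependsOn": ["pkg:npm/tiny-utils@0.9.0"]}
  ]
}
""")

# Second constructed snapshot: tiny-utils was bumped and now comes from a
# different (previously unseen) supplier, and a new package appeared under it.
SBOM_V2 = copy.deepcopy(SBOM_V1)
SBOM_V2["components"][2] = {"bom-ref": "pkg:npm/tiny-utils@1.0.0", "name": "tiny-utils",
                            "version": "1.0.0", "supplier": {"name": "new-maintainer"}}
SBOM_V2["components"].append({"bom-ref": "pkg:npm/left-trim@0.1.0", "name": "left-trim",
                              "version": "0.1.0"})
SBOM_V2["dependencies"][2] = {"ref": "pkg:npm/query-parse@3.0.1",
                              "dependsOn": ["pkg:npm/tiny-utils@1.0.0"]}
SBOM_V2["dependencies"].append({"ref": "pkg:npm/tiny-utils@1.0.0",
                                "dependsOn": ["pkg:npm/left-trim@0.1.0"]})


def root_ref(sbom):
    """bom-ref of the product the SBOM describes."""
    return sbom["metadata"]["component"]["bom-ref"]


def dependency_graph(sbom):
    """Map each bom-ref to the refs it declares it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_depths(sbom):
    """Breadth-first walk from the root. Returns {bom-ref: depth}: depth 1 is a
    direct dependency; anything deeper is the long tail. The visited check
    makes the walk safe on cyclic dependency graphs."""
    graph = dependency_graph(sbom)
    start = root_ref(sbom)
    depths = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in depths:
                depths[dep] = depths[cur] + 1
                queue.append(dep)
    return depths


def suppliers(sbom):
    """bom-ref -> supplier name, or None when the SBOM does not say who supplies it."""
    return {c["bom-ref"]: (c.get("supplier") or {}).get("name")
            for c in sbom.get("components", [])}


def long_tail_report(sbom):
    """Per dependency: how far from the root it sits and who supplies it."""
    sup = suppliers(sbom)
    return {ref: {"depth": depth, "supplier": sup.get(ref)}
            for ref, depth in transitive_depths(sbom).items() if depth > 0}


def unknown_suppliers(sbom):
    """Dependencies the organisation is exposed to without knowing the supplier."""
    return sorted(ref for ref, info in long_tail_report(sbom).items()
                  if info["supplier"] is None)


def snapshot_diff(old, new):
    """How supplier relationships changed between two SBOM snapshots, keyed by
    component name so a version bump shows as a change, not as remove+add."""
    def by_name(sbom):
        return {c["name"]: c for c in sbom.get("components", [])}

    def supplier_of(c):
        return (c.get("supplier") or {}).get("name")

    o, n = by_name(old), by_name(new)
    common = set(o) & set(n)
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "version_changed": sorted(k for k in common if o[k].get("version") != n[k].get("version")),
        "supplier_changed": sorted(k for k in common if supplier_of(o[k]) != supplier_of(n[k])),
    }


if __name__ == "__main__":
    for ref, info in sorted(long_tail_report(SBOM_V1).items(), key=lambda kv: kv[1]["depth"]):
        print(f"depth {info['depth']}  {ref:36}  supplier={info['supplier']}")
    print("no supplier recorded:", unknown_suppliers(SBOM_V1))
    print("changes since last snapshot:", snapshot_diff(SBOM_V1, SBOM_V2))
```

Running the diff on every regenerated SBOM is the kind of automation the budget point above calls for: it flags a new or unknown supplier appearing three or four levels down before anyone has to read the document by hand.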

 


Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted campaigns, known as spear phishing attacks, aimed at specific high-level employees rather than ordinary, in-the-trenches workers. Because these attacks are tailored to their target, they are more sophisticated and succeed more often.

To counter this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing, because the damage a successful lure can do is bounded by that access.

Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?

Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.

Relatedly, CISOs should align their agendas with overall business needs, which helps win even more board buy-in for cyber security investment. One way to do that is to focus on how cyber security increases overall visibility into the organization. Security tooling touches every part of the IT estate and every facet of the business, which makes it an excellent resource for understanding what is happening across the company as a whole. It is not just a way to identify threats but a way to gain end-to-end visibility, and businesses can in turn leverage that visibility to support continued investment in cyber security initiatives.

“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.

Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of also actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.

Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also rehearse finding the root cause of an attack, so that breaches can be identified and shut down as quickly as possible.

The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.

To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.

Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.

See for yourself by requesting a demo at Findings.co.
