Tag Archives: supplychain

The Evolving Challenge of Supply Chain Compliance in the Banking Industry

Findings.co helps with supply chain compliance in the banking industry

Not often would one think to tie a bank and a supply chain together, but the supply chain is everywhere – even in the banking industry. 

 

Managing compliance risks in the banking industry has long been central to banking operations. But the nature of those risks has expanded and evolved – and so have the strategies that banks must adopt to stay ahead of both internal and external compliance challenges.

 

For example, banks today must grapple not just with conventional compliance risks, like an obligation to identify money laundering, but also with risks that originate from within the supply chain in the banking industry.

 

Compliance And Banking: The Traditional Approach

In the old days, compliance for banks was relatively simple. It included two key components:

 

  • External Compliance. This involved adhering to compliance rules set by regulators or other external groups. On this front, activities like anti-money laundering were banks’ main priority.

  • Internal Compliance. This meant the establishment of internal systems necessary to identify and adhere to regulatory risks. These internal systems typically weren’t specifically mandated by regulators, but banks implemented them as a means of complying with external regulations.

 

Whether externally or internally, banks’ traditional approach to compliance was essentially reactive. Businesses focused on detecting and responding to risks, rather than preventing them proactively.

 

The Challenges Of Banking Compliance And Supply Chain Management

Those days of traditional compliance for banks are over. Today’s compliance landscape within the banking industry looks quite different.

 

  • Terrorist Financing: As the IMF notes, “the international community has made the fight against money laundering and the financing of terrorism a priority.” This change has raised the stakes surrounding anti-money laundering compliance for banks and increased the pressure they face from regulators around the world in this area.

  • Bribery & Corruption: Along similar lines, “the past decade has seen the emergence of anti-corruption compliance systems in companies across the globe,” according to the OECD. Here again, banks face heightened pressure to establish compliance processes that can mitigate activities related to corruption.

  • Internal & External Fraud: These risks have seen an increase to the tune of 218 percent during 2022 alone, according to TransUnion.

  • Business Continuity Risks: The need to ensure that banks can remain operational in the face of unexpected disruptions – such as problems within the supply chain in the banking industry – has been a continued challenge for finance compliance officers to master.

  • Information & Cyber Security Risks: Last but not least, cyber security incidents continue to surge, creating a pervasive compliance challenge for banks.

 

For all of these reasons, banks today require compliance strategies that are capable of addressing a much broader range of risks than traditional money laundering. At the same time, they must be able to track and mitigate not just those risks that originate internally, but also risks that arise from within their supply chains – such as insecure software provided to banks to third-party vendors, or lack of compliance adherence by a bank’s partners.

 

Modernizing Compliance And Supply Chain Management In Banking

To meet those challenges, banks must turn to new practices that can supercharge their approach to compliance, such as:

 

  1. RegTech: RegTech refers to a new breed of IT tools – including supply chain risk management solutions like Findings – that can help banks to streamline and automate compliance operations.

  2. Proactive Compliance: Mandates like SEC Rule 30 require banks to think and act more proactively than they did in the past by establishing plans for dealing with risks ahead of time. Reactive compliance no longer cuts it.

  3. Risk Mitigation Playbooks: In a similar vein, banks should establish “playbooks” that spell out how they’ll react to particular compliance risks or incidents. By establishing playbooks ahead of time, banks can remediate problems much more efficiently when they arise.

  4. Next-generation AML: Anti-money laundering remains a pillar of banking compliance, but as noted above, modern AML must be more expansive than in the past. It must extend to domains like preventing terrorist financing and corruption – and not just among clients that banks deal with directly, but also within the banking industry supply chain.

  5. Reporting: Banks must double down on their approach to compliance reporting by ensuring that they have processes in place to disclose vulnerabilities through a VDP and violations promptly in order to comply with mandates like FINRA Rule 4530.

  6. Regulatory Penetration Testing: Regulatory penetration testing can help banks to identify risks proactively, rather than waiting for real-world violations to occur before they take action.

 

Put simply, modern banks must adopt more actionable, efficient and comprehensive compliance strategies, and they must ensure that they can enforce compliance across the entire banking industry supply chain.

 

Compliance solutions like Findings can help. By providing end-to-end visibility into supply chain operations and the compliance status of third-party vendors and suppliers, Findings makes it easy to detect risks in real time, then take action before the risks trigger compliance violations.



  Don’t be a stranger! Sign up at Findings.co today and see how Findings can help you showcase your compliance


December Security Breach Round Up

December security breaches

2023 is here and while I would love nothing more than to say that everything is awesome in the security world, I would be lying to all of you if I said there were no data breaches in the month of December. 

While most people usually wind down and enjoy the holiday season with family in December, the top dogs at the companies below probably had nothing but stress on their minds. 

Let’s dig in and see what mistakes were uncovered this month.


  1. LastPass:

Well this is a little awkward, isn’t it? Given that LastPass is a password manager, one would think that they would have strong measures in place to protect their consumer’s privacy; however, that does not seem to be the case. In a company notice, LastPass writes: “we recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” The threat actor copied information from a backup source that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The company continues to explain that “the threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.” It is important to note that many organizations and their employees use LastPass to store passwords. If you were not aware of this incident, it is time you look into protecting your accounts and changing your passwords.


  1. Uber:

When I found out about yet ANOTHER Uber breach, my reaction was a deep sigh of frustration. This time the breach resulted from a compromised third-party vendor. BleepingComputer reported about the incident and shared that “a threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees. While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.” After further investigations, Uber later shared with BleepingComputer that the threat actor stole its data in a recent breach on Teqtivity, which Uber uses for asset management and tracking services. Teqtivity informed that the threat actor was able to access device information such as serial number, make, models, and technical specs. Additionally, user information such as first name, last name, work email address, and work location details were accessed. 


  1. Five Guys:

I’ll be the first to admit that Five Guys is irresistible – especially on a cheat day. So of course I hate to be the bearer of bad news here, but alas, it has to be said. On December 29, 2022, Five Guys released a statement confirming a breach that occurred in September 2022 that exposed sensitive customer data by an unauthorized party who accessed a file server. The company writes: “The investigation identified unauthorized access to files on our file server that occurred on September 17, 2022. We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process.” Stolen data would include employee personally identifiable information (PII) such as names, social security numbers and driver’s license numbers. We see this time and time again where threat actors access sensitive information and companies do not inform victims until months later. In those months, the attackers can commit identity and credit fraud and sell user data on the dark web. That is one of the reasons why Findings is so useful – we continuously monitor your systems and the dark web to make sure that if an incident like this does ever occur, it will not take you months to find out.

 

  1. Sequoia:

For those who are unaware, Sequoia is a popular benefits and payroll management company. In a company notice, they stated: “Sequoia Benefits and Insurance Services LLC (“Company”) recently became aware that an unauthorized party may have accessed a cloud storage system that contained personal information provided in connection with the Company’s services to its clients, including your employer or, if you are a dependent, your family member’s employer.” Information accessed by the unauthorized party consists of personal information including demographic information such as name, address, date of birth, gender, marital status, employment status, social security number, work email address, member ID, wage data for benefits, attachments that may have been provided for advocate services, ID cards, and any COVID test results or vaccine card that may have been uploaded.

  1. Social Blade:

Social Blade is an analytics platform that provides statistical data for numerous social sites such as YouTube, Twitter, Twitch and Instagram. They confirmed that they suffered a data breach after their database was breached and put up for sale on a hacking forum. Social Blade monitors tens of millions of social media accounts and the hacker claims to have obtained 5.6 million records. The sample data that was posted by the hacker also suggests that many of the records contain user information. Users online were quick to share an email that was apparently sent privately to affected users. In the email, Social Blade confirms the breach and reports that the affected data includes email addresses, IP addresses, password hashes, client IDs and tokens for business API users, and authentication tokens for connected accounts. Other non-personal and internal data was also compromised. Roughly 0.1% of users also had their addresses leaked, but credit card information was not exposed. A similarity we see here in comparison to other breaches is that this was not Social Blade’s first breach. In 2016, the company also confirmed that it suffered a breach. Let’s see if the most recent breach will be the push they need to better protect their company and prevent future attacks. 

Image

source: twitter


Now that we are in 2023, we hope that companies will take the necessary steps to protect their systems. Findings has a few New Year’s resolutions we recommend companies take on to ensure that they are protecting their employees and consumers.

Attackers prey on those who don’t regularly change their passwords. In fact, it makes their jobs easier. Make sure your systems are secure with New Year’s Resolution # 1: Require your employees to change their passwords every 90 days.

With an increase in cyber attacks being committed against supply chains, it’s vital that every business implements mandatory cybersecurity training programs. Having employees that are aware of all things cyber security is beneficial in minimizing the risks associated with cyber attacks.


Staying vigilant and continuously assessing potential risks in your supply chain is an essential New Year’s Resolution that companies need to follow in 2023.



Updates are usually required for a reason, and many times it’s for security reasons. When systems are up to date, it makes it harder for hackers to attack and find loopholes in the system. 


If you haven’t heard of our continuous monitoring solution, you may want to consider looking into it.



Andddd that’s a wrap for this month!


Findings wishes you all a happy and healthy New Year.

 

We’re here for you. Learn more today.

What’s At Stake With Ineffective Third Party Vendor Risk Management

ineffective vendor risk management

Virtually every business today has to outsource work to external vendors. By extension, it needs a plan to handle what Gartner calls vendor risk management, or VRM/TPRM. 

Working with third-party vendors exposes businesses to a variety of risks:

 

  • Reputational harm: Security mistakes made by third party vendors could harm your brand’s reputation. Even if your company wasn’t at fault, customers or partners might hold your business accountable because they believe you made the poor choice of working with a risky third-party vendor.
  • Operational damage: Problems with third-party vendors could disrupt your operations. For example, if a software product you depend on becomes vulnerable, your supply chain may cease to function until you find a replacement. Or your third party vendor may be hacked, leaving the door open to your organization for breaches or system failures.
  • Financial loss: Third party vendor risks that turn into operational disruptions can ultimately lead to revenue loss, exacerbating the operational fallout of the situation and costing your organization money.
  • Compliance challenges: You may be required to prove that your supply chain risk management complies with specific security or data privacy frameworks, and mistakes made by third party vendors could expose you to compliance failures. Like customers and partners, regulators aren’t likely to care whether the root cause of the issue lies with you or your vendor; all that matters to them is that you were non-compliant.

 

To respond to these challenges, especially considering the fact that 89% of businesses experiencing a supplier risk event in the past 5 years more needs to be done to develop an effective third party vendor risk management strategy. Developing that strategy starts with recognizing the mistaken assumptions that businesses often make when attempting to manage vendor risks.

 

Let’s look at those mistakes, why they’re dangerous and what businesses can do to avoid them.

 

1. Assuming All Vendors Are Covered

It can be easy to assume that as long as you have some kind of third party vendor risk management operation in place, it covers all of your vendors and gives you complete visibility into the risks associated with them.

 

The reality is that in many cases, TPRM programs overlook some vendors. The oversights most often result from relying on manual processes to identify and vet vendors, but you can also miss some vendors because your supplier list is always changing and you may not keep it up-to-date. 

Not only that, in many cases, coverage itself is partial. Modern supply chains are complex and because of this, long-tail vendors can be easily overlooked or ignored, exposing your organization and supply chain to huge risk.

The solution to these challenges is to rely on automation to track vendors. When you automate, it becomes much easier to find all third party vendors in your supply chain, and to keep your vendor inventory continuously up-to-date.

 

2. Overlooking Risk Assessment

Simply identifying vendors is only the first step in third-party vendor risk management. Equally important is assessing how much risk each vendor introduces to your supply chain. Risk assessments should reflect factors such as how much harm the vendor could cause to your reputation, operations, finances and so on. However, too often is the risk tolerance or risk appetite in an organization under-assessed so the true effects are unknown in the case of vulnerabilities in your supply chain.

 

Ideally, risk assessment should happen automatically. Whenever you introduce a new vendor into your supply chain, or when your relationship with a vendor changes, you should be able to determine automatically how the vendor impacts your overall risk and make a valid assessment of exactly what level of risk is acceptable to your organization.

 

3. Vendor Risk Management Ends With Onboarding Assessment

While risk assessment is important, it’s not the end of the third party vendor risk management process.

 

Your relationship with vendors may evolve in ways that change the types and extent of the risk that each vendor poses. For that reason, it’s important to be able to reassess risks on a continuous basis. Using automation, you can ensure that your risk assessments are constantly updated and that they remain relevant even as your vendor relationships evolve.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

4. Underestimating Vendor Compliance Needs

Sometimes, organizations assume that as long as they’ve met basic third party vendor risk management requirements, they’re covered against compliance mandates related to their supply chain and vendors.

 

In reality, compliance requirements tend to be complex and business-specific. For that reason, generic vendor risk management is not enough to guarantee compliance. Third party vendor risk management is a step toward compliance, but you also need to step back and assess the unique compliance requirements of your company and supply chain, then determine whether additional steps are needed to achieve compliance.



Simplify Third Party Vendor Risk Management With Findings

Findings takes the hard work out of vetting third party vendors. By automating the processes of identifying and assessing vendors across your supply chain, Findings makes it easy to maintain continuously updated visibility into where supply chain risks lie and how each vendor could harm your reputation, operations  finances and more.


See for yourself by requesting a demo at findings.co

Supply Chain Attacks Surged By 42% in 2022. Here’s Why.

Increase in supply chain attacks

There’s been a massive and recent increase in the awareness of supply chain attacks. Significant investment going to tools and strategies to protect supply chains against attack have been poured into business plans, but this isn’t helping. You would think that all of this time and effort would in turn bring a decline to these threats, but you’d be wrong.

 

Quite the contrary actually. According to research from PurpleSec, supply chain attacks rose by 42% in 2022, and 64% of businesses have now been affected by supply chain software attacks.

 

Recent Supply Chain Attacks

In the case of the SolarWinds attack, malicious code inside a popular IT monitoring platform gave hackers a back door into thousands of IT networks. Similar breaches occurred in the Colonial Pipeline attack, where a leaked password caused massive panic, and in the Kaseya and Log4j breaches, which were also examples of supply chain attacks in which breaches in third-party software tools exposed a large number of businesses to attack.
 

The Appeal Of Supply Chain Attacks

Exacerbating matters further is the fact that a single supply chain breach allows attackers to target hundreds or thousands of victims by seizing upon just one vulnerability and one attack technique. From the hacker’s perspective, the ROI on supply chain attacks is exponentially higher than a traditional attack, wherein a single business is placed at risk.

 

As TechTarget explains, “supply chain attacks are difficult to detect, as they rely on software that has already been trusted and can be widely distributed.

 

Why Supply Chain Attacks Continue To Rise

 

Both of these factors – the difficulty of preventing supply chain attacks and the advantages of supply chain attacks from an attackers perspective – help to explain why supply chain attacks remain so pervasive – to the point that supply chain attacks will increase by 400 percent, according to the European Union Agency for Cybersecurity (ENISA), which adds that “strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.”

In other words, traditional approaches to defending against cybersecurity risks – such as hardening servers against attack, enforcing strong access controls and deploying malware scanners – aren’t very effective in cases where the bad guys break in by breaching your supply chain. If your IT systems are configured to trust software delivered to them by third-party suppliers, no amount of access controls or virus scanners are going to protect against flaws within those third-party systems. Conventional security controls only protect against threats that originate internally, which means they don’t address supply chain attacks.

 

What You Can Do: How To Stop Supply Chain Attacks

 

Fortunately, there are practices that can help to prevent supply chain attacks, even for organizations with complex supply chains:

 

  1. Implement Zero Trust

Zero trust means configuring IT resources so that they do not trust any other resources –internal or external – by default. They only share data and interact with resources that are explicitly validated to be secure. Zero trust policies can help to mitigate supply chain attacks by ensuring that servers, applications and other resources only trust third-party software if that software has been scanned and vetted to be secure.

 

  1. Gain Asset Visibility

Visibility – specifically, visibility into which supply chain assets exist and which risks impact them – goes a long way toward preventing supply chain attacks. Businesses should be able to identify risky assets, determine the root cause of the risks and remediate risks in a proactive manner.

 


 

 

  1. Work With Suppliers

Effective supply chain security management means not just cutting off suppliers who might place the supply chain at risk, but working with them to identify potential breach points and ensure transparency in the face of risks. Vulnerability Disclosure Programs can help here by providing a systematic means of identifying and responding to supply chain attack risks.

 

 

 Findings can help with all of these initiatives by providing automated visibility into your entire supply chain so that you know when and where risks arise. In addition, Findings helps you assess vendor compliance and manage vulnerability disclosure policies, ensuring that you’re prepared to react quickly when your supply chain becomes vulnerable to attack.

 

 

Learn more about how to prevent supply chain attacks with Findings.

Slavery Still Exists?

Modern Slavery in your supply chain

Wait a second… What?


That was my exact reaction too. In fact, modern slavery is all around us. (More than you may think).

 

You’re probably wondering: Wasn’t slavery abolished internationally in 1948 when the United Nations adopted the Universal Declaration of Human Rights

 

Apparently not. 

 

It’s almost 2023 and we live in an age where approximately 50 million people, a quarter of which are children, are trapped in modern slavery. They are are forced to work and get married, and are being exploited sexually every single day. 

 

While modern day slavery is widespread, many of us are unaware of what’s going on and the different forms of slavery that exist. You might be surprised to find that a large portion of slavery in today’s day and age is facilitated through different corporations. Furthermore, it can be found in companies of all different industries and sizes, and in every stage of the supply chain – from raw materials to manufacturing to shipping.  Knowing about modern slavery is a responsibility every business should take on, because it is possible that you are working with suppliers who use slaves, without even realizing it. 

 

Today, there are over 27 million people forced into labor. Many would say their business doesn’t tolerate modern slavery, but, when hundreds or even thousands of suppliers are added into the picture, how can you be so sure they aren’t using forced labor? 


As explained by Anti-Slavery International, the oldest international human rights organization in the world, there are different forms of slavery today:

  • Human trafficking – “The use of violence, threats or coercion to transport, recruit or harbour people in order to exploit them for purposes such as forced prostitution, labour, criminality, marriage or organ removal.” 

  • Forced labor – “Any work or services people are forced to do against their will, usually under threat of punishment.”

  • Debt bondage/bonded labor – “The world’s most widespread form of slavery. People trapped in poverty borrow money and are forced to work to pay off the debt, losing control over both their employment conditions and the debt.”

  • Descent–based slavery – “A very old form of slavery, where people are treated as property, and their “slave” status has been passed down the maternal line.”

  • Child slavery – “When a child is exploited for someone else’s gain. This can include child trafficking, child soldiers, child marriage and child domestic slavery.”

  • Forced and early marriage – “When someone is married against their will and cannot leave. Most child marriages can be considered slavery”

  • Domestic servitude Domestic work and domestic servitude are not always slavery, and when properly regulated can be an important source of income for many people. However, when someone is working in another person’s home, they may be particularly vulnerable to abuses, exploitation, and slavery, as they might be hidden from sight and lack legal protection.”

Why should your company care?

First off, I don’t think any company would be proud to say they use slaves. But besides that point, imprisonment up to life imprisonment and heavy fines are amongst the penalties. In addition, more countries are enforcing modern day slavery regulations and companies will need to show proof of compliance as time goes on. Not complying to modern slavery regulations will in turn make your company unappealing to investors and ultimately the end user. For example, in the United Kingdom, the Modern Slavery Act of 2015 requires businesses to report on steps they have taken to reduce modern slavery in their supply chains. With modern slavery so rampant in the United Kingdom, the legislation applies to commercial organizations that:

  • are a body corporate or a partnership (described as an ‘organization’ in this service), wherever incorporated

  • carry on a business, or part of a business, in the UK 

  • supply goods or services

  • have an annual turnover of £36 million or more

Currently, many organizations provide a modern slavery statement voluntarily, but in the near future, the requirement will be extended to segments of the public sector as well.


Not sure where to start? Findings gives you a platform to show track your compliance. By doing so, you are demonstrating to other enterprises that they can trust doing business with you. In addition, Findings offers assessment tools that enable you to easily evaluate whether your business is staying compliant with modern slavery regulations. 



Findings is proud of the work we do and we fully support the Universal Declaration of Human Rights. Learn more about how we can help you address modern slavery here


Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.


However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that often falls to individual businesses – which often struggle to put supply chain risk management into practice, given the fact that few organizations were closely focused on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought supply chain risks to the fore.


1. Optimize Supply Chain Visibility

The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.


That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 


When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as Tucker Bailey, McKinsey Partner notes. But the more information you have about who your suppliers are, how they build out their supply chain and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities

2. Build Supply Chain Risk Management Into Onboarding

While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.


There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process would be to do an initial risk scan of the vendor and setting a score. However, the better and more effective method is to set a periodic scan that includes an action plan. 


But even with all these processes, it doesn’t mean you should skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.

3. Plan For Supply Chain Changes

Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.


That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to who you can turn to if you need to stop using one vendor due to cyber security risks.


Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.

4. Enforce Continuous Supply Chain Risk Management

Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.


Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.


Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, And that phone call is going to say, ‘Bam, we’re now down, so do the backup plan. We want to see how long it takes you and how well it works.”


It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.

5. Automate Supply Chain Risk Management With Cyber Solutions

For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.


That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threat within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously so that you’re aware immediately when a new risk arises.


Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.

See for yourself by requesting a demo at Findings.co.

November Security Breach Round Up

November Security Breaches

From grocery stores, to banks, and everything in between – November saw it all when it came to breaches. As I mentioned in September, hackers are not picky. Let’s just say, when an opportunity arises, they will swoop right in and overtake your systems and access any data they can get their e-hands on.

 

Be careful, and keep staying informed – our goal is to make sure no company ends up on this list next month. 

 

Let’s dive in. 

 

  1. WhatsApp


Whatsapp with this?! The app that we all know, love, and use, WhatsApp, has supposedly fallen victim to a massive data leak. And by massive, I mean nearly 500 million user records have been leaked online. So… what happened? On November 16, 2022, an ad on a well-known hacking community forum was posted by someone claiming to be selling a 2022 database of WhatsApp user mobile numbers. It is also claimed that 32 million users from the United States have been included. Although only phone numbers were leaked, it is important to note that leaked phone numbers are typically used for marketing purposes, phishing, impersonation, and fraud. 

 

  1. Bed Bath & Beyond

Ah, phishing at its finest. While almost anyone who enters Bed Bath & Beyond can get lost for hours browsing, no one likes hearing about breached data. The United States retail giant confirmed that unauthorized access to company data was accessed after an employee was phished. In an 8-K filing to the U.S Securities and Exchange Commission, Bed Bath & Beyond explained that data of the employee’s hard drive and other shared drives that the employee had access to were accessed. The company is still investigating whether the drives have any sensitive or personally identifiable information.

 

  1. DropBox


File hosting service, DropBox, also fell victim to a phishing incident. In a statement from the company, they explained the situation saying “We were recently the target of a phishing campaign that successfully accessed some of the code we store in GitHub. No one’s content, passwords, or payment information was accessed, and the issue was quickly resolved. Our core apps and infrastructure were also unaffected, as access to this code is even more limited and strictly controlled. We believe the risk to customers is minimal. Because we take our commitment to security, privacy, and transparency seriously, we have notified those affected.” The company goes on to explain that on October 14, GitHub alerted them that suspicious behavior was going on. DropBox found that a threat actor was pretending to be CircleCI and was able to access one of DropBox’s GitHub accounts. To date, their investigation has found that the code accessed by the threat actor contained some credentials, primarily, API keys used by Dropbox developers.

 

  1. TransUnion


Isn’t it ironic how an agency who determines your credit score, is the one that could be ruining your credit? There are three main credit bureaus in America – Experian, Equifax and TransUnion. Unfortunately, the consumer credit reporting agency, TransUnion, experienced a breach and began notifying individuals about the incident on November 7,2022. The company collects and assembles information on over 1 billion consumers worldwide, 200 million of those being Americans. The type of information that was exposed includes names, social security numbers, driver’s license numbers, and account numbers. 

 

  1. AirAsia


AirAsia, the largest airline in Malaysia with approximately 22,000 employees and worldwide operations, has unfortunately fallen victim to a supposed ransomware attack. The group behind this attack is known as the Daixin Ransomware Gang and they have supposedly stolen data of 5 million AirAsia passengers and employees. The Daixin team is known for disrupting operations with ransomware and stealing personally identifiable information. With this data, the cyber threat group threatens to release the stolen information unless a ransom is paid. In a tweet shared by Soufiane Tahiri, screenshots from the group can be seen that were posted on the dark web. The information applies to both employees and passengers. In these documents, information such as date of birth, country of birth, where the person is from, start of employment for employees and their secret question and answer used to secure their accounts could be found. 

 

  1. Sonder


In a company security update, Sonder, a hospitality company, notified the public that they became aware of unauthorized access to one of its systems that included guest records. Information that was accessed includes: 

  • Sonder.com username and encrypted password

  • Full name, phone number, date of birth, address, and email address

  • Certain guest transaction receipts, including the last 4 digits of credit card numbers and transaction amounts

  • Dates booked for stays at a Sonder property

  • Government issued identification such as driver’s licenses or passports

 

  1. Sobeys

This incident shows that ANY business can get breached. Even a supermarket. Incase you aren’t familiar, Sobeys is one of the two national grocery retailers in Canada. On November 7, 2022, Sobeys’ parent company wrote in a notice that the grocery stores were impacted by an IT systems issue. While the company hasn’t publicly confirmed a cyber attack on its systems, a local media outlet reported that “two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident.” 

 

  1. Whoosh

Russian scooter sharing company known as Whoosh has confirmed that it too was breached. Hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Alleged stolen data on the hacking forum allegedly contains promotion codes that would allow someone to access the service for free, as well as partial user identification and payment card data. Included were email addresses, phone numbers, and first names. A russian news outlet, RIA Novosti was told by Whoosh that, “The leak of some of the personal data of customers of the Russian scooter rental service Whoosh at the beginning of November did indeed occur, but did not affect sensitive user data, such as access to accounts, transaction information or travel details” 

 

  1. Coinsquare:


Cryptocurrency is a sexy industry to talk about, but this incident is a little less appealing. To round up the month, a Canadian cryptocurrency exchange, Coinsquare has become the latest victim of a security breach. Data such as customer names, email addresses, residential addresses, phone numbers, dates of birth, device IDs, public wallet addresses, transaction history, and account balances were compromised. According to customer reports, Coinsquare allegedly contacted them via email and let them know that it had identified an intrusion and a database containing personal information accessed by an unintended third party. In a Tweet responding to an account sharing about the hack, Coinsquare wrote, “We have no evidence any of this information was viewed by the bad actor, but in an abundance of caution, we wanted to make our users aware. We notified all clients, but only identified 3 clients whose accounts were accessed.” 



Companies can get careless when it comes to securing their systems, their employees, and their customers. And while we are here to help you, the first step begins with you staying informed. Which we see you are since you made it this far! 


We’re here to help you. Contact us today

Your 2023 Supply Chain Security Conference Rundown

2023 supply chain security conferences

As every supply chain security and cyber security professional knows, there’s no such thing as taking a break from learning. Threats and cyber criminals are constantly evolving, and the only way to protect your organization and vital infrastructure is to stay one step ahead, by learning from the experiences, innovations, and insights of other experts. 

 

Here are the top supply chain security and cyber security conferences happening around the world this year, so open your calendar and plan your schedule now! 

 

1. Cybertech Global TLV

January 30 – February 1, 2023

Tel Aviv, Israel

Cybertech Global brings together top thought leaders from around the globe to share ideas and make connections about everything cyber. The three-day conference is an opportunity to hear from experts in the Middle East and beyond on the latest innovations, solutions, and emerging threats in the realm of cyber and supply chain security.

 

Speakers include Yodfat Buchris, Managing Director of Blumberg Capital, Yaroslav Rosomakho, Field CTO of Netskope, Eyal Cohen, CEO and Co-Founder of Cognifiber and many many more.

 

2. The Official Cyber Security Summit

February 10, 2023

Atlanta GA, USA

This one-day summit is short but impactful, offering an intensive day of learning about how to protect your business and networking with C-suite and senior executives. With keynote presentations from IBM Security and Huntress, it’s not one to miss. Schedule your trip now to attend sessions, swap ideas, and view demos of new solutions.  

 

3. CISO Sydney 2023

February 20-22, 2023

Sydney, Australia

The first CISO Sydney conference to take place in person since before the pandemic is packed full of informative sessions and networking opportunities. CISOs from numerous companies will join together to share intelligence, renew connections, and discover new approaches, methodologies, and tech products. The conference also features a focus day on Critical Infrastructure and DevSecOps. With a generous mix of focused talks, panel discussions and group discussions, there’s sure to be many points of interest for you. You can view the agenda here.

4. Women in Cyber Security (WiCyS)

March 16-18, 2023

Denver CO, USA

The Women in Cyber Security (WiCyS) conference is an event that strengthens the community of women working in cyber security while enabling attendees to connect, learn, and discover new concepts. This organization has been around for a decade and is dedicated to advancing the role of women in the field of cyber security. 

 

This event is focused on opportunities for women but is open to all genders. The conference includes resume clinics, mock interviews, and a career fair as well as workshops, keynote sessions, and lightning talks. 

 

5. Pharma Supply Chain & Security World 2023

March 28-29, 2023

London, UK

With counterfeiting on the rise, pharma companies are more concerned than ever with supply chain security and ensuring traceability and visibility. This year’s Pharma Supply Chain and Security World summit is rightly focusing on new solutions to ‘Building Resilient Pharma Supply Chain’, ‘Serialization and Track & Trace’, ‘Smart Packaging & Labeling’, and ‘De-Risking Supply Chain, Compliance and Contracts’. Speakers include Fausto Artico, Global R&D Tech Head and Director of Innovation and Data Science with GSK and Gianpiero Lorusso, Director, Head of Upstream Logistics with Healthcare Business of Merck. 

 

6. Third Party Vendor Risk Management for Financial Institutions

12-14 April, 2023

New York, NY, USA

This  three-day supply chain security conference is aimed at executives and cyber security heads who are concerned about minimizing supply chain risk. This year, the conference focuses on ideas and tools for monitoring third and fourth parties, increasing visibility into your extended supply chain, and improving risk management. 

 

7. RSA Conference 2023

April 24-27, 2023

San Francisco, CA, USA

The theme for this year’s RSAC is Stronger Together, with an emphasis on sharing information, ideas, and even failures. The RSA Conference offers four days of rich learning opportunities, including hands-on learning labs and Capture the Flag events, as well as keynotes and panel discussions, alongside an deas EXPO which can be explored in person or online. 

 

8. RiskWorld

April 30-May 3, 2023

Atlanta, GA, USA

The annual RiskWorld event is intended for everybody delivering risk management services, from across verticals and around the world. The conference offers four days of networking, insights, solutions, and educative sessions led by risk management leaders and disrupters.

 

Tracks for the event include Career Development, Cyber and Technology Risk, Risk Modification/Mitigation and Loss Control and many more. Register your interest to receive the agenda when it it released!

 

9. Cyber Security and Privacy Professionals Conference

May 1-3, 2023

Bellevue, WA, USA

A highly education-focused conference for cyber security and privacy professionals, this event offers opportunities for attendees to learn and discuss new challenges, emerging threats, and nascent solutions for their fields. The agenda will be released in early 2023, but if the 2022 agenda is anything to go by, this is not to be missed!

 

10. IMPACT 2023

May 3-4, 2023

Jersey City, NJ, USA

Run by the Ethics & Compliance Initiative (ECI), IMPACT 2023 opens up educational and networking sessions for everyone interested in compliance, regulatory policy, and enforcement. Leading experts and policy makers will share their ideas around strategy, risk, accountability, and ESG across sectors and verticals. Make sure to click through and sign up to their mailing list to be notified when early bird pricing drops! 

 

11. Third Party & Supply Chain Cyber Security Summit

May 4-5, 2023

Barcelona, Spain

Focusing on end to end cyber security practices, this year’s Summit brings together the latest case studies on cyber security implementation for discussion by professionals from leading companies. It’s a great opportunity to learn more about visibility, risk management, and supply chain security across your network. Some of the speakers you have to look forward to include Syed Ubaid Ali Jafri, Head of Cyber Defense & Offensive Security at Habib Bank Limited and Andrea Szeiler, Global CISO for Transcom Worldwide AB.

 

12. Gartner Supply Chain Symposium / Xpo

May 8-10, 2023

Orlando, FA, USA

As you’d expect, the Gartner Supply Chain Symposium brings together some of the top names in supply chain security to explore and investigate big ideas, small details, and actionable insights. The symposium aims to address new and existing disruptions, resilient strategies, and tech investments to minimize risk and maximize rewards. Join David Gonzalez, Conference Chair and VP Analyst and get ready to develop agile and resilient supply chain strategies, learn how to mitigate risk and respond to disruption, how to pursue digital initiatives that drive business growth, and so much more!

 

13. Black Hat Asia

May 9-12, 2023

Marina Bay Sands, Singapore

Black Hat trainings, briefings, and seminars are highly respected events, and Black Hat Asia is no exception. Held over four days in Singapore, Black Hat Asia 2023 invites all cyber security professionals to learn from researchers, educators, and experimenters in all the fields of cyber security and risk. 

 

14. American Supply Chain Summit

May 16-16, 2023

Dallas, TX, USA

The American Supply Chain Summit is one of the top supply chain security conferences for leaders and executives, bringing together supply chain security chiefs from leading brands like IKEA, Unilever, and Kroger to share case studies, swap methodologies and strategies, and prepare to meet the next threat. Key themes this year include profitability and risk management, cost optimization, workforce management, and disruptive supply chain tech. Key speakers include Chuck Graham, VP of Microsoft Cloud Sourcing, Tanja Dysli, Chief Supply Chain Officer for IKEA and Supply Chain and Andrew Rendich, Chief Supply Chain Officer for Peloton Interactive.

 

15. 2023 FINRA Annual Conference

May 16-18, 2023

Washington, DC, USA

Located this year in the Marriott Marquis in Washington, the annual FINRA conference is a highly-regarded opportunity for cyber security, supply chain security, and risk management professionals to learn about current trends and regulatory issues that affect their roles. Speakers come from both the public and private sector as well as academia. 

 

16. Cybertech Asia 2023

May 2023

Marina Bay Sands, Singapore

Cybertech Asia returns this year, after the 2022 conference had to be postponed due to COVID-19 restrictions. Expectations are high and preparations have been lengthy for this highly anticipated event! Participants can look forward to in-depth discussion about cyber threats and solutions across the sector, including an extensive exhibition center for multinational companies and SMBs alike.

 

17. Gartner Security & Risk Management Summit

June 5-7, 2023

National Harbor, MD, USA

Aimed at CISOs, risk management leaders, and people in various cyber security positions, the Gartner Security & Risk Management Summit is an arena for learning new ways to protect your organization while making new connections and discovering new insights. Get ready to hear the latest insights from Gartner’s top VP Analysts, such as Patrick Hevesi and Christie Struckman.

 

18. International Conference on Cyber Security and Resilience (ICCR2023)

July 17-18, 2023

Digital

The ICCR is a research-focused conference that brings together leading scholars and researchers to share their work and ideas about cyber security and resilience. Although it’s aimed at academics, security professionals can learn valuable insights and practical solutions to cyber security, supply chain security, and risk management challenges. 

 

19. Black Hat USA

August 6-11, 2023

Las Vegas, NV, USA / Virtual

Black Hat USA is one of the few cyber security conferences in 2023  that’s still striving to offer a rich hybrid experience. The six-day event includes four days of live, interactive and hybrid trainings, as well as a two-day hybrid conference including keynote speakers and panel discussions to be announced at a later date.

 

20. National Cyber Summit

September 20-21, 2023

Huntsville, AL, USA

The National Cyber Summit bills itself as the most innovative cyber security-technology event in the US, with a range of focus areas, leading speakers, and unique collaborative opportunities. The agenda and speakers are yet to be announced but you can view previous years on the event website and sign up for notifications for when tickets go on sale. 

 

21. InfoSec World

September 25-27, 2023

Lake Buena Vista, FL, USA

Now in its 28th year, this year’s InfoSec World offers an opportunity to meet and learn from CISOs and business security experts from a diverse range of top brands, including the NFL, Salesforce, and Carnegie Mellon University. Conference themes include Critical Infrastructure, Hackers & Threats, Identity, and Risk Mitigation, so there’s something to suit everyone. 

 

22. International Cyber Expo

September 26-27, 2023

London, UK

The International Cyber Expo brings together cyber security experts from a range of sectors, including government officials, CISOs, and leading university researchers. Cyber security and supply chain security professionals will take away plenty of new ideas, solutions, and insights so make sure to register your interest ahead of time. 

 

23. Cybertech Europe

October 3-4, 2023

Rome, Italy

Cybertech Europe offers an opportunity to listen to experiences, research, and case studies from leading cyber security experts in the public and private sectors. Attendees can join keynote sessions, workshops, and panel discussions on a broad range of topics. 

 

24. Cyber Security World Asia

October 11-12, 2023

Marina Bay Sands, Singapore

 

Cyber Security World Asia is a headline event, bringing together thought leaders from top technology companies across Asia to swap intelligence and strategies and present their innovations. They strive to lead the charge in addressing the most pertinent and compelling issues in cyber security so they should definitely be one to add to your calendar for 2023.

 

25. Insider Threat Summit

Date TBC

Location TBC

The Insider Threat Summit aims to raise the standard of cyber security across all industries and around the world by working together. It focuses on vulnerability, security, and risk management, with a number of government officials among the speakers and attendees. 

 

 

Phew! There is a lot of incredible events coming up in 2023 and you’ll definitely see our Findings team across the globe speaking at a number of these events. Make sure to bookmark this page and check back for discount codes on tickets throughout the year. 

Waiting for that next conference and eager to learn more about automating your supply chain security? Request a demo.

The New Breed of Cyber Security Threats Coming for CISOs in 2023

The New Breed of Cyber Security Threats Coming for CISOs in 2023

Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.

 

Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

  • Kobi Freedman, CEO and cofounder of Findings.
  • Reuven Aronashvili, founder and CEO of CYE.
  • Alan Platt, COO at CyberHive.
  • Jay Shaw, CEO of Praxonomy.
  • Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.

 

This diverse mix of companies and sectors, spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyberthreats.

 

Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.

 

Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.

 

As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.

 

“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7

billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”

 

The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.

 

Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.

 

This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments, but also individual businesses, who may be targeted by state-sponsored actors in order to harm countries in which businesses are based.

 

Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.

 

Covid forced companies to invest more of their IT spending in technologies that enable remote work and distributed workforces, as a result “less budget can be put into cyber security.” Due to the speed that companies had to be ready for the work-from-home/hybrid working models, mistakes in the initial set up are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure because it involves IT assets that exist beyond a company’s corporate firewall and network, and lack the type of physical security protections that exist in a traditional office environment.

 

This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.

 

Looking for a step-by-step VDP security roadmap? We’ve got you covered

 

VPNs Are No Longer Up To Snuff

Although VPNs – which are intended to protect sensitive data by encrypting packets as it flows between central IT infrastructure and remote locations, like the PCs used by workers who operate from outside the office – don’t make networks less secure, they don’t necessarily make them more secure, either. Beyond the risk that quantum computers, as noted above, could be used to break the cryptographic keys that secure VPN traffic, VPNs are complicated to administer, and they can cause problems for remote users who need to access business resources (like SaaS platforms) that aren’t actually hosted on the corporate network.

 

Instead of placing blind trust in VPNs, companies should be turning to other strategies – like zero-trust access controls – to secure their networks. Zero trust works even in a world where quantum computing may kill cryptography as we know it.

 

New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and CoFounder of Findings, to get a real handle on the risk.

 

“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.

 

Kobi added that businesses need what he called “long-tail” visibility into the supply chain. He was referring to the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how supplier relationships evolve over time. Simply compiling a software bill of materials and calling it a day won’t be enough to achieve the deep visibility necessary to secure modern supply chains.

 

And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted phishing initiatives, known as spear phishing attacks, that target high-level employees rather than ordinary, in-the-trenches workers. These attacks are more sophisticated, resulting in higher levels of success.

 

To correct against this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing.

 

Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?

 

Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.

 

Relatedly, CISOs should align their agendas with overall business needs. That strategy will help to achieve even more buy-in for cyber security investment from a board. One way to do that is by focusing on how cyber security can increase overall visibility into the organization. Cyber security tools protect all parts of the IT estate and extend to all facets of the business, which makes them an excellent resource for understanding what is happening across the company as a whole. They’re not just ways to identify threats, but to gain end-to-end visibility, which businesses can in turn leverage to support continued investment in cyber security initiatives.

 

“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.

 

Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of also ]actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.

 

Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also practice addressing the root cause of attacks in order to identify and shut down  breaches as quickly as possible.

 

The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.

 

To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.

 

Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.

 

See for yourself by requesting a demo at Findings.co.

Supply Chain Compliance Strategies for an Economic Downturn

Supply-Chain-Economic-Downturn

Economists debate whether stubbornly high inflation, combined with interest rate hikes by central banks, have actually created a recession.

But what’s not up for debate are the ways in which the current economic downtown complicates supply chain management. From less consistency within the supply chain, to fewer available resources for manually tracking supply chain compliance issues, the economic environment is imposing significant challenges on businesses. 

 

The Economy’s Impact on Compliance and Security

Economic uncertainty affects supply chain compliance initiatives in many ways – some obvious, and some less so.

 

1. The Bullwhip Effect and Lower Profitability

One of the most significant impacts results from what economists call the bullwhip effect. The term refers to the way in which mistaken assumptions about consumer demand tend to reverberate across the supply chain. For instance, if suppliers interpret a temporary uptick in demand for a product as a permanent trend, they may overinvest in production of the product. In turn, suppliers will then experience lower profit margins because they end up having to sell the product for less, due to lower-than-anticipated demand. Many economists blame the bullwhip effect as one reason why inflation has surged and corporate profits have dropped.

From the perspective of supply chain compliance, the bullwhip effect means that organizations across the supply chain face especially high pressure to squeeze profits out of their products in any way they can – including cutting corners, in some cases. For example, software companies may skimp on security monitoring or trade compliance for their products, placing organizations within their supply chain at risk. This makes the ability to detect supply chain compliance issues more important than ever in the present economic climate.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

2. Labor and Fuel Cost Increases Across the Supply Chain

Factors like higher labor costs in regions where suppliers could historically find cheap workers  and the increased cost of fuel only exacerbate the challenges faced by organizations. 

It’s not only product manufacturers who are impacted by higher costs for labor and fuel. These costs flow down the supply chain to affect organizations of all types. A company that develops software is likely paying more for the hardware its developers use, due to the increased labor and shipping costs associated with producing that hardware. So the software company, too, is squeezed by economic challenges that don’t relate directly to software production.

 

 

3. Skimping on Cyber Insurance

The third trend that impacts supply chain compliance – and one that is easy to overlook – are the lower rates of cyber insurance uptake.

In good economic times, organizations would buy cyber insurance in a bid to protect themselves against cyberattacks. Such insurance doesn’t always guarantee solvency following an attack, but it may help in certain situations.

“Insurers have also been hit by the downturn, says Peter Mansfield, a partner at Reynolds Porter Chamberlain in London. “Policyholders will look to make savings, which may include buying less insurance or better insurance.

With less money to spend, organizations choose to forgo cyber insurance or purchase less comprehensive coverage. In doing so, they place not only themselves, but also companies within their supply chain, at risk. A software company that suffers a cyberattack and doesn’t have sufficient insurance to recover will go out of business, leaving its products unsupported and insecure – a major risk for customers of those products.

 

Read here: Cyber insurance is great but you need to invest in additional tools that help detect and respond to risks

 

Supply Chain Compliance Opportunities

The good news is that it’s possible to get ahead of supply chain compliance issues by taking advantage of tools that can manage supply chain risk efficiently, regardless of the economic environment.

A healthy supply chain compliance strategy for the economic downturn hinges on visibility. Visibility into how your supply chain works and how it impacts your organization is critical for making informed decisions about supply chain compliance issues. It can also help companies manage costs. As Ed Winterschladen, executive vice president Europe at Proxima, puts it, “In a volatile supply market, running towards cheaper options won’t necessarily deliver value – identifying waste and spending better will prove more effective than reducing costs in areas of essential spend.”

Smart organizations will achieve the visibility they need using AI tools. With the help of AI tools, companies can “make supply chain planning and sourcing more cost efficient through real-time analytics and insights to help drive efficiency and productivity through its supply chain,” according to GEP. GEP also reports that two-thirds of executives identify enhanced supply chain visibility as a top priority for mitigating disruptions in 2022.


The value of improved supply chain visibility extends beyond controlling costs and supply chain compliance issues. It’s also a way of demonstrating to partners, investors and customers that your organization can thrive through times of challenge. As Accenture notes, “Consumers, investors, governments and communities may ultimately judge companies on how they respond to this period of disruption.

 

Harden your supply chain against uncertainty

In short, now is the time for organization’s to invest in efficient, comprehensive supply chain visibility and risk management. The threat of non-compliance within supply chains increases during times of economic uncertainty. AI-assisted supply chain visibility solutions make this challenge easy to meet without breaking the bank or burdening risk management teams with manual effort.


Contact Findings to learn more about how we can help protect your supply chain – in both the best and worst of economic times.

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!