Tag Archives: vendor risk management

Virtually every business today has to outsource work to external vendors. By extension, it needs a plan to handle what Gartner calls vendor risk management, or VRM/TPRM. 

Working with third-party vendors exposes businesses to a variety of risks:

• Reputational harm: Security mistakes made by third party vendors could harm your brand’s reputation. Even if your company wasn’t at fault, customers or partners might hold your business accountable because they believe you made the poor choice of working with a risky third-party vendor.
• Operational damage: Problems with third-party vendors could disrupt your operations. For example, if a software product you depend on becomes vulnerable, your supply chain may cease to function until you find a replacement. Or your third party vendor may be hacked, leaving the door open to your organization for breaches or system failures.
• Financial loss: Third party vendor risks that turn into operational disruptions can ultimately lead to revenue loss, exacerbating the operational fallout of the situation and costing your organization money.
• Compliance challenges: You may be required to prove that your supply chain risk management complies with specific security or data privacy frameworks, and mistakes made by third party vendors could expose you to compliance failures. Like customers and partners, regulators aren’t likely to care whether the root cause of the issue lies with you or your vendor; all that matters to them is that you were non-compliant.

To respond to these challenges, especially considering the fact that 89% of businesses experiencing a supplier risk event in the past 5 years more needs to be done to develop an effective third party vendor risk management strategy. Developing that strategy starts with recognizing the mistaken assumptions that businesses often make when attempting to manage vendor risks.

Let’s look at those mistakes, why they’re dangerous and what businesses can do to avoid them.

1. Assuming All Vendors Are Covered

It can be easy to assume that as long as you have some kind of third party vendor risk management operation in place, it covers all of your vendors and gives you complete visibility into the risks associated with them.

The reality is that in many cases, TPRM programs overlook some vendors. The oversights most often result from relying on manual processes to identify and vet vendors, but you can also miss some vendors because your supplier list is always changing and you may not keep it up-to-date. 

Not only that, in many cases, coverage itself is partial. Modern supply chains are complex and because of this, long-tail vendors can be easily overlooked or ignored, exposing your organization and supply chain to huge risk.

The solution to these challenges is to rely on automation to track vendors. When you automate, it becomes much easier to find all third party vendors in your supply chain, and to keep your vendor inventory continuously up-to-date.

2. Overlooking Risk Assessment

Simply identifying vendors is only the first step in third-party vendor risk management. Equally important is assessing how much risk each vendor introduces to your supply chain. Risk assessments should reflect factors such as how much harm the vendor could cause to your reputation, operations, finances and so on. However, too often is the risk tolerance or risk appetite in an organization under-assessed so the true effects are unknown in the case of vulnerabilities in your supply chain.

Ideally, risk assessment should happen automatically. Whenever you introduce a new vendor into your supply chain, or when your relationship with a vendor changes, you should be able to determine automatically how the vendor impacts your overall risk and make a valid assessment of exactly what level of risk is acceptable to your organization.

3. Vendor Risk Management Ends With Onboarding Assessment

While risk assessment is important, it’s not the end of the third party vendor risk management process.

Your relationship with vendors may evolve in ways that change the types and extent of the risk that each vendor poses. For that reason, it’s important to be able to reassess risks on a continuous basis. Using automation, you can ensure that your risk assessments are constantly updated and that they remain relevant even as your vendor relationships evolve.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

4. Underestimating Vendor Compliance Needs

Sometimes, organizations assume that as long as they’ve met basic third party vendor risk management requirements, they’re covered against compliance mandates related to their supply chain and vendors.

In reality, compliance requirements tend to be complex and business-specific. For that reason, generic vendor risk management is not enough to guarantee compliance. Third party vendor risk management is a step toward compliance, but you also need to step back and assess the unique compliance requirements of your company and supply chain, then determine whether additional steps are needed to achieve compliance.

Simplify Third Party Vendor Risk Management With Findings

Findings takes the hard work out of vetting third party vendors. By automating the processes of identifying and assessing vendors across your supply chain, Findings makes it easy to maintain continuously updated visibility into where supply chain risks lie and how each vendor could harm your reputation, operations  finances and more.

See for yourself by requesting a demo at findings.co

Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.

Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

• Kobi Freedman, CEO and cofounder of Findings.
• Reuven Aronashvili, founder and CEO of CYE.
• Alan Platt, COO at CyberHive.
• Jay Shaw, CEO of Praxonomy.
• Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.

This diverse mix of companies and sectors, spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyberthreats.

Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.

Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.

As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.

“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7

billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”

The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.

Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.

This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments, but also individual businesses, who may be targeted by state-sponsored actors in order to harm countries in which businesses are based.

Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.

Covid forced companies to invest more of their IT spending in technologies that enable remote work and distributed workforces, as a result “less budget can be put into cyber security.” Due to the speed that companies had to be ready for the work-from-home/hybrid working models, mistakes in the initial set up are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure because it involves IT assets that exist beyond a company’s corporate firewall and network, and lack the type of physical security protections that exist in a traditional office environment.

This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.

Looking for a step-by-step VDP security roadmap? We’ve got you covered

VPNs Are No Longer Up To Snuff

Although VPNs – which are intended to protect sensitive data by encrypting packets as it flows between central IT infrastructure and remote locations, like the PCs used by workers who operate from outside the office – don’t make networks less secure, they don’t necessarily make them more secure, either. Beyond the risk that quantum computers, as noted above, could be used to break the cryptographic keys that secure VPN traffic, VPNs are complicated to administer, and they can cause problems for remote users who need to access business resources (like SaaS platforms) that aren’t actually hosted on the corporate network.

Instead of placing blind trust in VPNs, companies should be turning to other strategies – like zero-trust access controls – to secure their networks. Zero trust works even in a world where quantum computing may kill cryptography as we know it.

New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and CoFounder of Findings, to get a real handle on the risk.

“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.

Kobi added that businesses need what he called “long-tail” visibility into the supply chain. He was referring to the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how supplier relationships evolve over time. Simply compiling a software bill of materials and calling it a day won’t be enough to achieve the deep visibility necessary to secure modern supply chains.

And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted phishing initiatives, known as spear phishing attacks, that target high-level employees rather than ordinary, in-the-trenches workers. These attacks are more sophisticated, resulting in higher levels of success.

To correct against this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing.

Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?

Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.

Relatedly, CISOs should align their agendas with overall business needs. That strategy will help to achieve even more buy-in for cyber security investment from a board. One way to do that is by focusing on how cyber security can increase overall visibility into the organization. Cyber security tools protect all parts of the IT estate and extend to all facets of the business, which makes them an excellent resource for understanding what is happening across the company as a whole. They’re not just ways to identify threats, but to gain end-to-end visibility, which businesses can in turn leverage to support continued investment in cyber security initiatives.

“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.

Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of also ]actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.

Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also practice addressing the root cause of attacks in order to identify and shut down  breaches as quickly as possible.

The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.

To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.

Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.

See for yourself by requesting a demo at Findings.co.

Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?

Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021), comes increased focus on your business’s reputation and possible fast tracking vetting of alternative vendors in your supply chain to keep up with demand. But thorough vetting should not be sidestepped. 

The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales

Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for 2 main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. But within your supply chain, attack vectors are far broader and numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce to their products. And the last thing you want is this impacting your Black Friday sales. 

Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.

At one of the busiest times of year, time and efficiency take center stage and It’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are used per site, making retailers vulnerable to many forms of supply chain fraud such as formjacking, data-skimming and Magecart attacks.

Kaseya Attack Affecting the Supply Chain

Though initially thought to only affect 40 of its clients, it was further discovered that over 1,000 downstream companies were affected by this 4th July attack by Russian group, REvil. With over 40,000 organizations worldwide using at least one Kaseya software solution, the potential impact of this supply chain attack was massive. By exploiting zero day vulnerabilities in Kaseya’s software, it caused a major Swedish grocery store to completely shut for 24 hours as well as 11 schools in New Zealand. 

Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key target for threat actor’s to leverage vulnerabilities in the supply chain. In fact the UK’s National Cyber Security Centre (NCSC) notified small businesses about the risk of magecart attacks on and around Black Friday last year. They’re unique because they exploit third party scripts on companies’ websites. Because highly critical services, like Adobe’s Magento, are trusted and there are not many services like them, these attacks can impact 1000s of sites simultaneously. When the NCSC notified these businesses over 4000 were at risk.

A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

• Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security is affected – whenever a risk emerges within any internal or external asset.
• Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
• Automated, scalabile compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is a short commodity). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
• Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.

The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at Findings.co.