Tag Archives: vendor risk management

Finally: Practical Guidance for Supply Chain Risk Management

Businesses are being bombarded with warnings from a variety of sources regarding supply chain risk management – ranging from media organizations like Forbes, to analyst firms like Gartner, and even to the White House, which notes that “foreign governments and criminal syndicates are regularly seeking ways to compromise our digital infrastructure” through supply chain attacks.


However, actual advice for managing supply chain risks is harder to come by. Figuring out where risks lie and working to detect them is an exercise that often falls to individual businesses – which often struggle to put supply chain risk management into practice, given the fact that few organizations were closely focused on supply chain risks until just a couple of years ago, when incidents like the SolarWinds breach brought supply chain risks to the fore.


1. Optimize Supply Chain Visibility


The single most effective step businesses can take to manage supply chain risks is to achieve visibility into their supply chains. You can’t mitigate the risks you can’t see, and if you wait for the risks to impact your own IT environment, it’s too late to prevent them from causing a disruption.


That’s why you need visibility not only into where your software comes from, but also which checks and protections your software suppliers have in place. Believe it or not, vulnerabilities will come from your least expected vendors, and more often than not, your smaller vendors. When you identify vendors who fail to manage risks, you can remove them from your supply chain in order to protect your own organization. This is where continuous monitoring steps in and becomes invaluable to your team by getting ahead of issues before remediation steps are even needed. 


When it comes to supply chain visibility, the more information you have, the better. It’s often impossible to gain complete, definitive visibility into supply chain risks because the “probability and severity of many risks is difficult to ascertain,” as Tucker Bailey, McKinsey Partner, notes. But the more information you have about who your suppliers are, how they build out their supply chain and which practices they follow to mitigate security risks, the greater your ability to find and respond to the most serious supply chain vulnerabilities.


2. Build Supply Chain Risk Management Into Onboarding


While continuous visibility into the supply chain is one step toward identifying risks, it’s also important to establish a rigorous process for vetting vendors when you onboard them into your supply chain. Identify which specific security controls you expect vendors to have in place, then implement a process that assesses how well they adhere to those practices.


There is always a risk that vendors who meet your requirements during onboarding will become insecure over time, which is why you need to monitor continuously for new supply chain risks. The most common onboarding process is to do an initial risk scan of the vendor and set a score. However, the better and more effective method is to set a periodic scan that includes an action plan.


But even with all these processes, it doesn’t mean you should skimp on vendor validation at onboarding time. Rooting out risky vendors before they even join your supply chain is more effective than identifying risks after the fact.


3. Plan For Supply Chain Changes


Actually removing risky vendors from a supply chain is hard to do if you depend on those vendors and have no alternatives.


That’s why it’s important to ensure that your supply chain is dynamic enough to accommodate sudden changes in vendors. Always have backup suppliers in mind to whom you can turn if you need to stop using one vendor due to cyber security risks.


Supply chains constantly fluctuate. Vendors that seem rock-solid one day may be in the news the next because they are the center of a major breach. You can’t control what your suppliers do, but you can control your ability to pivot to alternative suppliers quickly in order to mitigate supply chain risks.


4. Enforce Continuous Supply Chain Risk Management


Supply chain risk management should never be a one-and-done affair. Nor should you rely on periodic audits to find risks.


Instead, strive to monitor your supply chain continuously. Continuous monitoring means that you can identify vulnerable third-party software, as well as vendors who are no longer conforming to your security requirements, as soon as the risk emerges. That beats waiting until your next audit to identify a risk – or, worse, not identifying it at all because you vetted your suppliers initially and have no mechanism in place for determining when vendors who were once secure no longer are.


Ensure that the protections that your suppliers claim to have in place actually work. For example, as Jay Shaw explained during a recent LSEG event, don’t just take someone’s word for it that backups are in place. Instead, say “you’re going to get a phone call, and that phone call is going to say, ‘Bam, we’re now down, so do the backup plan. We want to see how long it takes you and how well it works.’”


It might not be practical to vet every vendor in that way, but for high-stakes suppliers, it’s important to know that promises align with realities when it comes to supply chain security protections.


5. Automate Supply Chain Risk Management With Cyber Solutions


For most businesses, the rigorous, continuous supply chain monitoring and risk management practices described above are impossible to implement manually. They would require too much time, and too much effort on the part of employees who already have overfilled plates.


That’s why it’s critical to leverage cyber solutions that automate supply chain risk management. They can identify multiple types of threat within third-party software – including malware, phishing risks, ransomware and beyond – without requiring manual vetting. And they can do this continuously so that you’re aware immediately when a new risk arises.


Automated cyber solutions have the added benefit of reducing the risk of human error. Your supply chain management tools will operate consistently and reliably, enforcing the same assessment policies over each and every vendor. Humans typically don’t achieve that level of consistency, which means that manual supply chain assessment increases the chances that risks will fall through the cracks.

How Findings can help

As a fully automated platform for identifying and managing risks across your supply chain, Findings makes it easy to put supply chain risk management practices into operation. Findings delivers centralized, continuous visibility into supply chains across any industry, enabling businesses to find and respond to risks before they turn into cyber security incidents.


See for yourself by requesting a demo at Findings.co.

The New Breed of Cyber Security Threats Coming for CISOs in 2023


Traditional challenges, like ransomware and software supply chain threats, have not gone away. But as we enter 2023, they’re being exacerbated by additional challenges, such as government-sponsored cyberattacks, the increased number of supply chain attacks, new types of phishing exploits and even the possibility that quantum computers will totally invalidate most of the core cyber security tools that businesses rely on today.

 

Those and other trends were the subject of an excellent webinar hosted recently by the London Stock Exchange Group (LSEG), moderated by Charles Clarke, Head of Security Architecture at LSEG, which brought together industry leaders including:

  • Kobi Freedman, CEO and cofounder of Findings.
  • Reuven Aronashvili, founder and CEO of CYE.
  • Alan Platt, COO at CyberHive.
  • Jay Shaw, CEO of Praxonomy.
  • Alan Moffat, CISO & Director of Business and Cyber Security Services for Sapphire.

 

This diverse mix of companies and sectors spent the morning discussing what they see as the most pressing cyber security challenges for 2023 and beyond. Although their insights gave CISOs – and businesses in general – plenty of problems to worry about, they also pointed toward solutions that forward-thinking organizations should be adopting in order to protect their operations against cyberthreats.

 

Key Cyber Security Trends for 2023

Although there was consensus that major trends in cyber security for 2023 will vary somewhat between different industries, the overall takeaway from speakers’ comments was that 2023 will see the continued emergence of a new breed of cyber security threats – or new takes on familiar ones.

 

Quantum Computing

Quantum computers – which use quantum mechanics to supercharge the processing of data – have been in the news for a long time as scientists come closer to developing quantum machines that are actually usable for real-world tasks.

 

As Alan Platt pointed out, the fact that quantum computing isn’t practical today doesn’t mean businesses shouldn’t be aware of the potential concerns. The reason why is that the sensitive data that businesses are generating today and protecting using encryption may become readable by quantum computers a few years from now.

 

“Most of the internet at the moment runs on RSA-2048 public key cryptography,” Platt said. “Breaking that using a conventional computer is estimated to take about 13.7 billion years, but a quantum computer doing exactly that same piece of cryptography would be able to crack it in just 42 minutes.”

 

The point here is that, in the not-so-distant future, security practices that CISOs rely on today to secure sensitive data may become obsolete. They’ll need to work even harder to prevent sensitive information from falling into the wrong hands in the first place, because even if the data is encrypted, quantum computers may be able to defeat the encryption with ease.

 

Increased State-Sponsored Cyberattacks

Platt also warned that the days may be coming to an end where malicious hackers seeking financial gain are the only people out to ruin a CISO’s day. Increasingly, he said, “the name of the game is about tightening security…against more complex and more damaging attacks that could take out critical infrastructure” – as opposed to threats like ransomware, which can be financially harmful but don’t usually impact physical infrastructure.

 

This new challenge reflects an increase in cyberattacks by nation-state actors seeking to use cyberwarfare as a means of harming their enemies. Although that practice is not completely new, the war in Ukraine has demonstrated an eagerness by both sides to extend traditional war into the cyber realm, heightening the security challenges faced not just by governments, but also individual businesses, who may be targeted by state-sponsored actors in order to harm countries in which businesses are based.

 

Lingering Covid Security Challenges

The Covid pandemic may effectively be over, but its impact on supply chain security and cyber security is not, according to Alan Moffat.

 

Covid forced companies to invest more of their IT spending in technologies that enable remote work and distributed workforces; as a result, “less budget can be put into cyber security.” Because of the speed with which companies had to be ready for work-from-home and hybrid working models, mistakes in the initial setup are still being shored up by security leaders. These challenges are exacerbated by the fact that remote work infrastructure is often harder to secure because it involves IT assets that exist beyond a company’s corporate firewall and network, and lack the type of physical security protections that exist in a traditional office environment.

 

This means that CISOs need to do even more with even less budget – which makes strategies like automation and early detection of threats more important than ever.

 


 

VPNs Are No Longer Up To Snuff

Although VPNs – which are intended to protect sensitive data by encrypting packets as they flow between central IT infrastructure and remote locations, like the PCs used by workers who operate from outside the office – don’t make networks less secure, they don’t necessarily make them more secure, either. Beyond the risk that quantum computers, as noted above, could be used to break the cryptographic keys that secure VPN traffic, VPNs are complicated to administer, and they can cause problems for remote users who need to access business resources (like SaaS platforms) that aren’t actually hosted on the corporate network.

 

Instead of placing blind trust in VPNs, companies should be turning to other strategies – like zero-trust access controls – to secure their networks. Zero trust works even in a world where quantum computing may kill cryptography as we know it.

 

New Types of Supply Chain Security Threats

Supply chain security challenges have received a lot of attention in recent years, and many CISOs have begun investing in initiatives to protect their supply chains, as well as to disclose supply chain vulnerabilities efficiently. But they need to do a lot more, according to Kobi Freedman, CEO and CoFounder of Findings, to get a real handle on the risk.

 

“Looking forward, we see a dramatic increase in attacks which are driven by the IoT” and that target “IoT and industrial environment” systems, our CEO added. Supply chain security strategies that address just the conventional elements of the software supply chain – like server-side applications – aren’t enough. Businesses also need to be able to understand and secure their IoT and operational technology assets.

 

Kobi added that businesses need what he called “long-tail” visibility into the supply chain. He was referring to the ability to understand not just which suppliers a business depends on directly, but also who supplies them, and how supplier relationships evolve over time. Simply compiling a software bill of materials and calling it a day won’t be enough to achieve the deep visibility necessary to secure modern supply chains.

 

And businesses will need to do all of this, Kobi pointed out, with budgets that are likely to remain constrained at least through 2023. As a result, they’ll need to make heavier use of supply chain security automation than ever.

 


 

Evolving Phishing Threats

Kobi Freedman also pointed out that the nature of phishing attacks is changing. Businesses have seen an increase in targeted phishing initiatives, known as spear phishing attacks, that target high-level employees rather than ordinary, in-the-trenches workers. These attacks are more sophisticated, resulting in higher levels of success.

 

To correct against this, businesses need to understand that humans are often the weakest link in cyber security. “90% of the risk for spear phishing attacks and other exploits comes from the human factor in the organization,” he said. The more businesses know about what their employees have access to, the better they can defend against risks like spear phishing.

 

Thriving In The Face Of 2023 Cyber Security Challenges

Faced with threats like these – as well as traditional challenges, like ransomware – what’s a CISO to do?

 

Part of the answer, the panelists agreed, is to transform cyber security within their organizations from a cost center to a “business enabler,” as Reuven Aronashvili put it. In other words, CISOs should strive to demonstrate to other executives how investments in cyber security can save money by reducing the risk of revenue loss due to IT disruptions. Viewed from that perspective, it’s easier to explain and justify continued spending on initiatives like supply chain security, even in financially tight times.

 

Relatedly, CISOs should align their agendas with overall business needs. That strategy will help to achieve even more buy-in for cyber security investment from a board. One way to do that is by focusing on how cyber security can increase overall visibility into the organization. Cyber security tools protect all parts of the IT estate and extend to all facets of the business, which makes them an excellent resource for understanding what is happening across the company as a whole. They’re not just ways to identify threats, but to gain end-to-end visibility, which businesses can in turn leverage to support continued investment in cyber security initiatives.

 

“What are my crown jewels? What are the lines of business that we need to defend? How will that translate into direct investments into tools and technologies and projects and processes and so on” to keep assets safe? Those are the types of questions CISOs should be asking to keep cyber security in alignment with broader business needs, our CEO said.

 

Planning For Breaches

Beyond the issue of investing in cyber security, Freedman underlined the importance of also actively preparing for breaches. After all, it’s not a matter of if a breach will occur, but when. No matter how many fancy, next-gen cyber security tools you deploy, it’s likely that you will be attacked successfully at some point.

 

Preparation against this risk starts with ensuring that the basic tools and protections are in place to detect attacks and begin the response process. From there, CISOs should ensure that their organizations can execute mitigation plans that minimize the impact of a breach. They should also practice addressing the root cause of attacks in order to identify and shut down breaches as quickly as possible.

 

The Changing Role Of The CISO

Ultimately, the net result of the new generation of cyber security challenges that businesses face is that the role of the CISO is changing. Today, the CISO is not just someone who has the last word on cyber security. Instead, as Aronashvili put it, the CISO is now “the middleman between the technical teams and management,” which means that CISOs need to get buy-in from other executives in order to deploy effective cyber security strategies.

 

To that end, CISOs must now focus on communicating the value of cyber security to management. They need to show that cyber security spending actually saves money, and that security doesn’t just support, but actually enables, the operations of the business as a whole.

 

Preparing For The Future With Findings

As CISOs grapple with a new wave of cyber security threats, one challenge they shouldn’t struggle to solve is supply chain security. Findings delivers end-to-end visibility into supply chain security risks and compliance by automatically compiling a profile of your business’s supply chain and helping you understand where your supply chain security challenges lie. No matter how complicated supply chain security may become, Findings makes it easy to conquer the challenge.

 

See for yourself by requesting a demo at Findings.co.

Supply Chain Compliance Strategies for an Economic Downturn


Economists debate whether stubbornly high inflation, combined with interest rate hikes by central banks, has actually created a recession.

But what’s not up for debate are the ways in which the current economic downturn complicates supply chain management. From less consistency within the supply chain, to fewer available resources for manually tracking supply chain compliance issues, the economic environment is imposing significant challenges on businesses.

 

The Economy’s Impact on Compliance and Security

Economic uncertainty affects supply chain compliance initiatives in many ways – some obvious, and some less so.

 

1. The Bullwhip Effect and Lower Profitability

One of the most significant impacts results from what economists call the bullwhip effect. The term refers to the way in which mistaken assumptions about consumer demand tend to reverberate across the supply chain. For instance, if suppliers interpret a temporary uptick in demand for a product as a permanent trend, they may overinvest in production of the product. In turn, suppliers will then experience lower profit margins because they end up having to sell the product for less, due to lower-than-anticipated demand. Many economists blame the bullwhip effect as one reason why inflation has surged and corporate profits have dropped.

From the perspective of supply chain compliance, the bullwhip effect means that organizations across the supply chain face especially high pressure to squeeze profits out of their products in any way they can – including cutting corners, in some cases. For example, software companies may skimp on security monitoring or trade compliance for their products, placing organizations within their supply chain at risk. This makes the ability to detect supply chain compliance issues more important than ever in the present economic climate.

 


 

2. Labor and Fuel Cost Increases Across the Supply Chain

Factors like higher labor costs in regions where suppliers could historically find cheap workers and the increased cost of fuel only exacerbate the challenges faced by organizations.

It’s not only product manufacturers who are impacted by higher costs for labor and fuel. These costs flow down the supply chain to affect organizations of all types. A company that develops software is likely paying more for the hardware its developers use, due to the increased labor and shipping costs associated with producing that hardware. So the software company, too, is squeezed by economic challenges that don’t relate directly to software production.

 

 

3. Skimping on Cyber Insurance

The third trend that impacts supply chain compliance – and one that is easy to overlook – is the lower rate of cyber insurance uptake.

In good economic times, organizations would buy cyber insurance in a bid to protect themselves against cyberattacks. Such insurance doesn’t always guarantee solvency following an attack, but it may help in certain situations.

“Insurers have also been hit by the downturn,” says Peter Mansfield, a partner at Reynolds Porter Chamberlain in London. “Policyholders will look to make savings, which may include buying less insurance or better insurance.”

With less money to spend, organizations choose to forgo cyber insurance or purchase less comprehensive coverage. In doing so, they place not only themselves, but also companies within their supply chain, at risk. A software company that suffers a cyberattack and doesn’t have sufficient insurance to recover will go out of business, leaving its products unsupported and insecure – a major risk for customers of those products.

 


 

Supply Chain Compliance Opportunities

The good news is that it’s possible to get ahead of supply chain compliance issues by taking advantage of tools that can manage supply chain risk efficiently, regardless of the economic environment.

A healthy supply chain compliance strategy for the economic downturn hinges on visibility. Visibility into how your supply chain works and how it impacts your organization is critical for making informed decisions about supply chain compliance issues. It can also help companies manage costs. As Ed Winterschladen, executive vice president Europe at Proxima, puts it, “In a volatile supply market, running towards cheaper options won’t necessarily deliver value – identifying waste and spending better will prove more effective than reducing costs in areas of essential spend.”

Smart organizations will achieve the visibility they need using AI tools. With the help of AI tools, companies can “make supply chain planning and sourcing more cost efficient through real-time analytics and insights to help drive efficiency and productivity through its supply chain,” according to GEP. GEP also reports that two-thirds of executives identify enhanced supply chain visibility as a top priority for mitigating disruptions in 2022.


The value of improved supply chain visibility extends beyond controlling costs and supply chain compliance issues. It’s also a way of demonstrating to partners, investors and customers that your organization can thrive through times of challenge. As Accenture notes, “Consumers, investors, governments and communities may ultimately judge companies on how they respond to this period of disruption.”

 

Harden your supply chain against uncertainty

In short, now is the time for organizations to invest in efficient, comprehensive supply chain visibility and risk management. The threat of non-compliance within supply chains increases during times of economic uncertainty. AI-assisted supply chain visibility solutions make this challenge easy to meet without breaking the bank or burdening risk management teams with manual effort.


Contact Findings to learn more about how we can help protect your supply chain – in both the best and worst of economic times.

Supply Chain Risk Management: Your Black Friday Weakest Link


Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?

 

Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021) comes increased focus on your business’s reputation, and possibly fast-tracked vetting of alternative vendors in your supply chain to keep up with demand. But thorough vetting should not be sidestepped.

 

The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales

 

Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for 2 main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. Within your supply chain, attack vectors are far broader and more numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce to their products. And the last thing you want is for this to impact your Black Friday sales.


Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.


At one of the busiest times of year, time and efficiency take center stage, and it’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.


 

Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are used per site, making retailers vulnerable to many forms of supply chain fraud such as formjacking, data-skimming and Magecart attacks.


Kaseya Attack Affecting the Supply Chain

Though the attack was initially thought to affect only 40 of Kaseya’s clients, it was later discovered that over 1,000 downstream companies were affected by this 4th of July attack by the Russian group REvil. With over 40,000 organizations worldwide using at least one Kaseya software solution, the potential impact of this supply chain attack was massive. By exploiting zero-day vulnerabilities in Kaseya’s software, the attack caused a major Swedish grocery store to shut completely for 24 hours, and also affected 11 schools in New Zealand.


Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key opportunity for threat actors to leverage vulnerabilities in the supply chain. In fact, the UK’s National Cyber Security Centre (NCSC) notified small businesses about the risk of Magecart attacks on and around Black Friday last year. Magecart attacks are unique because they exploit third-party scripts on companies’ websites. Because highly critical services, like Adobe’s Magento, are trusted and there are not many services like them, these attacks can impact thousands of sites simultaneously. When the NCSC notified these businesses, over 4,000 were at risk.


A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

  • Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security is affected – whenever a risk emerges within any internal or external asset.
  • Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
  • Automated, scalable compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is in short supply). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
  • Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.


The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at Findings.co.
