Organizations rely on many different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organizations relying on these third-party services experiencing costly downtime and exposing their assets and sensitive content to cyber criminals. In the case of something like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information at a global scale.
The very real risk presented by third-party vendors and suppliers should not be underestimated, which is why it is critical for CISOs and security teams to proactively take steps to manage supplier risk and maintain a secure and protected environment. One of the ways organizations can help reduce risk is by better screening suppliers right at the outset.
Gathering all the different information required to properly screen vendors (everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor) has historically been a very time-consuming process. Fortunately, generative AI is aiding this task, providing a faster way to extract information from questionnaires or corporate databases, analyze the data, and then provide a summary evaluation for human review. This helps to quickly “triage” vendors into different groups, depending on their risk profile.
Some vendors will automatically be weeded out if they do not meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO with the intelligence they need to make an informed decision.
The result is an ability to more thoroughly screen vendors for risk right from the beginning – helping to eliminate potentially risky suppliers from becoming part of an organization’s infrastructure in the first place. And this method can help to improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.
As large tech companies such as Microsoft and Cisco buy smaller companies to develop their own capabilities and expand their product portfolios, it becomes easier for organizations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions.
The result is that they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.
When it comes to the data centers that are hosting cloud services, who has access to those data centers, physically and remotely? And what do their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? How often do they test these processes? If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be documented.
This documentation should be readily accessible to any potential or current customer who wants to view it at any point in time. A compliance portal with 24/7 access would go a long way. These policy documents should be regularly refreshed with the most up-to-date information. Every 3-6 months is a reasonable refresh interval and ensures the documentation does not fall out of date.
While supplier risk is impossible to eliminate entirely, a few key steps make it possible to significantly reduce it. Leveraging new technologies such as generative AI responsibly can help to remove much of the burden of manual evaluation. Given that any organization is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially “at risk” third-party vendors and suppliers.
Jim McKee, CEO of Red Sky Alliance added, “In addition to the above, a great way to monitor your own supply chain is to review cyber threats against your vendors daily using RedXray, a daily cyber threat notification service. Please visit: https://redskyalliance.com/supply-chain for details. Red Sky Alliance can report on any domain in the world without the targeted domain being aware of the investigation.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989