Are Any Of Your Suppliers A Security Risk Waiting To Happen?

Uploaded on 2024-07-18 in TECHNOLOGY--Resilience, FREE TO VIEW

Organisations rely on scores of different vendors to provide and support the technical infrastructure that runs their daily operations. But what if there’s a weak link somewhere in the supply chain? 

In the case of something like the cyberattack-induced outage at managed IT services provider CTS, it could mean organisations relying on these third-party services experiencing costly downtime and exposing their assets and sensitive content to cyber criminals. In the case of something like the SolarWinds attack and the Log4j vulnerability, the weak link can lead to devastating breaches of confidential information at a global scale.

The very real risk presented by third-party vendors and suppliers shouldn’t be ignored – which is why it’s essential for CISOs and security teams to proactively take steps to manage supplier risk  to maintain a secure and protected environment.

A Smarter Approach To Screening

One of the ways organisations can help reduce risk is by better screening suppliers right at the outset.

Gathering all the different information required to properly screen vendors – everything from risk assessment questionnaires to corporate and financial data, to recent news events or Internet “chatter” that involves the vendor – has historically been a very time-consuming process. 

Fortunately, generative AI is lending a hand to this task, providing a faster way to extract information from questionnaires or corporate databases, analyse the data, and then provide a summary evaluation for a “human” review. This helps to quickly “triage” vendors into different groups, depending on their risk profile. 

Some vendors will automatically be weeded out if they don’t meet a certain benchmark, while others will clear that initial “hurdle” but warrant further, closer examination. Additionally, reporting can quickly be generated to provide the selection committee, the Board or the CFO, with the intelligence they need to make an informed decision.

The end result is an ability to more thoroughly screen vendors for risk right from the beginning – helping to eliminate potentially risky suppliers from becoming part of an organisation’s infrastructure in the first place. And this method can help to improve the ongoing risk assessment of suppliers, especially when dealing with a multitude of third-party vendors.

The Benefits Of Consolidation

It’s also worthwhile for organisations to seek ways to consolidate their existing vendors, to make sure they’re taking advantage of best-of-breed suppliers. 

As large tech companies – think here of Microsoft, Cisco, and the like – buy smaller companies to develop their own capabilities and expand their product portfolio, it becomes easier for organisations to consolidate on a single vendor for multiple aspects of a particular function, rather than relying on five or six different point solutions. 

In doing so, they can reduce the risk of potential vulnerabilities associated with using connected products that are on very different update cycles or that may not provide regular updates or patches due to limited R&D budgets.

Is The Supplier’s House In Order?

Organisations should also shine a spotlight on vendors and the policies, plans, and processes they have in place to manage risk.

For instance: When it comes to the data centres that are hosting cloud services, who has access to those data centers physically and remotely? 

Also, what does their business continuity and disaster recovery processes look like? Should any sort of disaster occur, how long will it take to restore data? And how often do they test these processes?

If there is a breach, what are the policies around incident notification? After a breach is detected, how long before the customer is notified? And how is the customer notified? By phone? By email? All these details should be crystal clear.

It’s not enough for these policies, plans, and processes to be documented and made available on demand: They should be readily accessible to any potential customer who wants to view them at any point in time. A compliance portal with 24/7 access would go a long way. Furthermore, these policy documents should be regularly refreshed with the most up-to-date information. Every 3-6 months is a good cadence to look for and ensures the documentation isn’t gathering cobwebs or becoming an increasingly irrelevant collection of out-of-date information.

Less Weak Links Means Less Risk

While supplier risk is impossible to eliminate entirely, a few key steps make it possible to significantly reduce it. Leveraging new technologies such as generative AI responsibly, can help to reduce a lot of the burden from manual evaluation.

Given that any organisation is only as strong as the weakest link in its supply chain, a conscious approach can help to strengthen its overall security and improve its risk profile by aiming to avoid potentially "at risk” third-party vendors and suppliers.

Manuel Sanchez is Information Security and Compliance Specialist at iManage

Image: tanit boonruen

You Might Also Read: 

Reducing The Risk Of Weak Links With Consolidation:   

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

 

« Warnings Over Cyber Security At The Paris Olympics
Large-Scale IT Outage Causing International Disruption »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

Information Security Systems (ISSCOM)

Information Security Systems (ISSCOM)

ISSCOM provide services to help companies implement Information Security Management Systems (ISMS) by providing consultancy and hands-on assistance.

SiteGuarding

SiteGuarding

SiteGuarding provide website security tools and services to protect your website against malware and hacker exploits.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

SafeLogic

SafeLogic

SafeLogic provides strong encryption products for solutions in mobile, server, Cloud, appliance, wearable, and IoT environments that are pursuing compliance to strict regulatory requirements.

Hack The Box

Hack The Box

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

Drip7

Drip7

Drip7 is a micro-learning platform that is re-inventing the way companies train their employees and build lasting cultural change around the importance of cybersecurity.

YorCyberSec

YorCyberSec

YorCyberSec act as a trusted Cyber and Information Security broker and procurement specialist. We help companies to Reduce Risk, Increase Assurance and Improve Performance.

HunCERT

HunCERT

HunCERT's mission is to assist Hungarian Internet Service Providers in applying appropriate procedures to address the risks of computer network incidents and to respond to such incidents.

Mitigate Cyber

Mitigate Cyber

Mitigate Cyber (formerly Xyone Cyber Security) offer a range of cyber security solutions, from threat mitigation to penetration testing, training & much more.

MedSec

MedSec

MedSec is the only company of its type focused solely on cybersecurity for hospitals and medical device manufacturers, offering both a cybersecurity software solution and consulting services.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Fairdinkum Consulting

Fairdinkum Consulting

Fairdinkum is a leading full-service IT consulting firm with more than two decades of experience in the industry.

Uptime Institute

Uptime Institute

Uptime Institute is an unbiased advisory organization focused on improving the performance, efficiency, and reliability of business critical infrastructure.

Reco AI

Reco AI

Reco is an identity-centric SaaS security solution that empowers organizations with full visibility into every app, identity, and their actions to control risk in their SaaS ecosystem.