How To Check Out Suppliers Before You Commit

Uploaded on 2023-08-22 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Organisations are struggling to assess the risk supplier processes pose to their own operations, with many only doing so once a year after they’ve engaged a supplier. Only 13% of businesses assess the risk posed by their suppliers and only 8% of the wider supply chain, according to the UK government’s latest findings in the Cyber Security Breaches Survey 2023.

This is despite the fact that the threat posed by supply chain attacks is growing.

The State of the Software Supply Chain report from Sonatype  found attacks were up 633% in 2021 and Gartner predicts that 45% of organisations will have experienced a cyber-attack that stems from their suppliers by 2025. And, failing to do your due diligence can be costly, leading to loss of reputation, fines associated with failing to meet sector specific compliance obligations and loss of revenue. Gartner found that 83% of legal and compliance leaders had detected third party risks after they had onboarded suppliers, while a survey carried out in February showed 84% of missed third party risks resulted in operational disruption.

So, given these consequences, why aren’t businesses being more proactive over assessing supplier risk?

According to the government survey, most fail to undertake or do a formal review due to lack of time and money (32%) and an inability to get the information necessary from suppliers in order to carry out the checks (31% up from 28% the previous year). Other reasons given included not knowing what to check (25%) and not feeling they had the skills to do so (18%).

Getting The Intel

Extracting information from suppliers is the issue here and it can prove time-consuming, costly and may even jeopardise relations. It can make it much harder to manage the business relationship going forward because without this information, the business is having to make uninformed decisions and guesstimates over risk levels, making it nigh impossible to hold the supplier to account over any breach of the terms and conditions of the Service Level Agreement (SLA).

What many don’t realise is that there are ways to gain this information without needing to approach the supplier at all. There’s a wealth of data that can be mined to provide insights into the security posture of the supplier and this can be used to validate the relationship before the contract is signed, as well as on an ongoing basis throughout the duration of the partnership. 

A number of technologies have arisen that enable the monitoring of the external networks from External Attack Surface Management (EASM) to Digital Risk Protection (DRP) and Cyber Threat Intelligence (CTI). These have coalesced into a new field which analyst house Frost & Sullivan have dubbed External Risk Mitigation and Management (ERMM). 

Using ERMM technologies, it’s now possible to execute automatic searches that inventory the supplier’s digital presence, enabling the business to carry out third party management without the need for consent or input from the supplier. 

Risk Scoring Suppliers

A risk score can be created for each supplier the company is thinking of working with. This evaluates their vulnerabilities, level of exposure, IT hygiene and any instances of misconfiguration related to the supplier’s website, email, IP address and domain, giving a hacker’s perspective on how secure their processes are. As the evaluation doesn’t require the deployment or configuration of any software, it has no impact on either party.

If the business does decide to go ahead and engage with a supplier, the same technologies can be used to monitor any changes to the risk profile. This will look for changes such as chatter about the vendor, for instance, on the deep or dark web, in addition to the areas outlined above. This effectively allows the external monitoring inventory to be updated on a daily basis to give a continuous risk score so that, in the event of a breach, the business can quickly determine if any liability lies with the supplier.

The external risk score can be supplemented with an assessment of the supplier’s internal security through the usual method of a questionnaire submitted to the supplier. But the real risk will always tend to be external, because, like most organisations, suppliers have focused security resources on securing their internal networks and perimeter.

Going forward, there’s little doubt that organisations are going to need to become more proactive over how they risk assessing suppliers. The current economic climate is seeing more and more organisations outsource, with 71% saying their third party network now contains more suppliers than it did three years ago, according to Gartner.

But, relying on suppliers will always result in delays and missed information. By taking the matter into their own hands, organisations can gain better visibility and control over the risks posed and their third party management. 

Abdullah Mirza is Director at CTM360                                 Image: Cybrain

You Might Also Read: 

A 'Golden Pipeline' To Secure The Supply Chain:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« LinkedIn Accounts Hacked & Ransomed
Enrolment In Computing Degree Courses In Britain Increases »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CertiKit

CertiKit

CertiKit produce toolkit products that accelerate the adoption of ISO/IEC standards, including ISO 27001, helping organizations all over the world to realize the benefits as soon as possible.

Thales

Thales

Thales provides solutions, services and products that help its customers in the defence, aeronautics, space, transportation and digital identity and security markets to fulfil their critical missions.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Cambridge Intelligence

Cambridge Intelligence

Cambridge Intelligence are experts in network visualization and finding hidden trends in complex connected data. Applications include cybersecurity.

Raz-Lee Security

Raz-Lee Security

Raz-Lee Security is the leading security solution provider for IBM Power i, otherwise known as iSeries or AS/400 servers.

Templar Executives

Templar Executives

Templar Executives is a leading, expert and dynamic Cyber Security company trusted by Governments and multi-national organisations to deliver business transformation.

IoTsploit

IoTsploit

IoTsploit provides 20/20 visibility of network connections, protecting critical infrastructure assets from IoT vulnerabilities.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

International Association of Security Awareness Professionals (IASAP)

International Association of Security Awareness Professionals (IASAP)

IASAP provides a members-only virtual sharing platform where security awareness professionals engage in a lively, year-round exchange of information and ideas.

DataSixth Security Consulting

DataSixth Security Consulting

DataSixth delivers Cybersecurity Intelligence. With our unique capabilities, we’re able to deliver value, deliver answers, and deliver actionable security intelligence.

Nomios

Nomios

Nomios develops innovative solutions for your security and network challenges. We design, secure and manage your digital infrastructure.

Cloudflare

Cloudflare

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

COPA-DATA

COPA-DATA

COPA-DATA is the only independent software manufacturer to combine in-depth experience in automation with new possibilities of digital transformation – reliable, future-proof and operating worldwide.

Technation

Technation

Technation proudly represents the Canadian technology companies that are furthering our nation and the world into the future through innovation, creativity and ingenuity.

Defendis

Defendis

Defendis develops AI-powered cybersecurity solutions for Government Agencies, Banks, and Businesses, designed to helps them contain data leaks, minimise damage, and proactively hunt for new threats.