6 Tips for Supply Chain Risk Management in 2022

Forrester recently predicted that in 2022, 60% of security incidents would involve third parties. Yikes!

With such a large percentage of incidents taking place outside the confines of their organizations, corporate leaders need to know what to do to protect their business. So, here is a list of items to address to succeed at supply chain risk (SCR) management.

1. Know Your Suppliers

It sounds simple, but many organizations we work with don't know who their suppliers are.

You can start with procurement and ask them for a list, but you'll often have to scan IT suppliers in detail, as well as everything from financial providers to courier companies. Many procurement departments vet suppliers only on service or supply charge levels, and small-dollar-value suppliers don't reach the threshold. Maybe some of them should (like the printer of your annual corporate gifts, who has your entire customer list). One large organization we worked with had over 12,000 suppliers! This organization was probably unaware of the risk carried by that volume of suppliers, and used the finding as an opportunity to prune the list!

2. Triage the List

Working out which suppliers matter to your business, and assessing the impact that any cyber incident they experience might have on you, is the next step. Many consultants say to group vendors by criticality, but this can be harder than it seems. Read this article by Phil Venables, CISO of Google, and you'll understand how outrage can push seemingly innocuous suppliers into the higher-risk tiers. Does that vendor have access to company systems, classified data, or PII? Assess their criticality – how it relates to your business, and how an incident would cause problems for your board, management team, or business operations – if you have to pull the plug on a vendor, does your business stop too?

3. Ask the Correct Assessment Questions and Obtain Evidence

Your assessment framework should cover a variety of cybersecurity standards and best practices, e.g., from the National Institute of Standards and Technology (NIST) or the CIS Critical Security Controls (formerly SANS). Questions range from the supplier's ability to encrypt data, whether it uses MFA, the supplier's password policies, patching program management, architecture and segmentation, cloud usage, and many more. A best practice is to balance your assessment questions: too few and you won't know what's actually going on; too many and you'll be lucky to get a response from your suppliers. Trustwave has 23 primary domains addressed in our assessment, which we think is the right amount. More importantly, assessment questionnaires are just the start. Ask for evidence, such as their security policy, penetration test reports, certifications like ISO 27001, and SOC 2 reports. Note: a supplier can fake these reports, so make sure they are genuine.

4. Interpret the Results with an Eagle Eye

The assessment is only as good as the tool or the human analysis behind it. We recommend you know which parameters impact a vendor's risk rating and how a given vulnerability may impact your business. For example, will SSL vulnerabilities at that vendor pose a risk to your business? If they're storing your client data on a public-facing system, this will be a problem, and a high-risk one at that; but if they're providing flowers at your front desk, it likely will not be an issue.

I'd be asking the person interpreting the questionnaire results, "Is this your core competency?" The skill level and time needed to interpret the variety of cybersecurity reports, certs, scans and rich-text responses to questions require a span of knowledge that most IT or audit generalists just don't have, and that AI-based security scans can't process with accuracy. If you're outsourcing this task, ask if this is an area in which the vendor specializes. You're paying for their time, so they should be experts who are fast at this task. They should also provide you with actionable intelligence – recommendations on actions to address gaps with high-risk suppliers.

5. Use Automated Scanning Tools with Care

These tools have their place, although the licensing cost is often considerable, particularly if you haven't done step 2 and you're scanning every vendor! Vendor scanning tools give a security profile as seen from outside the target vendor's organization – the public-facing systems, websites, servers, connection protocols, and publicly available data are compiled to produce a final score. This may be good enough for low-risk suppliers. However, it's not enough to predict whether a supplier will pose a problem for you in six months. For example, if the vendor does not have a patching program, this is likely to be a risk that's going to bite when an attacker rolls out a zero-day attack. Scans today won't tell you that, whereas an assessment by an experienced analyst is predictive and will tell you the capability of each vendor to deal with events as they arise.

6. Threat Detection Should be Part of Your SCR Strategy

In our opinion, no amount of risk assessment would protect you from a potential nation-state attack, such as the one the SolarWinds compromise posed. However, a threat detection service or capability will alert you to incidents and breaches in real time. At minimum, it will enable you to respond quickly when the worst happens, or at best, stop the threat before it reaches your critical systems.

If you're looking to improve resilience against supply chain risks, you can talk to us. Our Supply Chain Risk Diagnostic Service is ready to shorten the time needed to get your SCR management program up and running.

Alternatively, when revisiting your in-house cyber risk assessments, or looking for a more efficient third party to do this for your business, look here for a description of our Managed Vendor Risk Assessment Service.
