fbpx

Tag Archives: supplychain

October Security Breach Round Up

October was Cyber Security Awareness Month, and yet, another month, another breach. In a month that is geared towards helping organizations protect themselves, large companies have yet again fallen victim to these heinous attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop. 

 

Here are our top October 2022 know-worthy incidents:

 

Toyota:

    • Toyota is no stranger to data breaches. And by the looks of it, it seems as though the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after nearly 300,000 people who used T-Connect, a telematics service that connects vehicles via a network, were exposed. The Japanese car giant explained that personal data was leaked when an access key was publicly made available on GitHub for almost five years. Email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022 the company discovered that customer information may have been compromised after a hack on their systems. It was thought that the original hack only affected certain customers, but after this week, the company is assuming that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, and they found the files included 100 ahm policy records, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. Cloud communications company, Twilio, disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident. 

 

Don’t let your company end up on this list. See how findings can help you here.

Supply Chain Risk Management: Your Black Friday Weakest Link

Supply Chain Risk Management: Your Black Friday Weakest Link

Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?

 

Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021), comes increased focus on your business’s reputation and possible fast tracking vetting of alternative vendors in your supply chain to keep up with demand. But thorough vetting should not be sidestepped. 

 

The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales

 

Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for 2 main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. But within your supply chain, attack vectors are far broader and numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce to their products. And the last thing you want is this impacting your Black Friday sales. 


Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.


At one of the busiest times of year, time and efficiency take center stage and It’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are used per site, making retailers vulnerable to many forms of supply chain fraud such as formjacking, data-skimming and Magecart attacks.


Kaseya Attack Affecting the Supply Chain

Though initially thought to only affect 40 of its clients, it was further discovered that over 1,000 downstream companies were affected by this 4th July attack by Russian group, REvil. With over 40,000 organizations worldwide using at least one Kaseya software solution, the potential impact of this supply chain attack was massive. By exploiting zero day vulnerabilities in Kaseya’s software, it caused a major Swedish grocery store to completely shut for 24 hours as well as 11 schools in New Zealand. 


Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key target for threat actor’s to leverage vulnerabilities in the supply chain. In fact the UK’s National Cyber Security Centre (NCSC) notified small businesses about the risk of magecart attacks on and around Black Friday last year. They’re unique because they exploit third party scripts on companies’ websites. Because highly critical services, like Adobe’s Magento, are trusted and there are not many services like them, these attacks can impact 1000s of sites simultaneously. When the NCSC notified these businesses over 4000 were at risk.


A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

  • Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security is affected – whenever a risk emerges within any internal or external asset.
  • Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
  • Automated, scalabile compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is a short commodity). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
  • Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.


The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at Findings.co.

5 Critical Steps In Maintaining A Vulnerability Disclosure Policy

5 critical steps vulnerability disclosure policy

Once upon a time, the vendors that your company chose to work with were your own business. There was little pressure to disclose supply chain vendors to the world at large.

 

Those days are gone. Today, businesses face pressure from a variety of sources to establish a vendor and vulnerability disclosure policy in order to maintain a transparent supply chain.

 

Government regulators are demanding vulnerability disclosure policies in the wake of initiatives like the White House’s call for more stringent supply chain cybersecurity protections. Partners expect transparency, too – which is why companies like Palo Alto Networks and Nestlé detail their suppliers on their websites.

 

 

From the perspective of consumers as well, vulnerability disclosure policies have become a priority. Alexis Bateman and Leonardo Bonanni note in the Harvard Business Review, “researchers at the MIT Sloan School of Management found that consumers may be willing to pay 2% to 10% more for products from companies that provide greater supply chain transparency.”

 

 

For all of these reasons, now is the time for company shareholders and security teams to establish strong vulnerability disclosure policies and supply chain transparency, if they have not already. While it’s important to avoid giving away too much information – because doing so could harm your competitive advantage – CISOs also don’t want to be left playing catchup when a vulnerability arises within their supply chain. They don’t want regulators, partners, customers and shareholders asking questions about why there wasn’t more transparency and disclosure before an incident, especially in situations where proactive disclosure could have helped to mitigate the impact of a rapidly spreading attack or threat.

 

 

Of course, establishing and managing a vulnerability disclosure policy is easier said than done. To help with this mission, we are unpacking the five critical steps they should be taking to establish supply chain transparency and ensure effective disclosure of vulnerabilities (Also known as VDP).

 

 

Step 1: Set vendor disclosure goals

Supply chain transparency doesn’t mean disclosing every detail of your supply chain to the world. Instead, CISOs should set goals about how much information to disclose. Their policies should reflect the level of risk that each supply chain component or vendor poses to stakeholders.

 

For example, a vendor that supplies software that your business uses internally poses less of a risk than one who helps to provide customer-facing systems., A security issue in the latter is likely to be harder to contain and to have a bigger impact on your users and business. For that reason, a vulnerability disclosure policy might treat suppliers for line-of-business apps and customer-facing apps differently.

 

Keep in mind, too, that risks constantly change, so you should revisit your vendor disclosure goals at least yearly.

 

 

Step 2: Map suppliers and flow

Supply chain transparency is about more than just listing who your vendors are. It’s equally critical to understand how information flows between vendors, and how a vulnerability in one part of the supply chain impacts the rest of the chain.

CISOs can unpack this information by mapping suppliers to the ‘flow of information’. From there, look for gaps where failure to contain a vulnerability or disclose it quickly could impact other vendors or customers.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

 

Step 3: Optimize reporting systems

A strong vulnerability disclosure policy requires effective reporting about where vulnerabilities like to hide and which vendors they involve. Since it’s not practical to generate this information manually at any kind of scale, CISOs should leverage automatic vendor disclosure reporting systems that can generate disclosure information automatically.

 

Baking vendor disclosure into existing business processes, can also help to make reporting more systematic and automated. Supply chain transparency is an important component of corporate responsibility. Many businesses are also considering ESG as an integrated part of their cybersecurity risk management, so including it in your vendor disclosure policy just makes sense.

 

 

Step 4: Gather information continuously

Again, risks change constantly. So do the vendors within your supply chain and the role they play in it. That’s why security teams must continuously gather and update information about vendors and vulnerabilities, then adjust vulnerability disclosure policies accordingly.

They should also make sure that information is available to all stakeholders. Every person in the organization should be able to see whether there is a supply chain risk and report it to the security team.

 

Step 5: Report findings and engage vendors

Vulnerability disclosure shouldn’t be a passive affair. You can’t just list vendors or report vulnerabilities periodically on your website.

Instead, you should engage actively with your vendors to report findings, make collaborative decisions about vulnerabilities and address specific risks as quickly as possible.

 

The point of vulnerability disclosure policies, after all, is to lower risk for everyone. You can do that only by acting on the information you discover.

 

 

Continuous monitoring for vendor disclosure is essential

You may have noticed a theme running throughout the vulnerability disclosure steps described above: The importance of continuous monitoring and disclosure.

 

Continuous monitoring and disclosure means the ability to detect, report on and react to supply chain risks in real time. They’re critical because, once again, risks and vendors constantly change, so continuous monitoring is the only way to ensure you never miss a threat. Periodic audits or one-off reports are not enough to stay on top of risks or demonstrate a genuine commitment to your supply chain security.

 

Keep in mind, too, that continuous monitoring and reporting will support the image of your business as one that takes supply chain security seriously. In turn, it helps you to gain a competitive advantage, since partners and customers will see continuous transparency and reporting as a positive quality.

 

 

While continuously monitoring risk across your supply chain may seem daunting, Findings makes it easy with automated supply chain security, and our innovative continuous and cloud monitoring apps to support and scale your entire supply chain. 

 

See for yourself by signing up for a free trial.

September Security Breach Round Up

September Security Breach Round Up. An iPhone with a broken lock - signifying a breach.

Cybersecurity threats have become an integrated part of every company’s lifecycle. They are occurring now more than ever, and hackers are not selective – ultimately putting any company at risk for an attack. 

 

To keep your company safe and your cybersecurity team up to date with the latest trends, it’s important to learn from recent incidents to avoid the same mistakes that left even the world’s largest corporations exposed. 

 

Here are our top 5 September 2022 read-worthy incidents:

 

Uber:

Sneaking out of the house isn’t the only thing teens are getting good at and a recent breach proves this. On September 15, 2022, Uber fell victim to an attack. In this case, a suspected teen hacker, who Uber believes is a part of Lapsus$, was able to access Uber’s systems. In a company notice, Uber explains that the hacker likely purchased an Uber EXT contractor’s password off the dark web, and after many attempts, was successfully able to access this worker’s account. Several internal systems, internal slack messages, information from an internal tool the company uses to manage invoices, and their dashboard at HackerOne were all accessed. 


Samsung:

Most would think that one of the world’s biggest tech companies is heavily secure, right? Well… On September 2, 2022, Samsung confirmed a cybersecurity incident that affected customer data. Information such as name, contact and demographic information, date of birth, and product registration information may have been compromised. After further investigation, Samsung discovered that this incident stemmed from an unauthorized third party acquiring information from some of Samsung’s U.S. systems. 


Optus:

Optus, one of Australia’s largest telecommunication companies, suffered a cyberattack and confirmed it on September 22, 2022, through a company announcement. Customer names, dates of birth, phone numbers, email addresses, street addresses, medicare cards, and ID document numbers such as driver’s license and passport numbers of over 9 million people were potentially exposed.


American Airlines (Again?! Really?!):

On September 16, 2022, American Airlines informed customers that they experienced a security incident in July 2022. The notice explains the discovery of an unauthorized actor who compromised the email accounts of a limited number of American Airlines employees. Upon further investigation, they found that personal information such as name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information were accessible through  the email accounts. 


Tap Air Portugal:

As aviation becomes a hot target, TAP Air Portugal released an important notice to customers on September 21, 2022, regarding a cyber attack discovered back in August. The notice reads, “Regretfully, we want to inform that the following categories of personal data from some customers of TAP have been disclosed: name, nationality, gender, date of birth, address, email, telephone contact, customer registration date and frequent flyer number. The information for each affected customer may vary. We are releasing this notice to make customers aware of this matter. There is no indication that payment data was exfiltrated from TAP’s network.” While the company did not disclose how many people were affected, it is believed that over 1.5 million TAP customers had their data stolen. 


While we’ve only listed 5 of the many incidents that occurred in September, it’s important to mention that breaches occur all the time, and hackers are getting more and more creative and sophisticated. 


As businesses, it’s even more important for you to find ways to prevent, detect, and respond to these attacks in a quick and effective manner. 


Keeping your supply chain secure is vital to keeping it functioning properly and that’s why we’ve put together a supply chain security enhancement checklist for companies to reference. 

 

 

                                                                      At Findings, we help secure your digital supply chain. Discover how we can benefit your business here.

A CISO’s VDP Security Roadmap, Step-by-Step

Findings-VDP Roadmap

When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.

If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.

That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.

 

 

But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers when it comes to disclosing and reporting on vulnerabilities and ensuring they get back to the Cybersecurity Infrastructure and Security Agency (CISA). CISA which plays a leading role in managing vulnerabilities (and which has also, incidentally, developed a new VDP platform because it recognizes how crucial – and challenging – effective VDP security can be).

 

VDP security step 1: Outline your goals

Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.

Ask questions such as:

  • What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
  • What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
  • What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by developing a unique selling proposition..

Once you know your main VDP security goals, you can build and use a VDP application tailored to them.

 

VDP security step 2: Assign responsibilities, develop policies

To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.

Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.

Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.

Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management. 

 

VDP security step 3: Integrate VDP into your processes

Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policies map should reflect this.

For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.

By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports. 

These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business. 

 

VDP security step 4: Evaluate vendors

Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.

Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.

From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.

To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

VDP security step 5: Continuously monitor and audit VDP compliance

After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.

To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.

 

With VDP, everyone wins (except the bad folks)

Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.

Findings bakes VDP into  their platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings bakes the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.

 

Learn more by signing up for a Findings demo.

Our Take on Gartner’s Latest Supply Chain Compliance Advice

our take on supply chain compliance

Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management

 

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

 

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put mildly. Gartner points to a couple of main reasons why:

 

  • Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
  • Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
  • We’d also add, that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding. 

 

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

 

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

 

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

 

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

 

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories

This may be of interest to you:

 A CISO’s VDP security roadmap based on criteria defined in the playbooks

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

 

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you keep up-to-date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

 

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

 

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

 

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: Building a compliance-centric culture.

 

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.


Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

 

Learn more about how Findings can help you to streamline your compliance.

 

Top 5 Reasons Why CMMC Security Will Be Good For Your Business

Top 5 Reasons why CMMC Security will be good

Keeping up to date on the changing CMMC security requirements may seem like a hassle that’s only worth undertaking if you do business with the Department of Defense. But in reality, meeting the new CMMC compliance mandates is a great way to make your business more secure and agile.

That’s why, even if you aren’t a DoD contractor, the CMMC security updates can be beneficial to your business. Keep reading for an overview of what to know about the new CMMC Framework and how to meet it in a way that benefits your business.

Read here how to meet the CMMC compliance challenge head on 

How CMMC is changing

By May 2023, the DoD expects to implement CMMC 2.0, at least in interim form.

Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three. This is a major benefit to businesses that need to meet CMMC security mandates because it simplifies the process of choosing which compliance path to follow and adhering to its associated rules. The 3 levels are:

  • Level 1 (Foundational)

This level must match the 15 controls of FAR52.204-21 “basic” controls to protect

Federal Contract Information. Certification is required annually. It is possible for your

organization to self-assess. This is similar to the previous model in CMMC 1.0.

  • Level 2 (Advanced): 

This level is comparable to CMMC 1.0 level 3. Its requirements mirror NIST SP 800-71, which includes 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect sensitive information. The 20 requirements of CMMC 1.0 level 3 compliance have been dropped.

  • Level 3 (Expert)

Under this CMMC 2.0 assessment level, which is comparable to CMMC 1.0 level 5, businesses will require government-led assessments. The focus is on reducing Advanced Persistent Threats (APTs) that could lead to data exfiltration or compromised applications. Besides the 110 controls that are required for the new Level 2 certification, the NIST’s SP 800-172 is required for Level 3 certification.

5 great reasons to choose CMMC compliance

Some businesses will need to meet CMMC compliance requirements because they sell to the DoD, and CMMC 2.0 is a mandate. But even if that is not the case, there are great reasons to become CMMC-compliant.

1. Overall CMMC security protection

Implementing security controls using CMMC 2.0 levels is a great way to maximize your overall security posture. It will help to protect sensitive information within your organization and increase the security of your supply chain.

2. Tailor cyber hygiene to your business

CMMC uses maturity processes and cybersecurity best practices from multiple frameworks as its foundation. And, because CMMC security offers different compliance levels, it’s an excellent framework to follow if you want a cybersecurity plan tailored to your business. Not every organization faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies, such as vulnerability disclosure programs, that reflect your organization’s particular needs. 

3. Prepare for upcoming regulatory changes

As we’ve noted, there is a lot of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST. Thus, by becoming CMMC-complaint, you prepare your business to meet similar compliance mandates that may be rolled out in the future.

4. Validate your cybersecurity from the outside

CMMC assessment is a great way to determine how well your business meets security mandates. This can be done not only by internal stakeholders, who are not objective observers, but by outsiders who understand how risks can flow through supply chains and what it takes to build a strong cybersecurity culture within an organization.

5. Winning additional contracts

The higher your level of cyber security, the more competitive you’ll be. Supply chain security is increasingly viewed as a necessity rather than a nice-to-have. Businesses that fail to prioritize security risk losing contracts and relationships with key enterprises.  Additionally, coordinated vulnerability disclosure programs that are apart of the CMMC security framework, help to build trust and positive cooperation across the supply chain.

Here’s Why Your CISO Wants To Implement A CMMC Framework

The future of supply chain security

As you assess what the CMMC security changes mean for your business, don’t think merely in terms of whether you are specifically required to undergo CMMC assessments. Instead, think about how increasing awareness of cybersecurity and building a stronger cyber culture within your organization will pay dividends now and in the future, regardless of your specific CMMC compliance requirements.

After all, security is always changing, and compliance frameworks like the CMMC change with it. Keeping pace with changing requirements is a good way to encourage accountability across your supply chain and enforce strong cyber hygiene standards.

Indeed, it’s a safe bet that, going forward, cyber security requirements will become tighter, not looser. Embrace the trend now by using frameworks like the CMMC to supercharge your cyber hygiene and disclosure programs, rather than waiting until a specific mandates is handed down that affects you.

Schedule a call to learn more

How Supply Chain Cyber Security Threats Impact Stock Value

How supply chain cyber security Threats Impact Stock Value

The most obvious types of fallout from supply chain cyber security threats are the impact on regulatory compliance or the damage to a business’s reputation. 

 

But here’s another major consequence of supply chain security attacks that keep occurring despite dogged efforts to stop them: Losses on the stock market. When businesses are affected by supply chain cyber security threats – even if the threats originate from an external vendor, rather than the business’s own systems – their stock price usually takes a major hit.

 

Here’s why supply chain cyber security threats can wreak such havoc on stocks, and what to do to protect your business from watching its market value plummet due to supply chain vulnerabilities. Your goals should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

 

More resources  below to keep your supply chain secure:

Take a look at how Vulnerability disclosure programs can help secure your business

&

Watch here to understand how to give your supply chain monitoring the advantage it needs.

How supply chain security threats impact stock value

When a supply chain breach occurs, you’re at risk of losing share price for a variety of reasons.

 

Probably the most obvious is the hit you’ll take to your company’s reputation. Again, even if the breach originated in a third-party product, investors may still question your commitment to security, given that you were unable to detect and mitigate the breach quickly enough to prevent it from harming the organization.

 

Regulatory fines, too, could follow supply chain breaches if the breach leads to loss of regulated data. Those fines will impact quarterly earnings reports,that investors use to decide whether to buy or sell stock in your company.

 

In more extreme cases, supply chain security threats may become vectors that allow threat actors to take control of your systems. In turn, attackers could take actions like publishing fake news through your media channels or inject false price quotes into data feeds. Such activity may breed a sense among investors that you’ve totally lost control of your business operations, leading to a dramatic fall in market value.

 

Types of supply chain cyber security threats against stock markets

As the following image shows, supply chain breaches can target both suppliers and customers.

Proposed taxonomy for supply chain attacks

Either way, the fallout from a stock market perspective is likely to be negative for the companies involved. Any type of supply chain attack – from malware infection, to brute-force attacks, to vulnerability exploits and beyond – can undercut a business’s reputation among investors and lead to swift sell-off – which brings down stock prices.

Stock losses resulting from supply chain attacks

 

The risk we’re describing here is not just theoretical. Here are some of the most recent major supply chain cyber threat exploits. You’ll notice that they led to significant loss of company value on the stock market.

Nvidia cyber attack

When Nvidia was attacked by a ransomware group called Lapsus$, Reuters reported that Nvidia’s schematics, drivers, firmware and other sensitive intellectual property may have been compromised. The credentials of 71 000 employees were leaked, after which Lapsus$ made this information available to other hacking communities. The result was an immediate drop in Nvidia’s stock price by 7%. Although the drop was modest, and the stock quickly recovered, it was still a clear example of how supply chain cyber security threats can hamper stock value.

Mimecast  breach

Mimecast is an email security and cyber resiliance platform. When the news was released in January 2021 that they had been hit by supply chain cyber security threats, this upset shareholders trust in the stock.  

 

Mimecast stock lost more than 12 percent of its value following the disclosure of a compromised certificate. Moreover, because about 10 percent of the company’s customers were using the compromised certificate, this supply chain attack likely also impacted other businesses.

 

The Chief Information Security Officer, Terence Jackson at Thycotic, a Washington, D.C. based provider of privileged access management (PAM) solutions said,”The certificates that were compromised were used by Mimecast email security products.  These products access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”

SolarWinds attack

The SolarWinds supply chain breach, in which attackers injected malware into SolarWinds’s source code, was associated with a huge selloff that took place just days before the breach was publicly disclosed. 

 

While it has not yet been proven that the 35 investors who sold their stock right before public disclosure had insider knowledge of the breach, the timing of the selloff doesn’t seem to be coincidental.

 

Assuming it wasn’t, this is also an example of how a supply chain attack can trigger a major loss of stock value.

Staying on top of supply chain cyber security threats

 

Once a supply chain attack takes place, the damage to market value is done. The best way to contain supply chain cyber security threats, then, is to be proactive, so you can address risks before they turn into active breaches.

 

Start by gaining full visibility into your supply chain. This is the only way to know which vulnerabilities may impact you.

 

Then, take preventative measures – like application controls and network segmentation – that reduce the likelihood or mitigate the impact of cyber security incidents.

 

You should also educate your employees and partners about cyber security, and make it clear that finding and containing supply chain cyber security threats is a top priority.

 

Finally, have a crisis management plan for your supply chain security in place so that you can react swiftly if an attack does occur. Although managing your response won’t prevent all financial harm, it can reduce the total damage.

Supply chain cyber security threats aren’t bad just for your users or your IT team. They also pose a serious risk to your business’s market value. To prevent major financial losses, it’s critical to have a supply chain threat detection and mitigation solution in place.

 

Learn how Findings can help your business stay ahead of supply chain cyber security threats

 

The Insider Guide To Coordinated Vulnerability Disclosure Programs

The-Insider-Guide-To-Coordinated-Vulnerability-Disclosure-Programs

When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.

 

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and  rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited. 

Consider CVDP as a  “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 

Did you know that your supply chain security can affect your stock value?

 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

Schedule a call to learn more

Crisis Management: The Missing Link In Supply Chain Security

Crisis-Management--The-Missing-Link-In-Supply-Chain-Security

It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crisis in the recent past, despite having taken breach prevention quite seriously.

What is a cybersecurity crisis management strategy?

A crisis management strategy provides a protocol for organizations to identify, eliminate and recover from cybersecurity attacks as swiftly as possible; its purpose is to  position the organization for minimal impact of a cybersecurity incident. The protocol will unquestionably reduce the stress on your executive and IT teams in a crisis situation and everyone else involved in mitigating an attack. 

The protocol typically includes, who does what in the event of a cyber incident, who is in charge of managing the crisis, aka  Cybersecurity Crisis Response Team (“Response Team” or “CCRT”). It also covers which  systems need to be checked for impact and where the backups are located; which partners, vendors and customers need to be notified and at what stage does the Board of Directors and media need to be addressed and how. 

For many organizations, this strategy is not only  the responsible thing to do, but may also be a compliance mandate.

 

Two policies we suggest you look at:

Your Vulnerability Disclosure Policy Can be Easier Than You Think

 Meeting The CMMC Compliance challenge Head On

 

But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off, to plan for crisis management. 

It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.

Supply chain security: Your crisis management plan

Step 1: Risk assessment

The first step is to identify your supply chain security risks.

Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify vulnerabilities that exist within your supply chain security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain? Or can they be easily patched? Finally, examine how a breach may impact your business’s operations.

The easiest way to check your metal here is to take risk assessments test surveys and run some gap analysis – doing so will give you a complete score on where your current efforts stand compared to where you should be and industry standards. 

If you find any “show-stoppers,” you must stop your process and fix it before moving forward to avoid failure at a later stage.

With this insight, you can develop a plan for managing the impact.

Step 2: Formalize your security and risk management plan

Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.

Specifically, your plan should detail:

  • Whom – such as vendors, partners, customers, regulatory authorities – you need to notify about a supply chain breach. And, your head of cyber security should also be formalized.
  • Which processes various stakeholders – such as executive, IT and public relations teams will follow to do their part in handling the incident.
  • How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
  • What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.

Step 3: Practice cyber drills

In order to ensure your crisis management plan actually works as you intend it to, you should run through cyber drills, which mean engaging stakeholders in responding to simulated incidents.

If you have the resources, you can hire a professional penetration testing team to create a mock incident, then test your business’s response. Alternatively, you may use your own teams to create a simulated supply chain attack, using a red team/green team model.

The more drills you practice, the better, but you should perform one drill annually at a minimum.

Step 4: Make crisis management a collective business responsibility

Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.

Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.

Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.

Step 5: Leverage crisis management

Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.

This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.

Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.

 

Request a demo

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!