Supply chain Cyber Security Risk Management

The global WannaCry ransomware attack in May 2017 pointed out some weak points when it comes to patching out-of-date systems, and the insidious nature of phishing emails. But the speed and sheer global reach of the attack - the way it spread over 150 countries in just a matter of hours - really brought home the cyber-risk to organisations from their extended supply chains.

The question is, how do you manage the cyber security risks that come from your supply chain? You may have painstakingly achieved and maintained 27001, NIST or PCI, but, if you are sharing data, networks, and devices with hundreds, perhaps thousands of third parties, how does that factor into your cyber security and business risk management process?

The answer is to weave together your information security and supply chain, vendor management and purchasing processes.  Vendors and suppliers must be quickly,  appropriately and continuously assessed if your organisation is not going to import additional risk with each new organisation you do business with.

Joining up vendor & supplier management with information security is easier said than done.   In the heat of commerce and getting things done, asking new & existing vendors or suppliers to wade through cyber security questionnaires, make declarations and provide evidence, can very easily get overlooked.  There is also the delicate issue of getting different cyber teams to "play nicely" and agree any common frameworks that are needed.

However challenging it is, it has to be done.  Crossword's approach is to make it as easy as possible.  We use our Cyber Security Risk Assessment tool, Rizikon, to collect supplier data and analyse it using algorithms developed by City University.   This gives an immediate Supplier Scoring which can be aggregated and viewed over the entire supply chain. Assessments are completed in just minutes or hours rather than days and weeks. Each supplier is given a list of prioritised recommendations which can be reviewed jointly with Supplier Management, the Information Security team and the supplier - all online and securely encrypted.

Rizikon can support frameworks mandated by Governments and Defence Procurement such as NIST (recently updated to include more supply chain assessment), Cyber Essentials, & DCPP.

Rizikon is available in the cloud as SaaS, or installed on suitable infrastructure as an Enterprise or Programme solution. Find out more about Rizikon Supply Chain, or contact Crossword Cybersecurity.