A new service rates businesses in supply chains on their security measures and the potential risk of doing business
A new service has been launched to give indicators to enterprises of whether or not their supply chain partners could be susceptible to cyberattacks.
The security of businesses is only as strong as its weakest link. Threat actors understand this and will often target employees via phishing campaigns, malicious links, and fraudulent websites in order to steal credentials and infiltrate a corporate network.
According to BakerHostetler’s 2017 Data Security Incident Response Report, up to 43 percent of cyberthreats against enterprises are related to phishing, hacking, and malware, and 32 percent of these incidents are due to human error.
However, human shortcomings in training and cybersecurity education are only part of the problem.
Companies now working on a global platform may work with suppliers worldwide, who are held to different cybersecurity standards based on local rules and their systems may be very difficult to audit.
Attackers can now not only target corporations directly, but can also ferret out a weak link in a supply chain, such as a partner vendor with lax security, in order to reach the true goal.
The enterprise cannot control the security practices and structures of partner vendors — the exception being, if stipulations are in place for lucrative contracts — and so taking new players into a supply chain does come with risk.
However, a new service from Australian research and consultancy firm Security in Depth hopes to tackle the problem and reduce the risk factors associated with the supply chain.
Speaking to Computer World, CEO Michael Connory said the service, dubbed Cyber Assurance Risk Rating (CARR), will rate businesses on their maturity when it comes to cybersecurity and issue a “credit score.”
This score can then inform business leaders as to whether or not new suppliers could pose a risk to their own corporate networks and security.
“If you’re looking at working with organisations that are going to be linked into you, from an integration perspective — it could be your HR system, it could be your finance system, or you could be sharing project files with an external organisation — we do a review on those organisations to see where the biggest risks are.”
“That way, the organisation can make a better decision whether or not they want to share their data,” Connory noted.
The basic service rates businesses based on their industry and size. As an example, an SMB with skeleton staff is not likely to have established cybersecurity procedures in place, and so may earn a low score.
A second service tier requires a security audit of a supplier in order to see whether or not they conform to specific security standards, such as the voluntary framework issued by the National Institute of Standards and Technology (NIST).
The third level involves continuous monitoring of a supplier’s critical systems and vulnerability scans.
These kinds of services have potential in a world where cyberthreats have become a daily occurrence.
Not only could this give enterprise players more visibility into security weaknesses in their supply chains, but suppliers can benefit, too, by being made aware of any security flaws which could impact present and future business relationships.