As a vendor you are most likely responding to an increasing number of customer requests for information on the cyber security posture of your product or service, and possibly your internal cyber security program.
Supply Chain/Third Party Breaches Are Highly Damaging And Costly
The recent reports on the SolarWinds breach are testimony to the impact of supply chain/third party breaches. Approximately 18,000 companies were impacted by the compromised SolarWinds Orion update. (From: www.cybersecuritydive.com/news/cisa-initial-access-vectors-solarwinds-orion/592419) Further, the Cybersecurity and Infrastructure Security Agency (CISA) said malicious actors have access to more backdoors than just SolarWinds Orion. The agency found “evidence of additional initial access vectors and tactics, techniques, and procedures, but the new vectors are still under investigation.” (From: www.cybersecuritydive.com/news/cisa-initial-access-vectors-solarwinds-orion/592419)
A recent risk management report issued by Claroty stated that the SolarWinds attack “has again put defenders’ focus back on the supply chain.” (From: www.cybersecuritydive.com/news/solarwinds-fallout-dragos-ceo/594633) The report said that organizations “need more scrutiny on their partners, contractors, vendors, and other entities with credentialed access to internal systems, or manufacturers of hardware and firmware they may be purchasing.” Claroty’s report concludes incidents like the SolarWinds attack “demonstrate the fragility of some perimeter-based defenses and the eventuality that these attacks will land on ICS and [supervisory control and data acquisition] equipment.”
So, what do you do?
It is critical, as the starting point, to understand the basis of your customers’ queries. Customer expectations in this area vary widely, which makes it difficult for you as a vendor to respond properly. As a result, the recommended strategy is to be proactive and promote the security program that you have adopted for your organization and, as applicable, for your product/service. This increases the efficiency of your response and can differentiate you from your competition.
AESI recommends the following five-step plan for vendors:
- Adopt the supply chain/third party controls from the authoritative standard (e.g., NIST Cybersecurity Framework, NERC CIP) that is most applicable to your customer base.
- Assess the gaps that you currently have with respect to the controls in the chosen standard.
- Address the control gaps commensurate with risk.
- Monitor, exchange information with others in the industry, and improve continuously.
- Develop a document that can be provided to customers and prospects as part of the sales process and in proposals.
AESI Can Help
AESI has developed a set of robust Supply Chain/Third Party cyber security services based on authoritative standards. For Bulk Electric System entities, AESI uses the NERC CIP-013 standard, and for all other critical infrastructure entities, AESI uses the NIST Cybersecurity Framework as well as the NIST SP800-37 Risk Management Framework. AESI has extensive experience with these standards and has developed a proven methodology for risk management of supply chain/third parties. We apply that experience and methodology directly for vendors.
AESI’s process starts with a discovery phase to assess your cyber security program. We highlight the controls that your customers are expecting, and we analyze the design and implementation of these controls. We analyze third party contracts, documentation, security programs, and access to your environments. From the analysis phase we identify the gaps to the standards and then prioritize these gaps based on risk. The recommendations are discussed and finalized with you so that they are clearly understood and implementable. Our deliverables include a detailed report with a gap assessment, a long-term roadmap, and tools to be used to self-manage your Supply Chain/Third Party Risk Program. In addition, we develop a document that explains your cyber security program, to be used for customer responses and in your proposals.
AESI’s services will provide you with the following benefits:
- Appropriate and accurate capabilities to respond to cyber security queries from your customers and prospects
- Demonstration of a proactive approach to cyber security, which will provide differentiation for you in your sales process
- Standard approach to address the increasing number of questions and queries from your customers and prospects in this area
- Improved cyber posture and increased cyber maturity for your firm
- Documented proof of duty of care for protection of your firm in the event of litigation cases or insurance claims
We are pleased to offer a 15% discount for those entities that sign up for AESI’s Supply Chain / Third Party services by June 30, 2021.
We would be pleased to discuss your specific requirements and our services with you. For a no-charge consultation with one of our cyber security specialists please provide your contact information below and one of our team members will contact you.