In this third article in our series "Shaping the future of supply chain cyber security", our CEO Haydn Brooks dissects our new Defend-as-One approach and how it is already helping communities of organisations defend collectively against supply chain attacks.
As we have argued in our last article in our series on “Shaping the Future of Supply Chain Cyber Security: From TPRM to Defend-as-One”, current third-party risk management practices are proving ineffective at protecting organisations from cyber security threats in their extended supply chains.
A new ‘Defend-as-One’ approach is required that takes a more holistic view of the problem and, as a first step, moves TPRM away from a siloed, every organisation for itself model towards a collective defence approach.
To date, no holistic solution has been available to overcome the fundamental problems associated with TPRM in safeguarding organisations against supply chain breaches that we highlighted in our first two articles in this series. To briefly recap, these were:
So let’s take a look at how Risk Ledger has re-imagined TPRM and what its Defend-as-One methodology means in practice.
Recognising that the first step to better security is greater visibility and understanding of risks in the wider supply chain, Risk Ledger has developed an innovative new approach combining a third-party risk management platform with the logic of a social network for security teams.
Risk Ledger has built a supply chain security platform that connects security teams with those at their suppliers, as well as with security teams at their peers.
Similar to a social network like LinkedIn, each organisation has a profile on the same platform, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is then shared with their clients and customers.
Crucially, suppliers can also use Risk Ledger to manage their own supply chain risk, connecting with their own suppliers, thus using Risk Ledger as both a supplier and client in their own right.
Organisations acting as both suppliers and clients on the Risk Ledger platform is what uncovers the middle links in supply chains and builds the map of interdependencies within the wider supply chain ecosystem, not just between one client and their third-parties.
Because of these connections, the network can provide a unique visualisation of an organisation’s wider supply chain ecosystem beyond third parties, into fourth, fifth and n-th parties.
This offers a uniquely customised view of the entire network of connected organisations for different use cases, including detecting and measuring the kind of concentration and systemic risks that we discussed in the first article in this series.
To briefly recap, there are in essence three types of concentration risks that organisations should consider in their supply chain. The first is when an organisation relies on one critical supplier for a number of different critical services, and would find it hard to replace this supplier in the event of a breach or outage.
The second type of concentration risk is a ‘fourth-party concentration risk’, i.e. when multiple critical suppliers of an organisation rely too heavily on the same fourth-party, with which the organisation itself is not even directly connected.
The third type of concentration risk is a ‘systemic risk’, which arises when a large number of organisations all rely on the same critical supplier, but are unaware that they do. Should this critical systemic provider get breached, this could impact the operational resilience of an entire industry.
It is the latter two types of concentration risks that have hitherto been extremely difficult if not impossible for organisations to discover, but which Risk Ledger can unearth through its social network model.
Our social network approach, which allows us to visualise supply chain relationships well beyond 3rd parties, helps organisations on our platform uncover these risks to themselves, but we can also do so for entire industries or groups of connected organisations such as group structures or federated organisations.
During a Cyber Innovation Challenge, led by the City of London and Microsoft, for example, a tier-1 bank used Risk Ledger to uncover potential blindspots, and within 48 hours was able to identify 36 fourth parties connected to 14 direct suppliers, 175 fifth parties, 15 sixth parties, and 27 seventh parties, as well as, most important of all, 7 potential concentration risks. They used this information to brief the Bank of England on their efforts to gain greater awareness of risks emanating from deep inside their supply chains.
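The three concentration risks defined above, and the depth-by-depth count of fourth, fifth and n-th parties in the case study, are all graph queries over a map of client-to-supplier relationships. The following Python is an added worked example, not Risk Ledger’s own code or data model: it builds a small constructed supplier network (the organisation names and services are made up), walks it breadth-first to assign each supplier to its n-th-party layer, and then checks the network for each of the three concentration-risk types. The thresholds (two critical services, two sharing suppliers, three dependent clients) are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample network (not real organisations): each edge says that
# `client` buys `service` from `supplier`. Organisations appear both as
# clients and as suppliers, which is what exposes the middle links.
EDGES = [
    ("bank", "core-banking-saas", "core banking"),
    ("bank", "core-banking-saas", "payments"),
    ("bank", "core-banking-saas", "card processing"),
    ("bank", "kyc-vendor", "identity checks"),
    ("bank", "office-it", "managed desktop"),
    ("core-banking-saas", "cloud-host", "hosting"),
    ("kyc-vendor", "cloud-host", "hosting"),
    ("kyc-vendor", "file-transfer", "bulk file transfer"),
    ("office-it", "file-transfer", "bulk file transfer"),
    ("cloud-host", "dc-operator", "colocation"),
    ("file-transfer", "dc-operator", "colocation"),
    ("insurer", "cloud-host", "hosting"),
    ("retailer", "cloud-host", "hosting"),
    ("dc-operator", "power-utility", "power"),
]


def build_graph(edges):
    """Return client -> {supplier -> set(services)}."""
    graph = defaultdict(lambda: defaultdict(set))
    for client, supplier, service in edges:
        graph[client][supplier].add(service)
    return graph


def nth_party_layers(graph, org):
    """Breadth-first walk down the chain from `org`.

    Depth 1 = third parties, 2 = fourth parties, 3 = fifth parties, ...
    A supplier is counted once, at the shortest depth it is reached,
    so the layers do not double-count shared deep suppliers."""
    layers = defaultdict(set)
    seen = {org}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, {}):
            if supplier not in seen:
                seen.add(supplier)
                layers[depth + 1].add(supplier)
                queue.append((supplier, depth + 1))
    return dict(layers)


def single_supplier_concentration(graph, org, min_services=2):
    """Type 1: one direct supplier delivering several critical services."""
    return {supplier: sorted(services)
            for supplier, services in graph.get(org, {}).items()
            if len(services) >= min_services}


def fourth_party_concentration(graph, org, critical_suppliers, min_shared=2):
    """Type 2: a fourth party shared by several of `org`'s critical
    suppliers, with which `org` itself has no direct relationship."""
    shared = defaultdict(set)
    for supplier in critical_suppliers:
        for fourth_party in graph.get(supplier, {}):
            shared[fourth_party].add(supplier)
    direct = set(graph.get(org, {}))
    return {fp: sorted(sups) for fp, sups in shared.items()
            if len(sups) >= min_shared and fp not in direct}


def systemic_risk(graph, min_clients=3):
    """Type 3: a supplier that many organisations across the whole network
    rely on directly, typically without knowing that the others do too."""
    clients_of = defaultdict(set)
    for client, suppliers in graph.items():
        for supplier in suppliers:
            clients_of[supplier].add(client)
    return {supplier: sorted(clients)
            for supplier, clients in clients_of.items()
            if len(clients) >= min_clients}


if __name__ == "__main__":
    g = build_graph(EDGES)
    for depth, orgs in sorted(nth_party_layers(g, "bank").items()):
        print(f"depth {depth} ({depth + 2}th parties): {sorted(orgs)}")
    print("type 1:", single_supplier_concentration(g, "bank"))
    print("type 2:", fourth_party_concentration(
        g, "bank", ["core-banking-saas", "kyc-vendor", "office-it"]))
    print("type 3:", systemic_risk(g))
```

Run on the constructed network, the bank sees three third parties, two fourth parties, one fifth party and one sixth party; it finds a type 1 concentration on `core-banking-saas`, two type 2 concentrations (`cloud-host` and `file-transfer`, neither of which it contracts with directly), and `cloud-host` as the network-wide systemic supplier. The point of modelling organisations as both client and supplier is visible in the data: the type 2 and type 3 findings only exist because the bank's suppliers have also declared their own suppliers.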
The need to identify such concentration risks is becoming an increasing focus of regulators seeking to boost organisations’ operational resilience. To give just a few examples, the Financial Conduct Authority’s (FCA) updated (2019) “FG16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services”, the upcoming Digital Operational Resilience Act (DORA), the European Banking Authority’s (EBA) ‘Guidelines on outsourcing arrangements’ and NIS2 have all focused on these systemic and concentration risks, and are asking organisations in scope to identify and mitigate them.
Another problem with the state of TPRM today that we addressed in the last article in this series, and one that Risk Ledger is already actively solving for many organisations, is the lack of a commonly accepted standard for assessing the security postures of our suppliers. This is among the leading causes that make third-party risk management such an arduous and inefficient process, and it has prevented greater collaboration.
Most organisations, as we explained in the previous article, use their own tailored frameworks, which means they also have to maintain them and constantly keep abreast of new security trends and developments as well as regulatory changes in order to keep them up-to-date. But this is just one of the unnecessary extra burdens on security teams associated with doing so.
This practice also presents a huge pain point for suppliers, which receive hundreds of separate questionnaires from their clients all the time, overburdening them and making them spend less time on actually increasing their security postures. It also makes it impossible to achieve collaboration with industry peers to actually reduce the burden of duplicate assessments, because there is no single source of truth acting as a starting point that would create a cumulative benefit by multiple clients reviewing the same suppliers based on the same standards and controls. Finally, using tailored frameworks means that suppliers can only receive support from each specific client, rather than from anywhere within the community.
Risk Ledger has created a core standardised framework made up of 12 key security domains that is mapped against all leading international standards, such as ISO 27002, the NIST Cybersecurity Framework, the NCSC’s CAF and many others, so that suppliers can maintain one single source of truth.
Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them, and they also have access to add-on domains, including control questions in areas like financial risk, ESG risk and many others, if they have more specific requirements, but which don’t form part of our standardised framework.
But the core framework is the same for all suppliers, ensuring that all organisations on Risk Ledger have access to the same information, and that the information is as accurate and up-to-date as possible. If one organisation misses a flaw in a supplier’s security posture when reviewing it, the chances are good that another client of the same supplier will have spotted it.
One of the fundamental differences between the social network approach and traditional third-party risk assessments is that CISOs and their security teams are notified almost in real-time when any of the security controls at any of their suppliers have changed. The use of a standardised assessment framework makes this possible for the first time. With many eyes on the same supplier at all times, the network can collectively spot changes at any supplier much faster, and the platform then automatically notifies all connected clients about the change.
At the same time, Risk Ledger re-assesses each supplier bi-annually as well, further ensuring that the responses and evidence provided are kept up-to-date. All this removes the need for security teams to run regular full re-assessments of their suppliers from scratch. It is all being taken care of for them.
But this is just the beginning. You can find out in the next article in our series all the new features and capabilities that Risk Ledger has already been developing and which are currently being rolled out, and how they will take continuous monitoring to a whole new level of sophistication.
Moreover, a social network approach also comes in handy during times of crisis, for example when a new threat such as the MOVEit Transfer vulnerabilities emerges and is being actively exploited by threat actors. It often takes days, weeks, even months to figure out whether you're impacted by a supply chain incident, especially if the exposure is a few levels down in your supply chain. But during that time, how much data has already been exposed to malicious attackers?
When an emerging threat appears and organisations need to quickly understand and appreciate the risk to themselves from their supply chain, they often pick a segment of their suppliers to focus on, usually critical suppliers that handle sensitive data on their behalf, as well as any suppliers that they know could be affected by a threat. They don’t usually have the capacity to check all of their suppliers at scale, and they may also not have their full supplier list to hand.
Since security teams need to collect data to make informed decisions on the risk a particular supplier might pose to them, they usually put together their own set of questions and send them over email, with a deadline for responding. They then manually track responses in spreadsheets, Confluence pages, Google Docs and the like. All of this takes too long, however, and involves a lot of manual work, significantly delaying response times.
When a new emerging threat appears, Risk Ledger quickly posts information about the discovered vulnerabilities on its platform and bulk contacts all suppliers in its network, inviting them to share with their clients information on whether they have been affected and what they're doing to investigate, and then remediate.
When the MOVEit vulnerabilities were discovered, Risk Ledger quickly posted this as an emerging threat on its platform. Thousands of suppliers responded to our request within the first 48 hours alone.
Over the coming days, more and more organisations responded to the request on their security status relating to the threat.
Organisations on the platform were thus able to ascertain into which of four response groups (unaffected, investigating, remediating or resolved) each of their own critical suppliers fell, and to get in touch with any of these suppliers either to request further information or even to offer their support in dealing with any problems identified.
This significantly increases the incident response speeds to emerging threats like these, and helps security teams collaborate with the security teams at potentially vulnerable suppliers to mitigate any risks quickly.
Our visibility of the full supply chain ecosystem also puts us in a unique position to identify the potential blast radius of emerging threats and how risks and breaches might ripple up or down the chain. This enables organisations to understand where they and their suppliers sit with respect to that blast radius, and to anticipate the paths through which an attack might eventually reach them.
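The blast radius described above is the reverse of the supplier walk: starting from a compromised supplier and following dependencies upwards to every organisation that, directly or through intermediaries, relies on it. The following Python is an added example, not Risk Ledger’s code: it takes a small constructed set of client-to-supplier edges (made-up organisation names), reverses them, and walks upward breadth-first, recording for each impacted organisation the shortest dependency path that carries the exposure so a security team can see how many hops away the compromised supplier sits.

```python
from collections import defaultdict, deque

# Constructed sample dependencies as (client, supplier) pairs; not real
# organisations. "retailer" does not depend on the file transfer vendor.
EDGES = [
    ("bank", "kyc-vendor"),
    ("bank", "office-it"),
    ("insurer", "claims-platform"),
    ("kyc-vendor", "file-transfer"),
    ("office-it", "file-transfer"),
    ("claims-platform", "file-transfer"),
    ("retailer", "web-agency"),
    ("file-transfer", "dc-operator"),
]


def reverse_graph(edges):
    """supplier -> set(clients): the direction a breach ripples up the chain."""
    upstream = defaultdict(set)
    for client, supplier in edges:
        upstream[supplier].add(client)
    return upstream


def blast_radius(edges, compromised):
    """Every organisation that transitively depends on `compromised`.

    Returns {organisation: path}, where path runs from that organisation
    down to the compromised supplier and is the shortest such chain, so
    len(path) - 1 is the number of hops the exposure travels."""
    upstream = reverse_graph(edges)
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        # Sorted so the choice between equally short paths is deterministic.
        for client in sorted(upstream.get(node, ())):
            if client not in paths:
                paths[client] = [client] + paths[node]
                queue.append(client)
    del paths[compromised]
    return paths


def exposure_for(edges, org, compromised):
    """(hops, path) for `org`, or None if it is outside the blast radius."""
    path = blast_radius(edges, compromised).get(org)
    return None if path is None else (len(path) - 1, path)


if __name__ == "__main__":
    for org, path in sorted(blast_radius(EDGES, "file-transfer").items()):
        print(f"{org}: {len(path) - 1} hop(s) via {' -> '.join(path)}")
    print("retailer:", exposure_for(EDGES, "retailer", "file-transfer"))
```

With `file-transfer` as the compromised node, the walk reaches the three organisations that use it directly and then the bank and the insurer one hop further up, while the retailer and the downstream data centre operator stay outside the radius. The bank's entry shows why the deep map matters: its exposure arrives through a fourth party it never contracted with, and the path tells the team which direct supplier to ask first.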
All of the features and benefits described so far have been crucial stepping stones towards enhanced collaboration. To bring our Defend-as-One methodology to life, Risk Ledger has now introduced a new community feature into its platform, through which organisations can further exploit the benefits of taking a collective security approach to TPRM.
Like-minded organisations on Risk Ledger, either within or even beyond the same industries, can now join together in communities of interest that share many of the same problems, have to comply with the same regulations and often have significantly overlapping supply chains.
Members of these communities agree to share information on their supply chains with each other, including their supplier reviews, any risks they have raised against suppliers and, most importantly, their respective supply chain network maps. Overlaying organisations’ individual maps with those of their peers allows them to uncover otherwise hidden systemic and concentration risks shared between them across their extended collective supply chains, rather than just for themselves individually, based on their more limited maps.
In these communities, security teams can also jointly press unresponsive large suppliers to take their security reviews and self-assessments seriously and engage with the process, as well as compare notes and best practice.
Joining a community of peers provides individual security teams with much more contextual information on shared suppliers, creates additional confidence that other peers will have spotted a problem in any given supplier in case they might have missed it, and also significantly reduces the burden of assessment reviews by ending the need for duplicate reviews.
But this is just the beginning of our journey. Our social network approach and the new community feature have laid the groundwork for the kind of “Defend-as-One” future that we envision, where these and other network effects can be leveraged into a genuine collective defence approach against supply chain attacks.
No organisation is an island. Organisations are linked, whether they like it or not, and the responsibility for preventing cyber crime is inescapably shared by the entire ecosystem. To put it simply, an organisation’s defences are only as strong as those of the other organisations in the ecosystem, so sharing resources and data is in everyone’s best interests.
Right now each organisation is performing their own assessments on each individual supplier’s security controls, so there is a vast amount of duplicated effort across organisations when performing these reviews. By sharing security activity within their environments, and then collaborating on making the weakest nodes in the system stronger collectively, we can save a lot of time and resources. Even more importantly, it actually enhances the security of the entire ecosystem.
Connected organisations have a natural incentive to make sure there isn’t a breach within their ecosystem. When everyone is connected, an attack on one organisation is tantamount to an attack on every organisation, which means that looking out for each other can only be beneficial. And conversely, failing to collaborate can only be detrimental for everyone involved. When it comes to cyber security, organisations can only win when they play as a team.
Organisations should thus start to consider themselves as part of a wider network of defenders. When one node (organisation) experiences an attack, the entire network will react, learn, respond and increase in strength. Organisations with large security operations centres and strong expertise in hunting, detecting and responding to attacks must rally around their smaller partners and suppliers in order to protect the whole system.
As the network of connected organisations grows, Risk Ledger will be able to provide a bird’s eye view of entire supply chain networks for regulators, sector bodies and security agencies, creating a clear incentive for them to support our communities to Defend-as-One and to lend their support and technical expertise to immunising the entire network against attacks, benefiting everyone involved.
But this is just the beginning of our journey to transcend TPRM and approach supply chain security much more holistically. Risk Ledger’s vision for the future of supply chain security is one where we collectively create a digital Security Operations Centre (SOC) for the supply chain, where peers, their suppliers, external experts, regulators and national security organisations all collaborate, actively detecting, responding, and preventing attacks across a network of suppliers almost in real-time.
So keep a lookout for the final article in the series on our website www.riskledger.com, or subscribe via the link below to get it delivered straight to your inbox, as well as receive the final white paper at the end of this series that will include additional case studies from our work with our partners, setting out how we strive to create a future of Defend-as-One, where peers and their suppliers come together to collaboratively secure their supply chains and strengthen their combined security.
To receive the final article in our series straight to your inbox, you can sign up here:
riskledger.com/promoted/the-future-of-tprm