Due to the complexity of today's globally functioning supply chains, identifying and avoiding cyber-related third-party vendor risks is becoming more and more challenging. To add to the challenge, the cyber security of an organization's supply chain no longer depends exclusively on preventing system breaches, outages or cyberattacks within the organization itself. Sophisticated attackers are willing to use any means necessary to gain access to sensitive data, and third-party suppliers and vendors may have fewer security controls in place than your organization, making them an easier target for an initial attack. Once a vendor is breached, attackers can leverage that vendor's access as an ingress point into their ultimate target: your organization's crown jewels.
“The supply chain stuff is really tricky.”
~Elon Musk, CEO of Tesla and SpaceX
Cyber supply chain risk covers a lot of territory. According to NIST, the key cyber supply chain risks are:
In order to address cyber-related supply chain risks, organizations must have strategies in place to actively and preemptively address cybersecurity in and along the entire value chain.
At TBG Security we take a methodical approach to assessing your cyber supply chain, creating an effective supply chain management program and reducing your cyber supply chain risk.
Third-party risk management (TPRM) and vendor risk management (VRM) are a critical aspect of overall risk management: they involve analyzing and controlling the risks that arise from outsourcing to or working with third parties, including vendors, suppliers, contractors and service providers. TBG Security has partnered with three industry-leading vendors to create a TPRM/VRM service that addresses both the regulatory requirements and the best industry practices in this space. TBG Security's VRM service provides everything your organization needs to build, implement and execute a robust, comprehensive program to effectively manage the risks posed by the use of third-party vendors.
The three complementary components of our service solution are provided by Whistic, RiskRecon and Osano. Whistic is on Gartner's 2020 Magic Quadrant as a leading provider of IT Vendor Risk Management tools. Whistic makes it easy for buyers to assess their vendors and for vendors to proactively share their security posture directly from Salesforce, including security assessments, documentation, audits and certifications, to build trust early in the sales process. By leveraging RiskRecon, our solution makes it easy to gain deep, risk-contextualized insight into the cybersecurity risk performance of all of your third parties. RiskRecon gives you visibility through a deep risk assessment spanning 11 security domains and 41 security criteria, such as software patching, network filtering, IP reputation, web encryption and application security, all fully risk-contextualized and tuned to match your risk appetite.
While assessing and monitoring your vendors' security posture is critical to managing risks in your supply chain, how your vendors handle privacy requirements has become paramount in meeting the ever-changing privacy regulatory landscape. The California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR) and Canada's Consumer Privacy Protection Act (CPPA) all impose third-party vendor requirements governing how your vendors and/or third parties handle protected information. That's why we've partnered with Osano to round out our offering with an assessment of each vendor's privacy and consent posture. Osano scores each vendor on 163 items covering cookie policy and enforcement, GDPR/CCPA statements on accessibility, choice and enforcement, and numerous others, giving you a real-time assessment of the third party's privacy posture.