How has supplier due diligence responded to modern threats to supply chain

RiskXchange How has supplier due diligence responded to modern supply chain threats RiskXchange The leader in Third-Party Cyber Risk Management

On 2nd July 2021, Kaseya found their data stolen and held for ransom. Those who perpetrated the ransomware attack demanded over $70 million in payment to release the data, but the exposure of over 1500 of their clients to a potential ransomware attack was even more concerning for Kaseya. 

An investigation into the attack revealed that there was a vulnerability in Kaseya’s virtual system, which at least 50 customers could access. 

Although Kaseya avoided paying the ransom, the attack demonstrates how easy it is for businesses to fall victim to modern supply chain threats. It highlights some of the challenges of securing the supply chain and how it is important for all parties involved to carry out supplier due diligence before signing with a vendor. 

Modern threats to the supply chain and why they occur

Due to external events, several businesses have had to accelerate their digital transformation plans to ensure that they can cope with WFH requirements. However, while most businesses have made a successful transition, it has only undermined supply chain security. 

Most contemporary supply chains have multiple endpoints, which are not as secure as they could be. This provides ample opportunities for third parties to attack the system. 

This exposure of the supply chain could explain why most businesses suffer ransomware and phishing attacks. Studies show that the number of supply chain attacks have increased four-fold in 2021, compared to 2020. Out of all the supply chain attacks, ransomware attacks are leading the category, with over 52.5 million records exposed in the first half of this year alone.

This rising number of attacks indicates a problem with the due diligence process. Most companies struggle in getting the necessary information to assess vendor security because current processes are inefficient.

At the moment, the most common method for conducting supplier diligence is to send vendors a questionnaire. But this method is flawed, as we see from the number of supply chain attacks. Companies are working with hundreds of vendors which makes it difficult to collect the information they need. Even if vendor questionnaires are answered, analysing the information is a laborious task. This creates a supply chain that is vulnerable to cyberattacks. If supply chains are to survive cyber-attacks, their due diligence processes must evolve. 

Improving supplier due diligence to meet modern threats 

To meet modern threats, businesses have had to become smarter and more efficient about the due diligence process. Here are some tactics companies used to assess their vendor’s security capabilities.

Reevaluated information they asked for

Since companies are now working with hundreds of vendors, they have had to reassess what type of information they want by improving quality and reducing quantity. 

To accomplish this, most businesses focused on control objectives and reduced the focus on granular diligence. Most of the control objectives include common industry frameworks on regulations and risk controls, along with information security, technology, governance, and business practice oversight.  

Automated the questionnaire process 

Businesses have automated the process to reduce the amount of time devoted to creating, sending, and assessing due diligence questionnaires. This has allowed businesses to work more efficiently; they can work with hundreds of vendors and scope their vendor security standards far more effectively than before.

Created risk profiles to categorise vendors 

With businesses working with several vendors, supplier due diligence needs to be more organised and sophisticated; hence why businesses are creating risk profiles. 

The type of information shared and the importance of the service provided have contributed to the construction of risk profiles. Organising information this way allows businesses to create a software vendor due diligence checklist to conduct a thorough vendor assessment while saving time. They can identify the most “at-risk” vendors and work with them to rectify the situation.

Guarding the supply chain against modern cyberattacks

Supply chain attacks are growing in scope, scale, and sophistication. To counteract this troubling trend, businesses are engineering more sophisticated due diligence processes to ensure they are working with the most secure vendors or ensuring that current vendors maintain security standards that are in line with compliance regulations.

The RiskXchange solution is the only risk rating platform that gives you a 360-degree view of vendor infrastructure. If you want to optimise due diligence processes by integrating continuous monitoring into your system or assessing vendor security standards, our solution has all the features you need.