What methods do you use to mitigate risk in your supply chain? It’s impossible for your team to audit every supplier, standard contractual clauses only give you recourse after a breach, and you can’t firewall off the suppliers that your production (and payroll…) depends on.
One option is some form of third-party risk scoring. We already do this for financial risk (Equifax etc.), so why not for cyber risk? BitSight ratings are a superficial look at the internet-facing side of your suppliers: they observe what is visible from outside (exposed services, configuration hygiene, signs of compromise) and tell you nothing about the soft underbelly of what happens once an attacker is inside. Combined with certifications like ISO/IEC 27001 and even simple schemes like the UK’s Cyber Essentials, though, such a rating is a step towards improving security controls in your supply chain…:
[…] A BitSight rating may not be familiar to everyone, but when it comes to choosing what businesses to partner with as a vendor or third-party provider, this score can be insightful and educational. BitSight is a company that calculates security ratings to shed light on an organization’s security performance and measures cyber risk. Think of it as a cyber security credit score that you can evaluate before doing business with an organization, much like lenders use FICO credit scores to review potential applicants. With the overwhelming number of vulnerabilities and threats, motivated attackers, and increased attention to global privacy concerns, having access to a score like this can provide valuable context when evaluating the risk of doing business with current and prospective partners. Who wouldn’t want this in their repertoire?