Defending Against Cyber Attacks Attributable to Your Supply Chain

October 15, 2022 | 4 min read

Adam Bixler

Global Head of Supply Chain Defense

What Makes BlueVoyant Terrain: SCD™ (Supply Chain Defense) Different

Today, we’re excited to unveil a new brand identity and expanded capabilities for our supply chain cyber risk management solution. What has been BlueVoyant Terrain: 3PR (Third-Party Cyber Risk Management) is now BlueVoyant Terrain: SCD (Supply Chain Defense).

When we launched our external cyber defense offering two years ago, we aimed to bring something new to the market — the ability to not only alert to vulnerabilities with vendors and software providers but continuously monitor these third- and fourth-party vendors and quickly remediate any issues.

BlueVoyant Supply Chain Defense is the next generation of how we analyze business partners and suppliers for their cybersecurity risk. The 1.0 offerings worked to observe and measure risks, often with scores. However, these options did not help enterprises defend against attacks attributed to supply chain weaknesses, a growing threat.

The result is that many organizations are struggling to defend their supply chains. According to BlueVoyant’s research, 93% of companies say they have suffered a cybersecurity breach because of weaknesses in their supply chain. Last year the average number of supply chain breaches companies said they experienced grew moderately from 2.7 to 3.7, a 37% year-over-year increase.

The fact is that risk identification alone isn’t enough: organizations shouldn’t just score their supply chain, they should defend it. As reliance on third-party business partners and suppliers increases, cyber attackers are increasingly targeting these vectors with more sophisticated and focused approaches. It’s hard for even the largest enterprises to keep up with evolving cybersecurity threats, and even harder to track and manage vulnerabilities within their third- and fourth-tier supplier networks.

The key difference? Supply Chain Defense clients have the special ability to operationalize supply chain risk data so BlueVoyant can quickly, on their behalf, advise suppliers on best practices to remediate Zero-Tolerance findings, patching issues, IT hygiene issues, and more.

Supply chain defense is born from the knowledge of Jim Rosenthal, BlueVoyant’s CEO and co-founder. The idea for the product materialized when he was Morgan Stanley’s Chief Operating Officer. Rosenthal worked to solve the problem at Morgan Stanley, as well as across the broader financial services industry. From this experience, two years ago BlueVoyant launched our supply chain defense product.

There are seven key elements to effective supply chain defense:

  1. Accurate and complete identification of the supply chain’s attack surface validated by the right data, analysis, and expert oversight from security professionals.

  2. Supplier risk ranking and alerting prioritization.

  3. Internal assessment of supplier policies, processes, and technologies to understand a supplier’s intended state. The assessment is usually done using questionnaires/onsite audits, some of which can be validated externally.

  4. Continuous external vulnerability assessment of supplier network presence to establish a supplier’s actual state as seen by attackers.

  5. The ability to quickly respond to and thoroughly resolve issues.

  6. Enforce cybersecurity posture requirements in all supplier contracts.

  7. Establish effective cyber diligence as part of the new supplier evaluation and onboarding process.

BlueVoyant: SCD (Supply Chain Defense)

From day one, we set out to reduce supplier risk with a comprehensive perspective that uses a technology-driven approach backed by human-in-the-loop expertise. Once BlueVoyant Terrain: SCD technology identifies and detects potential risk in your supply chain’s attack surface, BlueVoyant’s Risk Operations Center (ROC) analysts curate and validate these findings to ensure accuracy and priority. In addition, ROC experts directly communicate and coordinate with your suppliers to help make sure findings are resolved and don’t reappear.

We’ve learned from working with our client organizations in industries ranging from manufacturing to media to finance that typically about 15% of your suppliers at any point in time show one or more critical findings.

The ROC provides organizations with proactive protection for their supply chains against new vulnerabilities and commonly overlooked risky behaviors that might leave your network exposed. With assistance from the ROC, the vast majority of critical vulnerabilities have been remediated within 30 days of notification. By comparison, in that same time span only a minority of vulnerabilities are remediated by most organizations that lack similar oversight and analyst support to communicate directly with their suppliers. This is a force multiplier for organizations attempting to keep pace with threats to the key vendors, suppliers, and partners supporting their critical business processes.

BlueVoyant Terrain: SCD (Supply Chain Defense) is an end-to-end, third-party cyber risk management solution — with ROC analyst-backed expertise incorporated throughout.

  • External Risk Assessment: Maintain a comprehensive understanding of your external attack surface with automated digital footprinting; help ensure accuracy with the ROC’s analyst-led critical findings curation.

  • Supplier Questionnaire: Confirm that your suppliers’ cybersecurity posture is consistent with their responses to standard compliance or company-specific questionnaires through continuous risk monitoring and ROC analyst-backed curation of their digital footprints.

  • Emerging Vulnerability Identification: Gain immediate awareness and understand where to focus cybersecurity resources when newly disclosed Zero Tolerance vulnerabilities in your supply chain are identified.

  • Cyber Risk Mitigation: Optimize supplier communication following high-risk alerts with ROC analysts providing direct collaboration and guidance for third parties to mitigate threats.

BlueVoyant Terrain: SCD can be leveraged to reduce risk and improve the security posture of organizations’ supply chains, and its coverage extends to private equity firms that want to maintain comprehensive awareness of their investments’ security posture as well. BlueVoyant offers a PE-specialized solution for our Cyber Risk Mitigation and External Risk Assessments.

Adam Bixler is BlueVoyant’s Global Head of Supply Chain Defense.