Image credit: VideoBlocks
In my previous blog, The Domino Effect, we explored what SERM is, what the process entails, and briefly touched on why automation is preferred. In this instalment, we will expand on exactly why automation is a must and what organisations can do to significantly reduce the risks presented by 3rd party suppliers.
The NotPetya outbreak which dominated the news last year is a case study that underpins the benefits of SERM. Perhaps, if the clients of MeDoc had had an automated SERM process in place, they would have been able to adequately weigh up the risk MeDoc posed as their supplier. This could have resulted in the prevention, or at least mitigation, of the outbreak we saw spread throughout Ukraine back in June. Automated SERM would have highlighted the insecurities in the supply chain by automatically distributing surveys, allowing for real-time status of surveys, as well as sending automated reminders to those suppliers who have not completed the survey in a given timescale. An extremely efficient SERM solution would also have highlighted the insecurities of the hardware and software assets, missing patches for example. Upon survey completion, automated SERM allows for immediate report provision, which eliminates the gap between survey submission and risk visibility. Allowing the clients of MeDoc to weigh up the risk to them would give them the choice of whether to keep trusting MeDoc as their supplier.
For those conspiracy theorists out there who will say to me, “ah yes, but the NotPetya attack was not about Cyber”: firstly, I agree! There is indeed evidence that suggests NotPetya was more than just a Cyber-Attack. Secondly, and most importantly, what about Equifax? Or Uber? Almost all damages associated with breaches could have been prevented or at least severely mitigated if automated SERM had been in place. Highlighting the risks that 3rd party suppliers pose to the business, and ascertaining exactly what those risks mean, will ultimately allow decisions to be made which will prevent our domino from tumbling.
Not many readers among you will like the term automation. Subconsciously, do you gravitate toward a Skynet landscape where robots rule supreme? This frightful thought is reinforced by the rising levels of insecure IoT (look back to “Secure Coding – The foundation on which we must build our future empire”). If so, I’m glad I’m not the only one. That being said, automation in SERM is an absolute must-have. We must use automation to give us a real-time risk picture of our suppliers, highlighting our riskiest suppliers and therefore where to implement safeguards.
Now, impressive as it may seem, over the two instalments discussing SERM we have come a long way without a mention of the feared EU GDPR, but we would be neglectful not to discuss the requirements of SERM under EU GDPR. Article 4 defines the role of the data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…” In the context of a SERM project, your organisation would be considered the data controller. The suppliers you evaluate will fall under the role of data processor, who would be “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Between you and your supplier, right from the very beginning of your working relationship, there must be a clear understanding of what Personally Identifiable Information (PII) each party will be processing. This must include the metrics used to gauge how sensitive it is. Classification of sensitive data (e.g. gender, marital status, etc.) should be clearly defined so that when SERM is applied, we will have an accurate, clear picture of what risk it presents to the business should a supplier be breached.
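To make the two pieces above concrete (survey distribution with reminders after a set timescale, and PII classification feeding the risk picture), here is an added Python sketch of a minimal automated SERM tracker. It is not ZeroDayLab’s product code; the supplier names, control questions, weights and dates are all constructed for illustration.

```python
# Added example, not ZeroDayLab's code: a minimal automated SERM tracker with
# survey status, overdue reminders and a PII-weighted risk picture. Supplier
# names, control questions, weights and dates below are all constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

REMINDER_AFTER_DAYS = 14   # assumed survey timescale before a reminder fires
# A "no" (False) answer to a control question adds its weight in risk points.
CONTROL_WEIGHTS = {"patching_current": 30, "mfa_enforced": 20,
                   "encryption_at_rest": 20, "incident_plan": 10}
# Multiplier for the sensitivity of the PII the supplier processes for us.
PII_MULTIPLIER = {"none": 0.5, "basic": 1.0, "sensitive": 1.5}

@dataclass
class Supplier:
    name: str
    pii_class: str                  # key of PII_MULTIPLIER
    sent_on: date                   # when the survey was distributed
    answers: dict = field(default_factory=dict)   # empty until returned

    def status(self, today):
        if self.answers:
            return "complete"
        late = today - self.sent_on > timedelta(days=REMINDER_AFTER_DAYS)
        return "overdue" if late else "pending"
    def failed_controls(self):
        return [q for q in CONTROL_WEIGHTS if not self.answers.get(q, False)]
    def risk_score(self):
        """Points for failed controls, scaled by how sensitive the PII is."""
        points = sum(CONTROL_WEIGHTS[q] for q in self.failed_controls())
        return round(points * PII_MULTIPLIER[self.pii_class])

def reminders_due(suppliers, today):
    """Names of suppliers who have not returned the survey in time."""
    return [s.name for s in suppliers if s.status(today) == "overdue"]

def risk_picture(suppliers):
    """Completed surveys as (name, score, failed controls), riskiest first."""
    rows = [(s.name, s.risk_score(), s.failed_controls())
            for s in suppliers if s.answers]
    return sorted(rows, key=lambda r: r[1], reverse=True)

TODAY = date(2018, 3, 1)   # constructed "now"
SUPPLIERS = [
    Supplier("payroll-vendor", "sensitive", date(2018, 2, 1),
             {"patching_current": False, "mfa_enforced": True,
              "encryption_at_rest": True, "incident_plan": True}),
    Supplier("print-shop", "basic", date(2018, 2, 20)),      # still pending
    Supplier("accounting-tool", "none", date(2018, 1, 10)),  # overdue
]
```

Running `risk_picture(SUPPLIERS)` ranks the payroll vendor first because its one failed control (patching) is scaled up by the sensitive PII it handles, while `reminders_due(SUPPLIERS, TODAY)` lists only the supplier past the 14-day timescale.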
Over these two instalments relating to SERM, we have seen that the primary purpose of SERM is to survey your suppliers and gauge the level of risk (how big a domino) they pose to your business. Automated SERM surveys will enable your organisation to ascertain the level of protection your suppliers currently have in place and provide you with a clear risk picture of your supplier chain, built using real-time information. This will allow organisations to take immediate action on their suppliers. Automated SERM will highlight a supplier’s inefficiencies relating to Information Security, leading either to the enhancement of a working relationship by helping them improve their Information Security posture, or even to the possibility of ceasing an organisation’s relationship with a supplier, effectively removing them from the chain of dominoes. Remember, this is your domino to protect, to prevent from falling.
Without doubt, the only way to acquire an accurate, real-time risk picture of your supplier chain is through using automated SERM. ZeroDayLab would be pleased to demo our automated SERM process; please contact us for more information.
“What we know is a drop, what we don’t know is an ocean” – Isaac Newton