You’ve probably encountered them. Self-reported ‘supplier security assessments’ – documents where fact and fiction can easily overlap if the requisite information cannot be readily validated.
In reality, while skepticism of supplier questionnaires may be warranted, they do offer an indication of an organisation’s level of cyber maturity and are a necessary process. Rigorous verification of compliance with ISO 27001 and GDPR is equally advisable due diligence that JUMPSEC encourage all organisations to undertake. However, a questionnaire records what a supplier says about its controls, not what is actually exposed to an attacker; without the ability to demonstrate and validate real-world risk exposure, organisations can only achieve a superficial level of assessment.
JUMPSEC therefore do not advocate removing existing processes. Rather, we recognise the vital need for evidence-based assessment methodologies to expand in scope, and our approach has evolved accordingly.
Recent breaches such as SolarWinds, 3CX and MOVEit have again illustrated the sheer impact that can occur when a single widely used platform is compromised and a supply chain attack propagates outward from the source victim. It is clear that existing risk assessment strategies need to be bolstered and improved wherever possible.
Our Methodology: OSINT-backed Assessment
JUMPSEC have developed a unique methodology to independently identify and validate high-risk suppliers across various service lines and sectors. We have assessed hundreds of critical suppliers thus far, enabling our clients to proactively manage their attack surface while reducing their risk of supply chain attack.
Our approach encompasses the following phases:
- Phase 1 – Initial Identification. A collaborative workshop with the client first identifies the high-risk suppliers to be assessed.
- Phase 2 – Discovery and Analysis.
- Phase 2a – Information Gathering. JUMPSEC then conducts a landscape review using open-source intelligence (OSINT). This ‘passive’ reconnaissance draws only on publicly available data about the target environment (e.g. publicly accessible infrastructure, IP addresses, domains and exposed services) and sends no traffic to the supplier’s systems, maintaining a respectful and non-intrusive stance.
- Phase 2b – Active Scanning and Validation (optional). Clients may choose to request explicit permission from suppliers for JUMPSEC to actively scan their networks. Active probing of target systems for exploitable vulnerabilities, misconfigurations or weaknesses yields more detailed, validated findings than passive collection alone, and shows where such issues, in combination, could present a significant opportunity for malicious actors.
- Phase 3 – Supplier Analysis and Reporting. JUMPSEC ultimately provides a prioritised list of high-risk suppliers, with evidence for each vulnerability or instance of security mismanagement and the rationale for the assigned severity level. This includes a debrief on next steps: notifying the supplier, supporting them, and recommended mitigations for any critical supplier-related risks.
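The passive collection in Phase 2a and the prioritised output of Phase 3 can be illustrated in code. The following is an added example written for this page, not JUMPSEC’s own tooling: it correlates three read-only public sources that a practitioner would normally query (Certificate Transparency logs in crt.sh-style JSON, passive DNS records, and an internet-wide port-scan dataset), derives findings per supplier, and ranks suppliers by a score weighted by the criticality assigned in the Phase 1 workshop. All supplier names, domains, addresses, certificate dates and scan results below are constructed for illustration, and the severity weights and hostname heuristics are assumptions, not a published scoring scheme.

```python
"""Passive (OSINT-only) supplier footprint assessment built from public data.
Inputs are constructed examples in the shape of crt.sh JSON, passive DNS and an
internet-wide scan dataset; no traffic is sent to any supplier system."""
from datetime import datetime

# Assumed weights: services that should not be internet-reachable on a supplier estate.
RISKY_PORTS = {23: ("telnet", 5), 445: ("smb", 5), 3389: ("rdp", 4),
               5900: ("vnc", 4), 21: ("ftp", 3), 9200: ("elasticsearch", 4)}
# Heuristic: hostname labels that usually front management or non-production systems.
SENSITIVE_LABELS = ("vpn", "admin", "dev", "staging", "test", "jenkins", "citrix")


def hostnames_from_ct(entries, domain):
    """Flatten crt.sh-style entries into concrete hostnames under `domain`.
    crt.sh joins SAN names with newlines; wildcard names prove a zone, not a host,
    so they are skipped."""
    names = set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*"):
                continue
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def expired_certs(entries, domain, today):
    """Hostnames whose most recent CT-logged certificate has already expired:
    a weak signal of a decommissioned or unmanaged asset."""
    latest = {}
    for entry in entries:
        not_after = datetime.strptime(entry["not_after"], "%Y-%m-%dT%H:%M:%S")
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*") or not name.endswith(domain):
                continue
            if name not in latest or not_after > latest[name]:
                latest[name] = not_after
    return sorted(n for n, d in latest.items() if d < today)


def assess_supplier(supplier, ct_entries, passive_dns, scan_data, today):
    """Correlate the passive sources for one supplier: returns its host inventory,
    a list of (severity, description) findings and a prioritisation score."""
    domain = supplier["domain"]
    hosts = hostnames_from_ct(ct_entries, domain) | set(passive_dns)
    findings, score = [], 0
    for host in sorted(hosts):
        label = host.split(".")[0]
        if any(label.startswith(s) for s in SENSITIVE_LABELS):
            findings.append(("medium", f"{host}: management/non-production host visible in CT/DNS"))
            score += 2
        for ip in passive_dns.get(host, []):
            for port in scan_data.get(ip, []):
                if port in RISKY_PORTS:
                    svc, weight = RISKY_PORTS[port]
                    sev = "critical" if weight >= 5 else "high"
                    findings.append((sev, f"{host} ({ip}): {svc} on tcp/{port} reachable from the internet"))
                    score += weight
    for host in expired_certs(ct_entries, domain, today):
        findings.append(("low", f"{host}: latest CT-logged certificate expired, possible unmanaged asset"))
        score += 1
    # Weight by how critical the supplier is to the client (assigned in the Phase 1 workshop).
    score *= supplier["criticality"]
    return {"supplier": supplier["name"], "score": score, "hosts": sorted(hosts), "findings": findings}


def prioritise(assessments):
    """Phase 3 ordering: highest weighted exposure first."""
    return sorted(assessments, key=lambda a: a["score"], reverse=True)


# Constructed sample data (reserved example domains and documentation IP ranges).
TODAY = datetime(2024, 6, 1)
SUPPLIERS = [{"name": "Acme Payroll", "domain": "acme-payroll.example", "criticality": 3},
             {"name": "Widget Hosting", "domain": "widget-hosting.example", "criticality": 1}]
CT_LOGS = {
    "acme-payroll.example": [
        {"name_value": "www.acme-payroll.example\nacme-payroll.example", "not_after": "2025-01-10T00:00:00"},
        {"name_value": "vpn.acme-payroll.example", "not_after": "2024-09-01T00:00:00"},
        {"name_value": "*.acme-payroll.example", "not_after": "2024-11-30T00:00:00"},
        {"name_value": "staging-portal.acme-payroll.example", "not_after": "2023-02-01T00:00:00"},
    ],
    "widget-hosting.example": [
        {"name_value": "www.widget-hosting.example", "not_after": "2025-03-01T00:00:00"},
    ],
}
PASSIVE_DNS = {
    "acme-payroll.example": {"www.acme-payroll.example": ["203.0.113.10"],
                             "vpn.acme-payroll.example": ["203.0.113.20"]},
    "widget-hosting.example": {"www.widget-hosting.example": ["198.51.100.5"]},
}
SCAN_DATA = {"203.0.113.10": [443], "203.0.113.20": [443, 3389], "198.51.100.5": [80, 443, 21]}


def run_assessment():
    return prioritise([assess_supplier(s, CT_LOGS[s["domain"]], PASSIVE_DNS[s["domain"]], SCAN_DATA, TODAY)
                       for s in SUPPLIERS])


if __name__ == "__main__":
    for a in run_assessment():
        print(f"{a['supplier']}: score {a['score']}")
        for sev, text in a["findings"]:
            print(f"  [{sev}] {text}")
```

Every finding carries the evidence (hostname, address, port or certificate date) and the rule that produced it, which is the rationale a supplier needs in order to act on the report. The scores are deliberately simple; in practice a passive finding such as an internet-reachable RDP service is a candidate for Phase 2b validation, since the scan dataset shows only that the port answered, not that the service is exploitable.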
JUMPSEC advocates an evidence-based approach and invites organisations to consider whether passive or active supply chain assessments could help them manage cyber risk more effectively by supporting and enhancing their existing processes.
Key assessment outcomes
OSINT backed supply chain security assessments facilitate the following outcomes for JUMPSEC clients:
- Real-world insight & meaningful collaboration. While they quantify the likelihood of risk exposure, OSINT-backed supply chain assessments are not about catching suppliers out. JUMPSEC regularly discovers, via open-source intelligence (OSINT), risks and vulnerabilities previously unknown to the suppliers themselves; these offer vital security insight and lay the foundation for future cooperation.
- Highly effective analysis delivered at scale. JUMPSEC’s methodology is human-led: automation handles collection and triage ahead of manual analysis, so assessments can be conducted rapidly across many suppliers.
- Elevating security expectations for suppliers. Suppliers who demonstrate a significant degree of exposure can be made aware of security blind-spots and adequately supported, or commended, where best practice is identified. Evidence-based assessments are particularly informative prior to contract negotiations and renegotiations where findings enable the strategic selection of suppliers.
- An increased level of security assurance. Detailed analysis of the publicly available supplier data that attackers are likely to leverage expands an organisation’s understanding of its entire attack surface, as key suppliers are incorporated into its overall risk exposure.
A future-ready assessment
Each organisation should carefully explore what works for their unique needs.
Naturally, a small business that does not rely heavily on digital platforms will not find an OSINT-backed assessment as beneficial as an organisation with a large cumulative attack surface and a clear dependence on a handful of critical supply chain partners. Either way, as scrutiny of supply chain risk increases and new assessment frameworks emerge, it is time for organisations to reassess whether their existing processes could be enhanced.
By 2025, an estimated 60% of organisations will use cyber security risk as a primary determinant in conducting third-party transactions and business engagements. Yet currently, only 23% of security and risk leaders monitor third parties in real time for cyber security exposure. (Gartner).
Seismic supply chain cyber-attacks are already shaping regulation and policy in certain industries (e.g. DORA, the EU’s Digital Operational Resilience Act, in financial services) and placing increased emphasis on the development of new threat-led and evidence-based methodologies. As clients prepare to meet the requirements of the most advanced cyber security frameworks emerging today, JUMPSEC are continually working to align our assessment approach where possible to ensure continued compliance.