Category Archives: Risk Management

Interrupt that Risk Event with Interos and Sustain Stable Supply Chains

Supply Chain risks are on the rise, as are disruptive events, and an event anywhere in your supply chain, even four levels down, can bring your operations to a halt if you can’t detect it, respond quickly, and take active mitigations. To this end, as chronicled in Part X of our Source-to-Pay+ Series that discussed Supply Chain Risk, a number of vendors have cropped up in the last few years around Supply Chain risks, but not all players are equal.

One of the first of the new breed of integrated supplier and supply chain risk players, and one of the most differentiated, is Interos. Interos was founded in 2005 by Jennifer Bisceglie as a consultancy focussed on helping organizations map out, understand, and get a handle on supply chain risk. Jennifer realized near the end of last decade that, with supply chains becoming so long, so complex, and so interconnected across the digital, financial, and physical realms, technology would be needed to support organizations in this effort.

The core team knew that in order to do this, they’d need a completely new type of technology, so they sought out a new team to build one of the first outside-in business relationship graphs using trade data, third-party data sources and artifacts (such as ownership data, executive data, etc.), and even press releases. Then, on top of this relationship data, they’d need to layer risk data to help an organization identify risks in the supply chain. This would involve capturing risk events as well in order to help them understand which clients may need to be notified and/or use the Interos platform to gauge the extent that a risk event may impact them. So that’s what they built — at a global scale.

Interos has built a business relationship (knowledge) graph that connects 11 billion relationships across 410 million companies. These companies are then risk scored against 230+ attributes across six (6) different categories of risk: Finance, Geo-political, Restrictions/Sanctions, ESG, Cyber, and Catastrophic, depending on the extent of information available. At a minimum, they track country/industry level risks and will use that when there is insufficient data to assess the specific company risk against a specific attribute. Based on the assessment of each risk, Interos will compute an overall i-Score™ from 1 to 999, with lower scores being higher risk. It will then scan your entire network, from sink to source, and identify all high risk suppliers for you.

The Interos Resilience platform, which processes tens of thousands of sources and over 3 Terabytes of raw data daily, constantly monitors for new relationships, information, and (related) events that could pose a change in an entity’s risk status, as well as indicate the presence of a (potentially) catastrophic event, including a natural disaster or a cyber-attack. For each of the six risk domains, the platform scans for a number of factors, sub-factors, and individual attributes. We’ll cover the primary factors in this post, and if you have a particular area of interest, you can always drill in during a demo or discussion with Interos.

With respect to Finance, the platform looks for the following:

  • Liquidity: Cash, Working Capital
  • Solvency: Assets, Capital Efficiency, Credit Rating, Debt Coverage, & Leverage
  • Profitability, Debt Coverage, & Valuation

With respect to Geo-Political risk, the platform looks at the following:

  • Political Instability
  • State Capacity
  • Political Process
  • Economic Rights
  • Socio-Economic Development

With respect to Restrictions/Sanctions, the platform looks at the following:

  • Sanctions (USA, UK, EU, etc.)
  • Associated Sanctioned Individuals
  • Import/Export Embargos
  • Associated Regulations

With respect to ESG, the platform looks at the following:

  • Environmental Performance
  • Social Commitment
  • Governance Strategy

With respect to Cyber, the platform looks at the following:

  • System Attacks (compromised accounts, cyber-attacks, data spills, etc.)
  • System Vulnerabilities
  • Supply Chain Cyber Events
  • Cyber Compliance
  • Cyber Threat Activity

With respect to Catastrophic risk, the platform looks at the following:

  • Localized Natural Hazard and Disaster Risk
  • Communication Capacity
  • Healthcare Capacity
  • Infrastructure Capacity
  • Burden of Disease Risk

Based on all of this, the platform is very useful for companies that need to perform

  1. Supplier due diligence
  2. Continuous related party monitoring
  3. Real-time catastrophic event detection

Interos is one of the most complete supply chain risk intelligence platforms for supplier due diligence. The ability to quickly screen a supplier on six highly relevant domains can give an organization confidence that the organization understands the risk profile of a supplier before onboarding it, which is not something you can get from a traditional credit score or an empty search on sanction lists.

Interos is one of the few platforms that can be counted on for continuous related party monitoring as it processes over 3 TB (Terabytes) of data a day, constantly updates risk scores and related events for affected entities in the system, and can propagate updates through the business relationship graph in real time.

Interos is also one of the few platforms that can be used to do real-time catastrophic event detection where the event is not limited to a single event type, as the platform monitors for natural disasters, man-made disasters, bankruptcies, and cyber incidents — some of which Interos can detect before anything is reported due to a change in organizational behaviour — and it can immediately propagate news of events or risks to one of the 410M+ business entities it tracks to all impacted clients who can use their relationship explorer to identify all the links it has to the company.

For example, if there’s a fire in a raw material or component factory (which seems to happen in one of the few major RAM suppliers every decade — just do a few historical Google Searches if you don’t believe me) two (or three) tiers down the chain under your tier 1 supplier, you can immediately map out all of your tier 1 suppliers that trace down to that factory and make sure they have enough stock on hand to continue producing your products until you expect that factory to come back online (by either instructing them to immediately secure additional stock on your behalf or doing so for them) well before your competition realizes there’s going to be a disruption a week down the road when the plant is announced shut down and it finally trickles down to local news half a world away.

The platform monitors and tracks natural disasters globally down to a grid of 10 km squares, as well as potential paths of storms, waves, and fires, and can thus immediately identify each business entity that is likely to have been impacted as well as each business entity that is likely to be impacted if a natural disaster (such as a storm) continues its course. Thus, if a tsunami hits the coast of Japan, it can allow an organization’s incident response teams to immediately identify just those organizations in Japan in the area the wave hit and allow it to focus its efforts on just those suppliers, vs. having to reach out to and assess every supplier in Japan, of which it may have hundreds if it is in electronics when only ten were in the immediate area. The time savings alone are incalculable. (And, of course, if an earthquake hit a province in China, it would take an army of consultants months to figure out precisely which suppliers were close enough to the fault line to likely have suffered [significant] damage vs. those far enough away to only feel minor shaking, whereas the Interos platform will calculate all of this in just a few minutes.)

However, one of the most unique risk monitoring capabilities lies in its proprietary digital behavioural modelling that can often detect when an organization has experienced a potential cyber-attack, breach, or data theft and alert customers to that potential cyber-incursion days, or weeks, before the organization announces a breach and/or it makes the news. Using the business relationship graph, this immediately allows an organization to determine every first-tier supplier that relies on that organization. The organization then has to determine if any of those suppliers has access to the organization’s financial account information, personnel data, or confidential intellectual property. Those tier 1 suppliers that do need to be approached immediately and asked whether any of that data was shared with, or accessible by, the sub-tier supplier that was breached or otherwise affected. If so, the organization can immediately start taking mitigation actions before it is itself the target of a cyber attack.

The platform is very easy to use. When a user logs in, they see a summary of their full supply base and multiple sub-tier relationships (which for a multi-national with tens of thousands [10k+] of tier 1 suppliers can be hundreds of thousands of tier-3 suppliers). The user can see the number of suppliers by tier who are high risk, medium risk, low risk, and, possibly, unknown (as it’s a brand new supplier where there is little to no information on that supplier). Note that the number of “unknown” suppliers will typically be really small, and for most truly global companies with 500K global suppliers in their extended supply chain, the unknown will be significantly less than 5K (usually 0.5% or less).

(Note: If more than 1% of your extended supply chain falls into high risk, you have some serious problems. In a good supply chain, the vast majority of suppliers should be low risk (> 95%) with a small percentage medium risk, preferably no high risk, and preferably no unknown.)
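As an added example (not Interos code), the graph walk and the rule of thumb above, written out: a constructed multi-tier relationship graph, an event at a tier-3 plant, the tier-1 suppliers that depend on it, and the portfolio’s risk mix checked against the 1% / 95% thresholds. The i-Score band cut-offs in the code are an assumption; the post does not state Interos’ bands.

```python
"""Added example, not Interos code: walk a multi-tier supplier relationship
graph to find which tier-1 suppliers are exposed to a risk event at a
sub-tier entity, and check the portfolio's risk mix against the rule of
thumb quoted in the post (>1% high risk is a problem; a good chain is >95%
low risk with no high-risk and no unknown suppliers)."""
from collections import deque

# Constructed sample graph. Each key buys from the entities in its list,
# so "us" -> tier 1 -> tier 2 -> ... Names are fictitious.
RELATIONSHIPS = {
    "us": ["acme-boards", "bolt-co", "shipwell"],
    "acme-boards": ["chipfab", "resin-inc"],
    "bolt-co": ["steelworks"],
    "shipwell": [],
    "chipfab": ["wafer-plant-7"],
    "resin-inc": ["wafer-plant-7", "petrochem"],
    "steelworks": [],
    "wafer-plant-7": [],
    "petrochem": [],
}

# Constructed i-Scores on the post's 1-999 scale (lower = higher risk).
# None marks a brand-new supplier with no data. The band cut-offs below are
# an assumption for this example; the post does not state Interos' bands.
I_SCORES = {
    "acme-boards": 720, "bolt-co": 640, "shipwell": 810, "chipfab": 550,
    "resin-inc": 690, "steelworks": 700, "wafer-plant-7": 210, "petrochem": None,
}
HIGH_BELOW, MEDIUM_BELOW = 300, 600


def tiers(graph, root):
    """Map every reachable entity to its tier (1 = direct supplier of root)."""
    tier = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in tier:
                tier[nxt] = tier[node] + 1
                queue.append(nxt)
    return tier


def exposure_paths(graph, root, affected):
    """Every dependency path from root down to the affected entity."""
    paths = []

    def walk(node, path):
        if node == affected:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # trade data can contain cycles; do not loop
                walk(nxt, path + [nxt])

    walk(root, [root])
    return paths


def impacted_tier1(graph, root, affected):
    """The tier-1 suppliers to contact first: the second hop of each path."""
    return sorted({p[1] for p in exposure_paths(graph, root, affected) if len(p) > 1})


def band(score):
    if score is None:
        return "unknown"
    if score < HIGH_BELOW:
        return "high"
    if score < MEDIUM_BELOW:
        return "medium"
    return "low"


def risk_mix(scores, entities):
    """Share of entities in each band, as fractions of the whole."""
    counts = {"high": 0, "medium": 0, "low": 0, "unknown": 0}
    for e in entities:
        counts[band(scores.get(e))] += 1
    total = max(len(entities), 1)
    return {k: v / total for k, v in counts.items()}


def portfolio_flags(mix):
    """Apply the post's thresholds to a risk mix."""
    return {
        "serious_problem": mix["high"] > 0.01,
        "healthy": mix["low"] > 0.95 and mix["high"] == 0 and mix["unknown"] == 0,
    }


if __name__ == "__main__":
    t = tiers(RELATIONSHIPS, "us")
    for path in exposure_paths(RELATIONSHIPS, "us", "wafer-plant-7"):
        print(" -> ".join(path), "(event at tier", t["wafer-plant-7"], ")")
    print("contact first:", impacted_tier1(RELATIONSHIPS, "us", "wafer-plant-7"))
    mix = risk_mix(I_SCORES, [e for e in t if e != "us"])
    print(mix, portfolio_flags(mix))
```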

You also see a breakdown of risk by

  • each of the six (6) risk domains, which lets you see if there is a particular risk concentration,
  • average risk by groups of interest (which could be country, product line based, strategic suppliers, etc.),
  • a summary of natural hazards and disasters currently being tracked, both visually and textually (which shows the number of potential tier 1, 2, 3+ suppliers that are potentially impacted)
  • a visual summary of the most relevant current events being reported on (with links to full articles in third party sources), and
  • a quick link to the relationship explorer tool that will let you find all of your connections to an entity of interest

When you select a category of high-risk suppliers (overall or by category), it will bring up a list of companies with their individual i-Scores that you can select to bring up their complete risk scorecard (if you have unlocked their scorecard; depending on your subscription level, you have a set number of credits that let you unlock that many scorecards; you can buy more if you need them, but since most companies don’t need to evaluate more than a small percentage of tier 2+ suppliers, the packages are usually sufficient). The scorecard summary will summarize the score in each of the six areas, and will allow you to drill down into the factors, sub-factors, and individual attributes that are known and scored (and contribute to the overall score), which include those discussed above.

The scorecard will also summarize company corporate data (industry registrations and codes, locations, etc.), its tier 2 and tier 3 relationships and risks, which can be filtered to all known relationships (in your extended supply chain), as well as all events (and related sources) that have been detected that are relevant to that supplier entity. If a risk score is low (or suddenly drops), you will have access to all of the data that contributed to that score to make your own judgement (and jump-start your investigation).

The platform also has a geographic view of natural disasters that is interactive and allows a user to drill into a region, filter on natural disaster type (earthquake, tropical storm, volcanic eruption, etc.), and even project a few days into the future (if the disaster is a tropical storm, cyclone, tsunami, etc. and there is forecast data available from Interos’ 3rd-party, or public, sources). In addition, it can be used to look at historical natural disaster and weather event data, which goes back between 50 and 200 years, depending on how much historical data is available for the region, as well as the risk of each natural disaster type (wildfire, drought, earthquake, flood, etc.) in the region based on all of this historical data.

And the relationship explorer is likely the most useful part of the platform because, if a risk event is detected, such as a natural disaster or a cyber breach, you can instantly trace all of your active relationships to that company, and immediately start the process to determine if these tier 1 (and tier 2) suppliers will be impacted, and, if so, the degree to which you’ll be impacted. Not only will you know about an event days, or weeks, sooner than you would know without this platform (and by then it may have been too late to find an alternate source of supply or protect your data), but you can limit your discovery and mitigation efforts only to suppliers that might be affected, versus doing massive surveys and reach-outs (that can take days or weeks) to find out who might be impacted in the first place.

Interos is one of the most powerful, and complete, risk intelligence platforms out there and one that should definitely be on your shortlist if you’re looking to get 360-degree visibility into your supplier, and supply chain, risk.

The Supply Chain is Full of Hidden Risks

A recent article in the Supply Chain Management Review by Avetta provided Insights for Procurement Leaders on tackling hidden risks in the supply chain. As per the article, supply chains are full of:

  • Geographic Vulnerabilities
  • Cybersecurity Threats
  • Ethical and Compliance Issues
  • Financial Instability
  • Environmental Recklessness

… and all of this poses a major risk to your supply chain. Avetta’s baker’s dozen of recommendations are to:

  • conduct due diligence on all levels of suppliers
  • identify alternate sources
  • monitor geographical developments
  • prioritize cybersecurity measures
  • conduct regular risk assessments
  • foster a culture of cyber awareness
  • establish clear codes of conduct
  • regularly audit supply chain partners
  • prioritize transparency and accountability
  • conduct rigorous financial due diligence
  • monitor key financial indicators
  • prioritize sustainability initiatives
  • establish robust contingency plans

And these are all good, but most of the risk results from one thing:

  • lack of timely, accurate data on
    • the physical supply chain (people, plants, product, vehicles, etc.)
    • the financial supply chain (the financial state of suppliers, contractors, employees, etc.)
    • the information supply chain (completeness, accuracy, security, etc.)

This says that if you really want to tackle the hidden risks, you need to start with the following as you can’t tackle anything you can’t identify:

  • supply chain visibility — map every entity in your supply chain
  • external risk monitoring — whenever a geographical, political, environmental, or cyber disruption happens anywhere, and is reported, you need to detect that, identify all entities that may be affected, confirm which entities in your supply chain are affected, and take an appropriate mitigating action
  • cyber network monitoring — you need to monitor your entire network, every server, every client (desktop, laptop, tablet, AND cell phone), every router, every API end point, and every wire … your weakest link is your effective security
  • cross-system and account financial monitoring — money disappears when there are holes for it to fall into; holes exist when you have disconnected P-Card, e-Procurement, and AP systems, especially across divisions and you aren’t correlating balances between transfers, bank accounts, and investments on at least a daily basis
  • activity monitoring — all waste, loss, and fraud is the result of a bad actor, whether or not the bad acting was intentional (hint: if the loss is significant, it usually is intentional; incompetence often only results in minor loss); but you can’t monitor everyone, even if you wholly operate in a jurisdiction where doing so is legal; but, when everything is digitized, you can monitor every action, whether or not it is in accordance with policy, flag everything that isn’t, and escalate any actions that are against policy that should be investigated

As you detect issues and disruptions, you can start with standard mitigation actions, and as you identify patterns of commonality, you can identify additional contingency plans, which you should already have for every product or service that is critical to your operation.

Note that Sourcing Innovation has published a list of 55+ Supply Chain Risk Vendors that already have solutions that do a lot of this monitoring. There’s no excuse for your organization not to have at least an 80% solution in place today.

Need to Trade More Confidently? Maybe You Need Trademo to Monitor Your Supply Chain!

As you should be well aware by now (as we recently gave you a 10-part series on supply chain risk), supply chains are fraught with risks — that you need to manage, and that, in many cases you can only manage with visibility. In particular, multi-tier visibility down to the source raw material. You also need insight into key areas of regulatory compliance around H(T)S codes for trade (and ECCN for defense trade), sanctions and denied parties, and (known) forced/slave labour violations by any supplier in your multi-tier supply chain.

One application that can give you multi-tier visibility, detailed insight into key areas of compliance, supplier discovery, and even trade intelligence is Trademo. Centered around a global supply chain knowledge graph on over 5M buyer and supplier entities with over 100M relationships built upon public trade (import/export) data from over 140 countries, Trademo can provide unique multi-tier visibility and insight into your supply chain, and the supply chains of your competitors which can help you find potential suppliers who could also serve you and even identify other supplier locations that could be more relevant for you.

There are three main parts of the Trademo platform.

  1. Global Supply Chain Intelligence
  2. Supply Chain Visibility & Resilience
  3. Global Trade Compliance

We’ll discuss these in reverse order, as that is the typical order in which organizations generally seek out, implement, and use these solutions.

Trademo’s Global Trade Compliance module supports an organization with

  • HS Tariff Search, Validation and Classification across 140+ countries
  • ECCN Search
  • Sanctions Screening across over 640 global sanctions list
  • (Import/Export) Controls (and Embargo) Search
  • Product Master
  • Landed Cost Calculator

HS (Code) Search is by country, trade direction (import or export), and partial code or product keyword. (HS codes can be classified either by referring to the built-in tariff tree structure or by using the AI model to classify the HS codes.) It brings up all the matching codes based on the product keyword (or partial HS code), as well as the computed match relevance. You can then select the code of interest and see the associated tariffs and duties, controls, and any associated rulings.

ECCN search is similar to HS (Code) Search and is by country and ECCN/ML number or keyword, and brings up the relevant subcategories that you can dive into to get the relevant details.

Sanctions screening can be ad hoc, bulk, or advanced. Ad hoc allows a sourcing / supply chain professional to enter a person, company, or vessel name and screen against any set of sanction lists of interest (one, some, or all). Bulk allows the same, but against a list of uploaded persons, companies, and/or vessels. Advanced screening is similar to ad hoc, but allows the user to limit to countries, specific locations, and even set thresholds for partial match retrievals. The user can also set up blacklists, so that any attempt to associate a product in the master with a supplier that is blacklisted fails, any search on it returns its status, and any export includes the blacklist status. The user can also set up watchlists (for daily monitoring), and any time a new sanction, control, etc. is detected for the person, company, or vessel, an alert is created in the tool and sent to the user through e-mail.

Sanctions screenings run against rules that define collections of sanction lists that are relevant to the user and the types of screenings they usually do. For example, if the organization only sources from and/or ships to 20 countries, it may not care about any sanctions or embargoes against the remaining countries for which sanctions and embargoes are encoded in the system. In the Trademo system, rules are sorted into list groups (global sanctions, PEP, OFAC, health & human services, banking & investments, enforcement, and maritime) and then sub-groups by source (country, entity, etc.). The buyer can select what interests them, a threshold for matching, define a rule name, and then easy peasy search just those lists going forward.

When a sanction is found, extremely detailed information is returned and generally includes the entity name, the list, the country, the authority, all known entity (operating) aliases, effective date, expiry date (if a limited embargo, for example), company address / vessel berth and identifiers / person’s citizenship or address, etc. A user can also bring up the full citation and download everything as a PDF if they desire.
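The rule-based screening just described, as an added example that is not Trademo’s code: constructed, fictitious sanction entries grouped by list group and source list, a rule that selects groups, an optional country restriction and a partial-match threshold, and name normalization (case, punctuation, legal suffixes) before scoring each entry and its aliases.

```python
"""Added example, not Trademo code: rule-based sanctions screening with a
partial-match threshold over constructed, fictitious sanction lists."""
import re
from difflib import SequenceMatcher

# Constructed entries: list group -> source list -> entries. All fictitious.
SANCTION_LISTS = {
    "global sanctions": {
        "UN-CONSOLIDATED": [
            {"name": "Northern Star Shipping Co.", "type": "company", "country": "XX",
             "aliases": ["N. Star Shipping", "NorthStar Shipping"]},
        ],
    },
    "maritime": {
        "VESSEL-LIST": [
            {"name": "MV Aurora Bay", "type": "vessel", "country": "YY", "aliases": []},
        ],
    },
    "PEP": {
        "PEP-LIST": [
            {"name": "Juan Perez", "type": "person", "country": "ZZ", "aliases": ["J. Perez"]},
        ],
    },
}

# Legal-form tokens that should not drive a match ("Co." vs "Ltd" is noise).
LEGAL_SUFFIXES = {"co", "company", "corp", "corporation", "inc", "ltd",
                  "limited", "llc", "gmbh", "sa", "plc"}


def normalize(name):
    """Lower-case, strip punctuation, drop legal-form tokens."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def similarity(a, b):
    """0..1 partial-match score on the normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name, rule):
    """Screen one name under a rule:
    {"name": str, "groups": [list groups], "threshold": 0..1,
     "countries": [ISO codes] or absent}. Returns hits, best first."""
    hits = []
    wanted = rule.get("countries")
    for group in rule["groups"]:
        for list_name, entries in SANCTION_LISTS.get(group, {}).items():
            for entry in entries:
                if wanted and entry["country"] not in wanted:
                    continue
                candidates = [entry["name"]] + entry["aliases"]
                best = max(similarity(name, c) for c in candidates)
                if best >= rule["threshold"]:
                    hits.append({"group": group, "list": list_name,
                                 "entity": entry["name"], "type": entry["type"],
                                 "score": round(best, 3)})
    return sorted(hits, key=lambda h: -h["score"])


def bulk_screen(names, rule):
    """Bulk mode: the same rule applied to an uploaded list of names."""
    return {n: screen(n, rule) for n in names}


if __name__ == "__main__":
    # A rule covering only the groups this buyer cares about.
    rule = {"name": "core", "groups": ["global sanctions", "maritime"], "threshold": 0.85}
    for n, hits in bulk_screen(["Northstar Shipping Ltd", "Aurora Bay", "Juan Perez"], rule).items():
        print(n, "->", hits or "no match")
```

Note that "Aurora Bay" clears a 0.85 threshold against "MV Aurora Bay" but not a 0.9 one, which is the kind of tuning the post’s threshold setting exists for.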

Controls bring up, for an import country or ISO code and/or export country and ISO code and/or country of origin and ISO code and/or an HS code, all related controls and embargoes along with their type (such as import permit or export permit), the controlling authority, and the scope of the control. As with a sanction or HS code, the user can click into a control of interest and see the complete details and download the source (as a PDF) if they so desire.

The Product Master allows the organization to manage their product database down to a SKU level, along with all countries of import, export, and associated HS codes. This makes it easy for the platform to automatically monitor for relevant changes to HS/ECCN codes, duty rates, controls, embargoes, etc. and notify the user when these changes occur.

The Landed Cost Calculator is very useful for sourcing professionals as it allows them, for a lot, to enter some basic information and source unit and carrier costs and get a complete total landed cost based upon the HS / ECCN code and all import and export tariffs.

The user needs to simply enter:

  1. Country (of import, export, and origin), duties of interest (default, preferential, or both), and HS CODE
  2. Mode of transport, incoterm, currency, value (and, optionally, unit of measurement & total quantity)
  3. Freight, insurance, and any other known (sur)charges

The platform will then calculate the total landed cost, which will include all the duties and tariffs on the lot, the known merchandise processing fees, the known vessel fees, the known port fees, and other known fees, and give the user a total landed cost (where the user can see a 200K buy become a 250K or 300K or more buy and truly understand the cost of global sourcing). The user can also compare the landed cost across different sourcing markets.

Moving on to Trademo’s Supply Chain Visibility & Resilience solution, it is essentially a supply chain mapping solution that allows an organization to see all of their tier 1 to tier n suppliers (3 tiers by default, but more if they want) and filter into suppliers by tier, country, HS code, and associated trade lanes. They can create product groups by brand or region and just see the associated supply chains for those brands and regions as well. The default view shows them the supplier name, domicile country, HS codes supplied downstream, trade lanes used, tier 1 connection, and total shipment value. From this complete list, the user can select a subset of suppliers by country, HS code, and/or trade lane and see a graphical representation of their supply chain, augmented with trade value. It’s simple, but quickly informative and very useful for discovering just who is in your supply chain, as well as who is in a certain region / on a certain trade lane that was just impacted by a natural disaster or border shutdown that you need to react to.

Finally, there is the foundational Global Supply Chain Intelligence offering (Trademo Intel) that is based on their core supply chain knowledge graph and all of the public trade data it incorporates. The entry point to Trademo Intel is the shipment search screen, which allows the user to search across all bills of lading in all categories and retrieve all associated shipments, which can then be filtered by shipper details, consignee details, ports, cargo, and freight details, and see a summary, for the selected timeframe, of total shipments, total weight, and total value. They can then drill into (top) importers, exporters, and more detailed analytics. If the amount of data is overwhelming, they can limit to specific product categories, HS codes, shippers, or consignees before starting the search.

It’s a great tool for exploring your competitors’ supply chains, which, when limited to certain product (categories), allows you to discover potential suppliers you might not have known about otherwise. Furthermore, you can see the volumes they are capable of supplying globally and the trade lanes they are already navigating. While most risk solutions will give you credit, cyber, compliance, and/or sustainability risk, they don’t give you deep insights into products supplied, locations supplied from, lanes the supplier is using (which indicates which global regulations they comply with), and so on. When you click into an entity, you can see all of their trading partners, total shipments to/from each, HS codes supplied, and associated shipments. You can then drill into any and all shipments of interest and see complete details. The analytics are super helpful in identifying the top HS codes, HS sections, modes of transport, and routes used by the entity.

It also allows an organization to keep tabs on global trade from a certain region and whether it is increasing or decreasing, which could signal tidal shifts that could affect future cargo availability, rates, and risks if over-saturation or under-saturation of a trade region is predicted.

If you need global trade support around HS codes, sanctions or embargoes; supply chain visibility; and supplier discovery (and deep trade insight in this discovery), Trademo is a solution that should definitely be on your RFP short list. It’s easy to use, powerful, and already validated by a number of Global 3000 companies. Check it out and TRADE MOre confidently!

Source-to-Pay+ Part 10: Over 55 Supply Chain Risk Vendors to Check Out

Last quarter, we ran a 9-part series that served as An Introduction to Supply Chain Risk where we introduced you to the risk elements not covered by traditional supplier management platforms (which we covered in our 39 Steps … err … 30 Clues … err … 39 Part Series on Source to Pay where we listed over 90 supply management companies of which over 1/3 claimed to have some degree of “risk”, which we dub supplier “Uncertainty”, management).

In our series, we focussed heavily on corporate risk, third party risk (which included ESG, Human Rights, Regulatory Compliance), supply chain risk (including transparency, traceability, and multi-tier tracking), transport risk, cyber risk, and analytics. We also noted that our next instalment would provide a starting list of vendors that you could check out to meet (some of) your supply chain risk needs.

This is that instalment. Hopefully this starting list will be useful to you. In the months that come, the hope is that some of these will be covered

Legend

 3P 3rd Party / TPRM
S/V supplier risk / verification
SCT supply chain transparency
T/L transport / logistics
 MT multi-tier
  C cyber
ESG Environmental, Social, Governance
 HR Human Rights
 RC Regulatory Compliance
BoM Bill of Materials (Direct)
 DX Discovery
 TX Traceability
Vendor LI/#Emps  3P S/V SCT T/L  MT   C ESG  HR  RC BoM  DX  TX
&wider 20 Y Y
Agora Sourcing 2 Y Y
AMLRight Source 2795 Y Y
Apex Analytix 411 Y Y Y Y
Aravo 117 Y Y Y Y
Archer 681 Y Y Y
Altana Atlas 166 Y Y Y Y Y Y
Brooklyn Solutions 24 Y Y Y
Certa 200 Y Y Y Y
Circulor 63 Y Y Y Y Y
Contingent 28 Y Y Y Y
Darkbeam (Apex Analytix) 8 Y
Diligent 2245 Y Y Y
Exiger 765 Y Y Y Y Y
Everstream Analytics 165 Y Y Y Y
Fact 360 12 Y
FairSupply 40 Y Y
FRDM 28 Y Y Y
FusionRM 275 Y
GoSupply 33 Y Y
IntegrityNext 96 Y Y Y
Interos 254 Y Y Y Y
Kharon 102 Y Y Y Y
MetricStream 1373 Y Y Y Y Y
Navex 1343 Y
NQC 104 Y Y Y Y Y
Overhaul 312 Y Y
Prevalent 161 Y Y
Prewave 150 Y Y
ProcessUnity (w/CyberGRX) 143 Y Y Y
Raad360 3 Y Y
RapidRatings 166 Y
Resilinc 299 Y Y Y Y
Resolver (Kroll) 371 Y Y
Responsibly 17 Y Y
RiskLedger 34 Y Y
Riskonnect 801 Y Y
RiskRecon 116 Y
RoboAI 57 Y Y Y
SAI360 435 Y Y Y
Sayari 180 Y Y
Sedex 442 Y Y Y
Seerist 127 Y
SourceMap 91 Y Y
Sphera 125 Y Y
Supply Risk Solutions 10 Y
SupplyShift 59 Y Y
SupplyWisdom 116 Y
Sustainabill 15 Y Y
The Smart Cube 1033 Y
ThirdPartyTrust (Bitsight) 16 Y
TraceLink 947 Y Y Y Y Y
Trademo 97 Y Y Y Y
Transparency One 23 Y
Trust Your Supplier 15 Y Y
Versed.AI 17 Y Y
VisoTrust 47 Y
Whistic 81 Y
WholeChain 10 Y

Darkbeam: Shining a Light on your Supply Base Cyber Risk

In part 9 of our Source-to-Pay+ series, we talked about the need for cyber risk monitoring and prevention because, in today’s hyper-connected SaaS world, nearly half of an organization’s data breaches originate in the cloud. These risks don’t just come from cyber criminals. Some come from less-than-scrupulous employees and others come from suppliers, even well-meaning ones. After all, who cares if the front door is locked when the back door is wide open?

Why do you care about your supplier’s back door? What do cyber-criminals want?

  • money
  • valuable intellectual property
  • exploitable personal data

Where can they get this?

  • account hacking, which is hard, or payment redirection, which is a lot easier
  • your ultra-secure server which is locked down tighter than Fort Knox with everything on it encrypted in 256-bit AES encryption, or the relatively unprotected Google Drive your supplier stores it on (as the file will be open to anyone who can compromise the account)
  • your double-encrypted HR database stored in a secure AWS instance, or the plain-text Microsoft Word documents stored on the supplier’s sales rep laptop with its unencrypted hard drive and an utter lack of virus protection and internet security software

In other words, if your supplier has:

  • a lot of your money coming its way
  • your intellectual property
  • your executives’ personal data

and their cybersecurity is not as good as yours, you can be sure the cybercriminals are going to be going to, and through, them to get to you.

So you need to know which of your suppliers are at risk, so you can reach out to them and work with them to close the holes and eliminate the risks to them, and you. And for suppliers that you do significant business with (and regularly send million dollar payments), who hold your patented IP (for custom manufactured electronics, etc.), or store your employees’ and/or customers’ HR data, you need to not only assess their vulnerabilities but continuously monitor for threats.

You need a supplier vulnerability assessment and monitoring solution that can identify vulnerabilities, help you communicate those to your supplier, detect improvements, and, most importantly, identify new threats as they emerge that could cost you, or your supplier, significantly.

Darkbeam is one of these solutions. The Darkbeam solution offers both of these capabilities: continuous vulnerability monitoring across your entire supply base (at a very affordable price point that starts at a mere £25,000 a year, which is low-end for any cybersecurity solution), and continuous threat monitoring, and assessment, of critical suppliers in your supply base (which you can add for an incremental cost that can be as low as £10,000 a year for your ten most critical suppliers).

The vulnerability assessment solution monitors:

  • Connections: SSL certificates and associated validations (hosts, IP, TLS, etc.)
  • Privacy: e-mail and cloud servers and configurations and breaches (esp. email addresses)
  • HTTPS: web site configuration, cookies, and port security
  • DNS: DNS record completeness, security, and recent changes
  • Blacklist: domain and email blacklist monitoring
  • Exposure: shared host identification, domain permutation monitoring, favicon, exposed subdomain monitoring, etc.

Cyber-weakness in each of these areas is highly relevant because it could allow hackers and cyber-criminals to exploit your supplier, and you, in ways that include, but are not limited to, the following:

  • an expired SSL certificate could allow a cybercriminal to register a fake certificate that validates a fraudulent facsimile of the actual site
  • exposed email accounts could allow a cybercriminal to masquerade as a supplier representative and change banking details for payment
  • an insecure site configuration could provide a backdoor into your entire network
  • incomplete DNS records could be completed by a cybercriminal and redirect traffic to a fraudulent site
  • if a domain shows up on a blacklist it could prevent email/traffic to/from the domain; and if emails show up on a blacklist, it could indicate compromised emails and/or emails not being received by their intended recipients
  • if a supplier’s website is on a shared host that is used by a lot of other (insecure) sites, if a number of (one-character-off) permutations of the supplier’s domain have been registered, if its favicons are being replicated, etc., then that is a strong sign the supplier is being targeted by cyber criminals (who could be coming for you, or your customers, through them)

Based on their assessment, they will compute a cyber-risk score (out of 999): the lower the better, and the higher the more concerned you should be (and the sooner you should reach out to your [potential] supplier to have a conversation about what they are doing to increase their cybersecurity, especially if they have, or will have, your IP or personnel data).
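To make the six monitoring areas and the "lower is better" score concrete, here is an added example of a miniature supplier cyber-hygiene check. It is not Darkbeam’s code and says nothing about how Darkbeam actually weights its findings: the area weights, the `Observations` structure, the lookalike-domain generator and the sample supplier (`examplesupplier.com`, its certificate date, its TXT records, the "registered domains" feed) are all constructed for illustration so the script runs offline. It checks certificate expiry (Connections), SPF and DMARC posture (Privacy/DNS), blacklist membership (Blacklist) and whether any one-character-off permutation of the supplier’s domain has been registered (Exposure), then rolls the findings up into a score capped at 999.

```python
"""Added example: supplier cyber-hygiene findings rolled up into a 0-999 risk
score (lower is better). Weights and sample data are constructed, not Darkbeam's."""
from dataclasses import dataclass
from datetime import date

# Characters an attacker can swap for a visually similar one (constructed subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}

# Constructed weights per monitoring area; a real scorer would calibrate these.
WEIGHTS = {"Connections": 200, "Privacy": 250, "DNS": 150, "Blacklist": 300, "Exposure": 100}


@dataclass
class Observations:
    """What an outside-in scan could see for one supplier domain (hypothetical)."""
    domain: str
    cert_not_after: date        # notAfter of the certificate served on port 443
    apex_txt: list              # TXT records at the domain apex
    dmarc_txt: list             # TXT records at _dmarc.<domain>
    blacklisted: bool           # listed on a domain blacklist
    registered_domains: set     # domains seen in a (constructed) registration feed


def lookalike_domains(domain):
    """One-character-off permutations of the domain label for a watch list:
    omission, homoglyph substitution and adjacent transposition."""
    label, dot, suffix = domain.partition(".")
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                       # omission
        if ch in HOMOGLYPHS:                                           # substitution
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i + 1 < len(label):                                         # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants.discard(label)
    return {v + dot + suffix for v in variants if v}


def assess(obs, today):
    """Return a list of (area, description) findings for the supplier."""
    findings = []
    days_left = (obs.cert_not_after - today).days
    if days_left < 0:
        findings.append(("Connections", "TLS certificate expired %d days ago" % -days_left))
    elif days_left < 30:
        findings.append(("Connections", "TLS certificate expires in %d days" % days_left))

    spf = [r for r in obs.apex_txt if r.startswith("v=spf1")]
    if not spf:
        findings.append(("Privacy", "no SPF record: any host can send mail as this domain"))
    elif any("+all" in r for r in spf):
        findings.append(("Privacy", "SPF ends in +all, which authorizes every sender"))

    dmarc = [r for r in obs.dmarc_txt if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("DNS", "no DMARC record: spoofed mail is neither rejected nor reported"))
    elif any("p=none" in r.replace(" ", "") for r in dmarc):
        findings.append(("DNS", "DMARC policy is p=none: spoofed mail is reported but delivered"))

    if obs.blacklisted:
        findings.append(("Blacklist", "domain is listed on a blacklist"))

    for taken in sorted(lookalike_domains(obs.domain) & obs.registered_domains):
        findings.append(("Exposure", "lookalike domain registered: " + taken))
    return findings


def risk_score(findings):
    """Sum the area weights of the findings, capped at 999 (lower is better)."""
    return min(999, sum(WEIGHTS[area] for area, _ in findings))


# Constructed sample: an expired certificate, a permissive SPF record, no DMARC,
# and one homoglyph lookalike already registered by someone.
SAMPLE = Observations(
    domain="examplesupplier.com",
    cert_not_after=date(2023, 12, 1),
    apex_txt=["v=spf1 include:_spf.example.net +all"],
    dmarc_txt=[],
    blacklisted=False,
    registered_domains={"examplesupp1ier.com", "unrelated.org"},
)
TODAY = date(2024, 1, 15)

if __name__ == "__main__":
    found = assess(SAMPLE, TODAY)
    for area, text in found:
        print("%-12s %s" % (area, text))
    print("risk score:", risk_score(found))
```

Each finding maps back to one of the areas in the list above, and the rolled-up number gives you a single figure to sort a supply base by; the point of the walk-through is that most of these signals come from public DNS, TLS and registration data, so a supplier's posture can be assessed without its cooperation and re-checked continuously for changes.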

The threat monitoring and assessment solution is a service-based solution where the Darkbeam cyber-intelligence team continuously monitors the web and dark web for potential threats and investigates those threats when they are detected. If the threats are relevant, they send you a report on which you can take immediate action, which can include, but is not limited to, involving the proper authorities, whom they have experience working with in multiple countries.

They literally monitor dozens of legit security and threat-intelligence sites (where general cyber security firms release warnings of cloud or software insecurity along with known breaches) as well as dozens of dark-web sites where shady characters like to sell, or at least indicate the presence of, IT, Trade and Finance secrets they should not have. On many occasions, they have detected breaches and data theft even before the supplier’s IT team knew about it (and definitely well before you did, if you were ever told).

If an incident or threat is detected, the threat report you receive will outline the issue (e.g. data exposure / breach), the root cause (e.g. system breach, ransomware, etc.), when it was detected, how it was confirmed, and what is currently being done / monitored. It will then outline the perceived severity (e.g. medium due to potential IP leakage, high due to personal data likely being stolen) as well as any potential follow-on risks (e.g. personal logins that can compromise other systems). It will summarize the currently known information uncovered by the analysts and the current status (which could be ongoing). And it will provide current recommendations, such as reaching out to the supplier, changing logins and/or locking down your systems, reaching out to various agencies, etc.

All in all, Darkbeam is a great Supply Chain Cybersecurity solution and should be on your consideration list if you don’t have such a solution already. Cyber attacks are coming, and it’s best to be ahead of the issue than behind it.