
teissTalk: Bolstering your defences against supply chain cyber-risk

On 20 February 2025, teissTalk host Jonathan Craven was joined by Mike Johnson, Global Cyber Threat & Incident Response Manager, Verifone; Jean Carlos, Group Head of Cyber Architecture & Engineering, TP ICAP; and Richard Marcus, CISO, AuditBoard.


Views on news


Israel’s electronic pager attacks underscored the dangers of relying on third-party hardware and software with roots in foreign countries of concern. Also, a US House Select Committee investigation revealed that 80% of the ship-to-shore cranes at American ports are manufactured by a single Chinese government-owned company. Now is a vital time to move beyond self-reported security assessments and vendor questionnaires and migrate toward more comprehensive validation processes that prioritise regulatory compliance, response readiness, and secure-by-design. A survey by AuditBoard has also shown that 54% of respondents had at least one IT incident that was directly caused by a breach in their downstream suppliers. Incidents with minor suppliers can be an eye-opener and spur businesses to put more security controls in place to avoid bigger ones.


Where you set the boundaries of your threat surface


Big companies often have their own third-party security teams. With technological transformation, SaaS models and data proliferation outside the organisation, inventorying the threat surface and prioritising within it have become the most challenging parts of third-party cyber risk. Classifying suppliers can be a huge problem too, as suppliers and their roles keep changing. This is where technology-enabled threat assessment and threat modelling come into play. Although you don’t expect your large suppliers to be breached, they can also fall victim to cyber-attacks. That’s why prioritising and categorising risks are key.


Oftentimes, companies require security certifications from their suppliers, but these can be a double-edged sword, because you don’t know exactly what the certification’s scope is and you have to take the supplier’s word for it.


Although certifications are important, the first questions you need to consider about a supplier are what they are connecting to in your company’s systems and whether they have full access or only access to the network. Then you can ask further questions, for example whether they perform pen tests. But beyond just asking for the documentation of a pen test, it’s also key to ask about its scope and whether the vulnerabilities found have been mitigated. You will be able to identify problems only if you read and review the documents your suppliers submit, so that you know which issues you should work on with them before onboarding.


As organisations become harder to attack directly, criminals are increasingly looking for side doors within the supply chain, via social engineering or through insider threats. As it becomes ever easier to buy new software, new vulnerabilities will keep being created.


There is an arms race between security experts and criminals to leverage AI for their own ends. In cyber defence, AI can play a central role in assessing a company’s threat surface. Third parties using unsanctioned software is also a major risk, and one that is extremely difficult to police, not least because in medium-to-large organisations IT asset management is completely separated from the security team. On cloud platforms, for example, someone who gets control of your vulnerability monitoring service (VMS) learns about your weaknesses. Small suppliers with vulnerabilities that you have discovered will be keen to resolve them in order to become your partner.


The panel’s advice

  • Identify what the top risks are to your organisation, regardless of the supplier’s brand name or the amount you spend with them, and pick key controls that are applicable to those risks.
  • Rather than having a 300-question survey, pick the top 3-5 security controls that are important for you and continuously monitor the effectiveness of those.
  • Your security policy must be explicit about which AI tools and SaaS applications are not allowed.
  • A major question to ask about new tools and platforms is whether the value they bring outweighs the risk they come with.
  • Onboarding suppliers is not about blocking them but about managing the risks they present.
  • Don’t apply the same risk assessment to all your vendors.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543