Libby Bevin

Recent cyberattacks on Colonial Pipeline, NEW Cooperative, Oldsmar, and other critical infrastructure companies have highlighted the harm of downstream liability for organizations, and the importance of its proper assessment.

Assigning responsibility for downstream liability is a challenge, especially given the lack of clear regulations that identify who is responsible for downstream liability among companies, distributors, suppliers, and customers.

For this reason, correctly identifying these factors and establishing clear legal liability over those third-party risks is a priority for companies of any size.

Downstream Liability Defined

When a security failure happens at your business, that can cause a cascade of potential damage for your suppliers and customers. The potential liability for these damages is downstream liability.

For example, a data breach at your company might result in the destruction of customer data, and those customers then lose money because they can’t put their data to good use. Who makes the customer whole for that harm? What if the breach happened because of a security failure at a third party you use? Should that vendor then pay the damages for your harmed customers? Those are the questions that downstream liability attempts to answer.

This concept also includes what is known as vicarious liability, focused on damages (bodily injury, property damage, or any other) caused by a third party when there is a supervisory relationship. This “duty of care” over your service providers’ information security leaves your company exposed to legal action if the providers suffer a cyberattack due to their poor practices; you should have supervised them more closely.

The risks of downstream liability are widespread in today’s digital age. To improve supply chain visibility, many companies have built connections between their computer systems. This enables a cyber attack to spread quickly, causing much more information destruction and operational disruptions across your supply chain.

Supplier Risk and Downstream Liability

The concept of vicarious liability plays a crucial role in managing supplier risks. When you share client data with your third-party partner, you have a supervisory responsibility for assuring that the partner follows various data protection laws. So determining the cybersecurity maturity level of your suppliers is a fundamental part of your risk management program.

Regulatory standards are not the only reason to be concerned about downstream liability. Operational and financial risks also arise from your third parties’ lack of cybersecurity policies. When a supplier falls victim to a cyberattack, that puts your IT infrastructure at risk of downstream attacks and becomes an attack vector for your company.

The Downstream Effect of Cyber Attacks

Just as third parties can be the attack vector for your company, you can be the entry point for your suppliers. This is the most immediate effect of cyber attacks on your environment. For example, the ransomware attack on Colonial Pipeline disrupted Colonial’s delivery of gas, which then disrupted gas stations’ ability to operate.

As a practical matter, this means the target’s resilience to an attack can influence the downstream impact on other community members. If those community members are not well prepared, the consequences will spread quickly.

How to Avoid Downstream Liability

Downstream liability is a risk that must be addressed when formulating an effective risk management plan. As such, some standard practices can help mitigate this kind of risk.

First, robust third-party risk management assures that your third parties comply with information security regulations similar to those of your company; that can minimize overall third-party risks. Communication with your third parties plays a crucial role in preventing downstream attacks to and from your company.

Maintaining a cyber security-aware culture within your company minimizes common cyber risks that generate downstream liability. Compliance with cybersecurity standards and regulations demonstrates a duty of care and reduces your overall risk landscape. Implementation of prevention and mitigation measures within your computer systems and across networks is essential.

In addition to traditional risk management techniques, your organization may consider insurance coverage. Some insurance companies offer downstream coverage, which is a liability policy specifically designed for the mitigation of downstream liability costs. As with most liability coverage, these policies are full of disclaimers, so do your research.

Mitigate the Risks of Downstream Liability with ZenGRC

Global disruptions can directly harm your procurement and sourcing capabilities, resulting in business continuity and financial risks. Cyber supply chain risk management is critical because the world is increasingly connected, and every company relies on outside enterprises for business continuity.

ZenGRC’s compliance, risk, and workflow management software is an intuitive, simple-to-use platform that not only maintains track of your process but also allows you to identify areas of high risk before they become an issue.

Using ZenGRC to manage your third-party partners reduces the efforts associated with a robust vendor risk management program. Its continuous monitoring tools keep you on top of your third-party compliance management. It will even send out vendor compliance questionnaires and keep track of the responses as they come in.

ZenGRC enables you to manage your cyber supply chain risk and compliance in a worry-free manner. Automated workflows reduce manual intervention and improve audit trails. Our system handles a lot of the work for you, so you don’t have to be on high alert 24 hours a day, seven days a week.

Schedule a demo today and see how ZenGRC can streamline your vendor risk assessments and regulatory compliance processes.

A supply chain is a broad ecosystem of activities, business processes, people, resources, and information that lead to the completion of a company’s product or service. The strength of a company’s supply chain of vendors and distributors allows that company to bring its offerings to customers and to achieve a competitive advantage.

Conversations about supply chain compliance, resilience, and creating a sustainable supply chain are a rising priority today. These issues encourage organizations to move away from traditional supply chains in favor of digital supply chains instead.

A digital supply chain results from applying advanced electronic and digital technologies to the traditional supply chain management paradigm. These technologies include:

• Cloud computing
• Software as a service (SaaS)
• Big data
• Artificial intelligence
• Machine learning
• Natural language processing (NLP)
• Virtual reality and augmented reality
• Blockchain
• Internet of things (IoT)

Digitalization with new technologies and digital initiatives can optimize traditional supply chains, improve control, and build greater resiliency and preparedness for future disruptions.

In a 2019 IBM study, 84 percent of chief supply chain officers said that poor visibility across the supply chain was the biggest challenge for their organization, leading to inefficiencies and waste. Digitalization helps address this problem by establishing improved visibility, transparency, and accountability along the entire supply chain.

In addition, digital transformation garners benefits in automation, speed, collaboration, cost reduction, and connectivity. It also eliminates inefficient business silos, improves business decision-making, and unlocks value for all stakeholders involved in the supply chain.

5 Benefits of a Digital Supply Chain Strategy

The digital revolution (sometimes called the “third industrial revolution”) has transformed modern human society. Supply chain digitization is a part of this era, redefining how global supply chains operate and deliver value.

Electronic technologies, connectivity, data, and advanced analytics are at the heart of digital supply chain management. Together, these elements deliver the following benefits, especially when embraced by every partner along the value chain:

1. Improved Visibility Into Supply Chain Performance

   Compared to traditional supply chains, a digital supply chain provides significantly more visibility into its elements and moving parts. Organizations can get real-time visibility into supplier performance, allowing them to identify gaps that may cause disruptions and then address them.

   Digital supply chains are also more customer-centric, so companies can better understand customer needs and take actions to improve customer experiences.

2. Process Automation

   A digital supply chain eliminates the traditional paper-based, manual supply chain processes. It removes manual data entry and the need for stakeholders to request updates via phone calls or emails. All the required information is readily available to whomever needs it to improve their processes and collaborate with other entities.

   Digitalization also brings automation to business processes, which improves process efficiency and worker productivity, performance, and profitability. Digital tools like sensors allow real-time tracking of inventory across the entire supply chain. Ultimately, electronic connectivity enables organizations to optimize the supply chain and redefine new business strategies.

3. Reduce Costs and Accelerate Innovation

   A digital supply chain provides up-to-date, holistic information about performance, status, and requirements. This information helps to manage and optimize processes such as raw material flows, operational logistics, inventory levels, forecasting, and resource planning. These are direct benefits to improved cash flow and cost reductions.

   Improved information sharing and collaboration create opportunities to identify process bottlenecks, reduce time-to-market, accelerate innovation, and increase the return on innovation.

4. Data and Advanced Analytics

   The digital supply chain is enabled by many data-driven technologies, including big data, machine learning, IoT, and predictive analytics. Organizations can connect and relate data sources to improve inventory management and preventive maintenance. They can leverage data to identify inefficiencies, boost product quality, and enhance customer experiences.

   A digital supply chain can also provide advanced analytics that visualize data so users can more easily learn from mistakes, make predictions, and improve decision-making.

5. Improve Supply Chain Planning

   In traditional supply chains, spotting possible issues and predicting their likely effects can be laborious, time-consuming, and unreliable. In a digital supply chain, shared and up-to-date quality and control data enables companies to anticipate issues and respond quickly before the problem escalates.

   Moreover, digital supply chain management makes it easier to plan and manage all supply chain workflows, including:

   • Sourcing
   • Procurement
   • Conversion
   • Inventory management
   • Logistics management

   Through digital tools and technologies, companies can better coordinate and collaborate with various stakeholders, including third-party service providers, vendors, intermediaries, and customers, to improve the performance of the end-to-end value chain.

How Can I Digitize My Supply Chain?

Digitalization is the key to creating a connected, intelligent, and efficient supply chain ecosystem. Gartner predicts that 50 percent of large international organizations will use AI, advanced analytics, and IoT in supply chain operations by 2023. In addition, it is expected that collaborative robots will supplement more than 30 percent of warehouse workers.

The following best practices can help organizations to transition from a traditional supply chain to a more modern digital supply chain:

Step 1: Assess the Current Supply Chain

Digitalization should always start with assessing the existing supply chain. This assessment includes the strengths, weaknesses, opportunities, and threats to the supply chain. All current issues, risks, and possible complications must be identified and analyzed.

An assessment makes it easier to recognize future issues early, set up preventive frameworks and supply chain solutions, and mitigate potential harm. Use a framework to set actionable goals for specific problems, rather than attempting a Big Bang transformation that could cause confusion and minimize the chances of success.

Step 2: Define the Digital Strategy

Businesses and their supply chain partners must collaborate and communicate to define the goals of the digital supply chain. It’s essential to understand the expected benefits to assure that the new digital system will meet the needs of every stakeholder.

Moreover, the transition from the traditional supply chain to a modern, fully integrated digital supply chain can be a complex endeavor, so it’s vital to develop a clear strategy and implementation roadmap.

Step 3: Conduct Supplier Analysis

Assessing suppliers’ maturity and digital readiness is a critical step in setting up a digital supply chain. One good practice is to check their awareness of potential risks. Ensure that their questions or doubts about digitalization benefits and expectations are fully answered. If a supplier isn’t ready for digitalization, you won’t reap the expected benefits.

Step 4: Invest in Digital Capabilities

Once there’s clarity on digitalization goals, risks, expectations, and potential benefits, invest in relevant digital capabilities. The right capabilities are crucial to digitalization success, whether that’s software for digital logistics or supply chain management, radio frequency identification (RFID) tags or GPS for real-time inventory management, or automated robotics for packaging or payments processing.

Step 5: Get People on Board

A digital supply chain reduces the need for human intervention. While digitalization improves stability, accuracy, quality, and predictability, you still need human problem-solving and decision-making. Successful digitalization depends on a well-informed staff that has received sufficient training to assure that they can handle the new technologies effectively and optimally.

Step 6: Analyze Performance for Continuous Improvement

Once digitized systems and processes are implemented, the performance of the digitized supply chain must be regularly assessed. Productivity, efficiency, ROI, and other metrics like lead times, inventory turns, and perfect order rates must be captured, analyzed, and compared over time.

Such analysis can help assess if the new system is performing as expected and reveal opportunities for digital-led optimization and growth.

Improve Your Supply Chain Security with ZenGRC

Digital supply chains are the way of the future and will deliver considerable advantages in customer satisfaction, efficiency, resilience, and cost savings. The flip side of digitalization, however, is increased cybersecurity risk. You can reduce risks in your digital supply chain by improving your visibility into the risk landscape. And for this, ZenGRC is ideal.

With the ZenGRC integrated risk assessment platform, you can identify and track supply chain risks. It provides a single source of truth repository for storing all necessary vendor documentation. Best of all, ZenGRC tracks compliance with all your frameworks at once to avoid duplicating efforts.

Insightful reporting offers a comprehensive view of control environments and leverage customizable risk calculations to evaluate risks across connections and third parties. Automated alerts help you monitor risks in real-time and remediate them quickly.

Schedule a demo today to learn more about ZenGRC’s intuitive and easy-to-use platform.

Open-source intelligence (OSINT) is any information that can be accessed by the public. This accessibility is defined as anything that doesn’t require hacking or private credentials to read or collect the information. Google search results, broadcast news, online forums, and social media (sometimes called SOCMINT) are all examples of OSINT.

OSINT includes information from the “dark web” and other data sources that won’t show up in standard search engines. It also encompasses the “internet of things” (IoT) – information gathered by any device with internet connectivity. Public sources have always been used by both organizations and individuals, but the internet has made it easier to compile and analyze this wealth of data in a cohesive, productive way.

How Is Open Source Intelligence Used?

The applications of open-source intelligence are endless. OSINT covers such a wide range of information that it can be used in nearly every facet of your organization.

For example, open-source intelligence can be used to determine what your customer base expects from your industry and what you should deliver to them moving forward. You can also use “social listening” to understand your reputation among current and potential clients. OSINT can help to compile multiple narratives from a variety of sources, to create an in-depth picture of how an event may have occurred and what the effect of that event might be. This is particularly useful in studying cyber breaches or other security failures.

Penetration testing is another way that OSINT can be used to benefit your company. A company of any size will generate and collect a large amount of data that is readily visible to malicious parties.

Ethical hackers can use the information available about your company, plus knowledge of current hacking schemes, to give you an idea of what vulnerabilities might be found by a criminal investigating your company. This will help with your risk assessments as it will show you what areas of your cybersecurity program are at risk and need increased protection.

Always remember, however, that whatever information is available to you is also available to hackers and other malicious actors. For example, criminals can use information from your company website to identify targets for phishing or malware schemes. Information about your company can be manipulated by those who want to access your sensitive data and steal your information. Using OSINT to develop your security program can help you beat hackers at their own game.

What Are the Benefits of Open Source Intelligence?

One of the primary benefits of using OSINT is that it’s free. Gathering and analyzing open-source intelligence will cost you nothing, especially if you can do this work in-house. Implementing the information already at your disposal can save you money otherwise spent on contractors and independent research firms.

Another bonus is that your right to OSINT will never be in question. The information you’ve gathered is information you’re legally allowed to have. It’s also always available; you don’t need expensive technology or a paid subscription to acquire OSINT.

Finally, the information you’re gathering is the most current available. The internet is a powerful tool that can provide you not only with the history of your industry but also real-time information on where it may be headed in the future. This can be helpful in outlining your future goals for growth and ensuring that your company stays relevant for many years to come.

What Is an Open Source Intelligence Analyst?

Just because OSINT is readily available, that doesn’t mean it’s readily acquired or easily understood. The sheer volume of OSINT makes it difficult to refine everything down to information that’s helpful or usable specifically to you.

Given the breadth of OSINT, people scanning that information do need a certain amount of specialization to determine what is and is not useful. An open-source intelligence analyst is able to take the raw data available online and apply it to specific scenarios that will benefit your company. He or she will also be able to use analysis tools to organize the data into graphs and charts that will make it easy to communicate findings to board members and stakeholders.

What Are Some Open Source Intelligence Tools & Techniques?

A critical component to any OSINT research is to know what you’re looking for; searching without a plan or list of queries will be an overwhelming and ultimately unsuccessful process. Setting your goals upfront will help you narrow your search to the exact open source information you need.

Once you’ve decided what you’re looking for, you’ll need to devise a program for information gathering. There is no single correct way to research OSINT, but most techniques can be broken down into two categories: passive and active collection.

Passive collection is limited to easily available information, and is most frequently used when the researcher would like to retain anonymity. Active collection takes a more focused methodology, and usually requires interaction with the topic or target. Hackers and IT security professionals alike will use OSINT techniques that fall into these two groups.

There are a number of OSINT tools available that an analyst or your staff can use. One of the simplest are “google dorks,” specific search queries that help you narrow your search results to more exact specifications. Beyond basic searches, there are also platforms and websites that can highlight specific areas of interest and create a centralized source of information.

Your security teams in particular could possibly benefit from the use of Threat Intelligence Platforms (TIPs), online aggregates that collect updated information on security threats like malware and phishing schemes. Penetration testers may use sites like Shodan, which access different parts of the internet than a standard google search; or Maltego, which determines what seemingly unrelated pieces of information may have in common.

ZenGRC Is Your Secure Intelligence Solution

Open-source intelligence is an important tool that can help you protect your company from threats. It is, however, only one piece of a successful risk management program. To provide the best possible security for your organization, you’ll need a solution that tracks your risk throughout every department.

If you’re seeking help for your risk management efforts, ZenGRC can help. This innovative software can provide your company with a single source of truth – one central location where all of your risk is tracked, assigned, and controlled. Schedule a demo today to learn how ZenGRC can streamline your risk management and keep your sensitive information safe.

Since the dawn of COVID, we have become more conscious of washing our hands and other personal hygiene practices. What about cyber hygiene? What is it? Is it important? And if so, why?

Cyber hygiene refers to the set of practices and precautions that allow organizations to:

• Secure networks and resources
• Protect sensitive information from cybercriminals and hackers
• Maintain online security
• Assure that devices function as expected
• Protect systems and users from outside attacks

Poor cyber hygiene leaves your organization vulnerable to cyberattacks and cybercrime. It also increases the risks of data breaches, data loss, software vulnerabilities, malware installs, and compliance-related issues.

Common Cyber Hygiene Practices

Cyber hygiene is not a single process or a one-time activity. Rather, it is a set of practices to improve enterprise cybersecurity, such as:

• Using strong passwords
• Applying security patches to out-of-date software and apps
• Taking regular data backups
• Implementing appropriate privileges and permissions
• Using security tools such as firewalls, anti-virus, and anti-malware
• Maintaining an inventory of all network assets
• Vulnerability scanning and management

Why Is Cyber Hygiene Important?

Organizations with a more robust cybersecurity program follow good security practices. As a result, they are better protected from cyberattacks, data loss, and asset damage. In the expanding threat landscape, cyber hygiene practices provide numerous benefits.

Protect Assets

Good cyber hygiene helps companies to run their IT resources at peak security. They also make it easier to locate unmanaged assets, shadow IT, and rogue software. This way, security teams can identify vulnerabilities and address security gaps.

Prevent Cyber Attacks

In the first six months of 2021 alone, ransomware attacks cost the world $304.7 million. The average cost of a single data breach also increased from $3.86 million in 2020 to $4.24 million in 2021. Good cyber hygiene is vital to keep these risks (and their costs) at bay.

Specifically, hygiene practices can help your organization minimize and mitigate the risk of cyberattacks and scams like malware, phishing, ransomware, and distributed denial of service (DDoS) attacks.

Stronger Security Posture

In May 2021, the Biden Administration issued the Executive Order on Improving the Nation’s Cybersecurity. Here, President Biden urged the U.S. government and the private sector to secure their computer systems from malicious cyber actors.

Cyber hygiene best practices are crucial in improving an overall cybersecurity posture to defend assets from current and evolving cyber threats.

Protect Data

Cyber hygiene practices around password discipline and appropriate administrator privileges help protect data. Data breaches and data loss events can incur significant costs and severely damage an organization’s reputation.

Meet Compliance Requirements

Many compliance regulations require documentation of known risks and steps to mitigate or remediate those risks. Cyber hygiene habits make it easier to identify the organization’s security risks and to prioritize corrective actions. By tracking these activities, you can assure compliance with relevant laws and regulations.

What Is a Cyber Hygiene Policy?

A cyber hygiene policy is a documented set of practices and routines to protect the organization’s hardware, software, data, and other resources. The formal policy dictates what employees and third-party users should or should not do when connecting to your enterprise network and using its resources.

Such a policy minimizes the likelihood of cyberattacks and security breaches because it is an integral part of employee behaviors, routines, and ultimately, corporate culture.

Cyber Hygiene Policy Elements

A robust cyber hygiene policy includes various elements that work together to improve the organization’s cybersecurity posture.

User Access, Privileges, and Permissions

The policy states how admin users will be separated from other users with privileges and levels of access. Non-admin users should have limited capabilities to access enterprise assets.

Evaluate employee risk and implement the principle of least privilege (POLP) as a part of your policy. According to POLP, a user is given only the minimum levels of access or permissions required to perform his or her job functions.

Hardware and Software Updates

The policy should specify how older devices will be updated. It also establishes how software products will be patched or upgraded to eliminate security vulnerabilities.

New Installations

Processes for new installations of hardware, software, and applications should be documented to maintain an updated inventory of IT assets.

Password Management

Complex passwords and regular password changes can minimize the risk of compromise by hackers and cybercriminals. The policy should include requirements for users to change their passwords frequently, not share them with others, and not reuse them across multiple devices or accounts.

Data Backups

Data backups assure that you don’t lose critical or sensitive data in the event of a cyberattack. Details about how often backups are taken, where they are stored, (for example, on-premises or in the cloud), and who will do the backup should be covered in the policy.

Using a Cybersecurity Framework

Many organizations adopt a standard cybersecurity framework such as the NIST Cybersecurity Framework to guide their cybersecurity practices. A framework provides a comprehensive roadmap for security staff and admins to follow as they develop and deploy the policy.

Improving Cyber Hygiene through Assessments

A series of assessments can help you maintain solid cyber hygiene.

1. Regularly review and update the cyber hygiene policy, and communicate it to all users.
2. Assess the enterprise network, and perform regular maintenance on it, particularly on:
   • Files and folders
   • Devices
   • Online and offline programs
   • Security software
   • Virtual machines
   • Databases
3. Audit your cyber hygiene practices using a performance monitoring solution that scans the IT environment to identify existing assets and discover exploitable vulnerabilities.

Ongoing cyber hygiene assessments help you better manage and protect the IT environment. It provides more clarity on the current security exposure and shows whether it’s getting better or worse.

Cyber Hygiene Best Practices

Your organization’s cyber hygiene can improve or degrade over time, depending on whether users are aware of cyber risks and taking action to protect the organization from these risks.

These best practices will assure that users diligently follow your prescribed cyber hygiene practices.

Create an Asset Inventory

Document all the hardware, software, and web applications used in the organization. Continuously maintain this inventory to help your IT department keep track of each asset (including new installs), identify vulnerabilities, and quickly resolve security gaps.

Look for Old or Unused Assets

Regularly inspect the asset inventory to find unused, outdated, or vulnerable software and hardware. Uninstall unused assets, upgrade or patch outdated assets, and update the operating systems on all devices, including desktops, laptops, and mobile devices.

Install Security Tools

An up-to-date firewall, as well as anti-malware, anti-spam, and anti-virus software, should be a part of your cyber hygiene ecosystem. Assure your security staff runs regular virus and malware scans, properly configures all firewalls and routers, and implements network segmentation wherever possible.

Implement Password Management

Proper password management is essential for solid cyber hygiene. Implement practices around password length, strength, changes, sharing, and reusing. If possible, use two-factor authentication or multi-factor authentication to increase system and account security.

Use Data-Wiping Software

To delete files permanently, use data-wiping software. Make it mandatory for users to clear out unused data and wipe the information from their hard drives. Implement controls to protect and recover data that is accidentally or maliciously lost or deleted.

Find Outdated Administrator Privileges

High-level administrative controls pose a significant security risk. Regularly audit who has administrative privileges and how often they use them. Immediately update or revoke all outdated privileges.

Educate Users on Good Cyber Hygiene Practices

Employees and third-party users are often the weakest links in your cyber security posture, so it’s crucial to involve them in the effort to improve cyber hygiene. Train them on good hygiene practices around:

• Password management
• Access control
• Bring your own device (BYOD) policies
• Dangers of using open WiFi networks
• Benefits of using VPN
• Identifying phishing emails and social engineering attempts
• Actions to take in case of a suspected ransomware attack

Show them why cyber hygiene is essential and the possible consequences of poor cyber hygiene. Finally, make these practices part of their daily routine and the organization’s cyber-aware culture.

Some other cybersecurity hygiene tips include:

• Assure secure authentication and access, especially for remote users
• Maintain detailed action logs
• Implement strong endpoint protections
• Regularly back up data
• Establish an incident response plan

Include ZenGRC in Your Cyber Hygiene Policy

Your cyber hygiene policy is an integral piece of a comprehensive risk management program.

ZenGRC is a single source of truth for governance, risk management, and compliance. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

ZenGRC reveals information security risks across your business, so you can address critical tasks, identify and respond to incidents, and avoid or minimize loss events. Schedule a demo to see how ZenGRC can help your organization manage cyber hygiene.

LEARN HOW TO USE YOUR COMPLIANCE PROGRAM AS A JUMPING OFF POINT FOR RISK MANAGEMENT

Through regulations and countless best practices, industry has been pushing organizations to take a more proactive approach to compliance and risk, which means making thoughtful, strategic decisions on where to prioritize investments.

Are your security and compliance initiatives helping you bridge compliance and risk?

Check out this in-depth presentation on how effective compliance is a catalyst for developing a proactive IT security risk management program.

You will learn:

• How you can mitigate associated risks by mapping industry or company security requirements to actionable controls
• To get a more comprehensive visibility into your compliance and risk posture that is easy to consume and share
• 5 steps to simplifying the journey to security by integrating compliance and risk management

Duration: 60 minutes