A pragmatic approach.
A ‘ticket to trade’.
Requiring all suppliers to adhere to complex standards or frameworks, or complete onerous assessments, can be almost impossible, particularly for SME suppliers. But this doesn’t mean there shouldn’t be expectations.
These suppliers just need clear guidance on specific controls they need to have in place depending on how good you need them to be. Five levels of certification. Their ‘ticket to trade’.
Digital Trust Certification.
Third party cyber risk management (TPCRM) is a big job and rapidly becoming a critical one. We don’t believe that it needs to be an onerous one though. Our goal is to simplify the process of improving low maturity suppliers that constitute the majority of most supply chains.
Most SME’s don’t have ISO27001 certification and most never will. Our program leverages a multi-level certification framework developed specifically for SME’s and their operational capabilities. This coupled with a multi-level supplier categorisation risk matrix and you have the core components of a highly efficient digital trust certification solution for managing supply chain cyber risk.
The ‘iceberg’ effect.
Supplier cyber risk isn’t limited to an organisation’s top suppliers. The vast majority of an organisations suppliers are micro, small and medium sized businesses that typically go unaddressed in most TPCRM programs. Relationships with these long tail suppliers significantly increases cyber risk exposure as the buyer, or prime inherits their low cyber maturity.
Typically TPCRM programs concentrate on large and mature organisations like AWS, Microsoft, Cisco, Telstra that provide technology based strategic capabilities.
How it works.
CyberMetrix or a Certified Implementation Partner works with your procurement team to setup a supplier cyber risk agreement program if you don’t already have one in place. Then we follow a simple two step approach of categorising and then certifying your suppliers. A very low overhead solution that delivers improved engagement, security, and assurance across the depths of your supply chain.
Step 1 - Categorise.
CyberMetrix or a Certified Implementation Partner works with your procurement team to define what level of certification you require each supplier to attain using our supplier categorisation risk matrix.
The matrix covers five levels of strategic importance across the three risk categories of confidentiality, integrity, and availability (CIA).
Step 2 - Certify.
Once categorised, CyberMetrix works with your suppliers to prepare and qualify them for certification.
CyberMetrix uses Cyber Security Certification Australia’s (CSCAU) Cyber Security Certification for SME’s to certify your suppliers, to the level you have defined.
Banking & Finance.
Mining & Resources.
Telecom’s & Data.
Wholesale & Retail
Certified Implementation Partners.
CyberMetrix specialises in developing solutions that address problems of scale. Very few are more complex or demanding than supply chain or 3rd, 4th and even 5th party cyber risk management. That’s why partnerships with leading Australian procurement specialists SimPPLY are so important.
Certified Implementation Partners like SimPPLY implement CyberMetrix’s Third-party Cyber Risk Management Framework as part of their core offering to help secure their client’s from the risks of supply chain cyber attacks.
The ‘long tail’ of suppliers poses risk and costs, but also opportunity if actively managed. Resource and technology constraints prohibit efficient and effective management of the “long tail” especially when it comes to managing third-party cyber risk. That’s why SimPPLY has partnered with CyberMetrix, to turn supply chain cyber risk into business opportunity.
CyberMetrix’s Digital Trust Certification Program is a simple, scalable, cost effective third-party cyber risk management solution for the supplier and the buyer to cover-off cyber security risks. The supplier can accredit once and share with unlimited supply chain partners, and the buyer gets a fully managed service offering with low operational overhead and independent certification of their suppliers. Win-win!Harry Banga (MCIPS) Managing Director
Interested in becoming a
Certified Implementation Partner?
If your organisation specialises in supply chain or procurement management and you would like to implement CyberMetrix’s Third-party Cyber Risk Management Framework for your clients, please contact us.
Secure your supply chain.
CyberMetrix’s Digital Trust Certification Program is delivered as a managed service solution for organisations with supply chains from 20 to 20,000 SME suppliers.
CyberMetrix’s Digital Trust Certification Program is ideal for any organisation with a regulatory requirement to assess and manage third party cyber risk.
Call us on 1800 292 376 or send us a message and we’ll be in contact to see how we can help.
CyberMetrix’s Digital Trust Certification Program pricing starts at:$8,995+ gst
Third-party cyber risk:
Exploiting the weakest links
One of the greatest challenges large organisations and governments are facing is the need for higher levels of assurance and cyber resilience that extends beyond their own walls. As cyber threats grow deep within supply chains due to insecure, under-prepared partners, larger organisations are needing to move fast to contain this rapidly emerging third-party cyber risk.
Current third-party risk management approaches focus primarily on the assessment and management of a narrow subset of suppliers: Larger, more technically-driven suppliers are identified as high-risk threats, with little or no attention being given to the supply chain as a whole - the majority of which consists of insecure and under-prepared small-to-medium enterprises (SMEs).
As bad-actors and nation-states continue to search for fresh avenues of attack, SMEs have become the target of choice, providing an easy entry point for attacking larger organisations and governments from within the supply chain itself.
One of the most costly cyber attacks in history used an SME as it’s entry point. In 2013, U.S. retailer Target reported a massive network intrusion and theft of data, resulting in over US$260M in direct financial loss and a further US$25M in fines. The entry point? Fazio Mechanical, a small refrigeration services company, with less than 50 employees.
McKinsey & Company
Australian Government, Australian Signals Directorate
Forbes Media LLC