With fast-paced changes in technologies, evolving regulations, and changing growth expectations, many organisations are finding their risk environments time-consuming to manage and difficult to keep under control. Without a structured approach to managing these risks, even the most innovative organisations can face costly disruptions, security incidents, and compliance missteps.

According to Vanta’s latest State of Trust Report, nearly 72% of organisations find their overall risk at an all-time high, while 56% report a recent vendor breach, all highlighting the constant risk to operations, reputation, and the bottom line.

Risk management software offers an efficient way to stay on top of your organisation’s risk landscape and mitigate detected threats. In recent months at Cyberfort we have been reviewing the business use cases for risk management software from a number of providers and how the right risk management tooling can reduce the admin burden of routine risk management tasks, but that is only one part of the equation. We have discovered the Vanta suite offers a lot more than merely time savings when it comes to risk and compliance management.

In this article, I explore the value risk management software brings and provide guidance on choosing the solution that works best for your organisation.

So let’s get started!

What is risk management software?

Risk management software helps organisations streamline risk assessments, tracking, and mitigation with capabilities spanning:

  • Risk identification and prioritisation
  • Ongoing risk tracking and management
  • Reporting and compliance
  • Visualisation and decision-making support

Ideally, the software enables organisations to move beyond reactive point-in-time checks to a real-time overview of their risk landscape, allowing for faster response times.

Risk management software plays a key role in demonstrating compliance with popular frameworks and standards, including ISO 27001 and SOC 2, and streamlining audit preparation. Some tools can automatically consolidate real-time data to generate gap analyses, which can be useful to both internal and external auditors.

ROI potential of risk management software

Robust risk management software can also unlock significant savings in the long run. When fully integrated, these solutions scale with your organisation, reducing the need for investment in additional resources and tools as risks evolve.

While the software is valuable for all industries, its ROI may be higher for companies in heavily regulated sectors, such as government, finance, healthcare, and technology, where emerging risks and increased scrutiny make manual tracking impractical and costly. Ineffective risk management can also potentially lead to missed business opportunities in these sectors.

Similarly, many companies begin exploring these tools when scaling initiatives, such as international expansion or mergers and acquisitions, introduce new complexity and increase risk exposure. In these cases, manual processes become too time-consuming and error-prone, ultimately hurting ROI.

Benefits of risk management software

Integrating risk management software into your GRC program also brings various tangible benefits, including:

Enhanced vendor oversight: Gain visibility into third-party risks by linking security review findings to various risk scenarios

Improved efficiency: Automate core risk management processes and assessments, reducing manual workloads and freeing up team capacity 

Demonstrable transparency: Centralise all risk data into a unified risk register, giving stakeholders a clear overview of your organisation’s risk landscape

Informed decision making: Collect risk information from disparate systems, enabling data-driven decisions and optimised resource allocation for impactful mitigation efforts

Proactive risk management: With real-time monitoring and automated alerts, security and IT teams can identify and address risks proactively, strengthening resilience

Vanta’s Most Valuable Risk Management Features for CISOs and IT Leaders

For UK CISOs navigating a landscape shaped by UK GDPR, the ICO’s enforcement appetite, and the Cyber Essentials Plus scheme, Vanta’s platform offers several features that stand out as genuinely high value.

Continuous Controls Monitoring is arguably the most impactful. Rather than relying on point-in-time audits, Vanta gives organisations continuous monitoring, real-time alerts, and integrated risk management. For a CISO at a UK financial services firm subject to FCA oversight, this means risks are surfaced and evidenced in real time rather than discovered during an annual audit.

Vendor Risk Management (VRM) is increasingly critical given the supply chain incidents we have witnessed over the past 12 months across a wide range of industry sectors. Vanta’s VRM replaces static point-in-time assessments with continuous, AI-driven risk intelligence, monitoring for vendor changes and delivering real-time alerts with context, severity, and mitigation guidance.

Enterprise Risk Reporting Rollups address a key boardroom challenge all senior cyber security and IT leaders face. Multiple Risk Registers allow organisations to structure risk management around business units, with Enterprise Risk Rollups consolidating those into a unified, real-time dashboard for executive-level visibility, exactly what a CISO/IT Director presenting to a UK board needs.

Finally, Privacy Automation, covering ROPA (records of processing activities) management, data inventories, and DPIAs (data protection impact assessments), is particularly relevant under UK GDPR. Centralising these into the broader compliance environment provides a real-time, audit-ready view of how personal data is governed across the entire organisation.

Together, these features shift the cyber security and IT team from reactive firefighting to proactive, board-ready risk governance.

5 tips for choosing your risk management software

Based on my recent discussions with a number of customers across a range of sectors, here are my top 5 tips when it comes to selecting a risk management software platform and why I believe Vanta is the best choice on the market today.

1. Determine your organisation’s risk management priorities

Start by defining the categories of risk your organisation must manage, such as operational, compliance, and vendor risks, and how they shape your risk monitoring and mitigation needs.

For example:

  • If you handle sensitive data, you may need a solution that supports regulatory compliance and data protection
  • If rapid company growth and emerging threats have made manual processes inefficient, you must prioritise automation-enabled solutions
  • If you’re working with distributed or remote teams, you may want software that promotes workflow visibility

Consider scalability and long-term alignment from the start if you don’t want to worry about constant add-ons or software replacements down the line.

2. Evaluate technical usability and request demos

Your next step is to evaluate solutions that align with your priorities. Some risk management platforms are versatile and serve multiple industries, while others only support limited sectors, such as healthcare or government contracting.

Besides looking into risk management features, also consider these technical usability factors:

  • AI and automation maturity: Check whether the solution uses AI to reliably automate risk and compliance management workflows or predict risk trends
  • Deployment method: See if your team better aligns with cloud-based or on-premises solutions, as the latter demands deeper in-house technical expertise
  • Regular updates and proper patch governance: Determine if the software receives updates regularly and how visible the patch governance is

Request demos to help you validate these usability aspects and plan a structured adoption process.

3. Assess the software’s integration capabilities

The software’s integration capabilities play a crucial role in its effectiveness. A tool that can integrate easily into your existing system architecture will likely provide a more complete and up-to-date view of organisational risks by consolidating data from multiple sources.

Key systems and processes your risk management software should connect with include:

  • Cloud infrastructure
  • Identity providers
  • Human resources information systems (HRIS)
  • Version control
  • Vulnerability scanner
  • Ticketing tools
  • Mobile device management (MDM)

Weaker integrations aren’t necessarily a dealbreaker, but you’ll have to rely more on manual workarounds, which can impact overall efficiency and the speed of adoption.

4. Determine the cost-to-feature ratio

Implementing risk management software is a long-term investment, so it’s important to weigh the cost-to-feature ratio carefully and flag potential extra costs associated with sustained usage.

Before you choose a solution:

  • Identify must-have features based on existing needs to avoid paying for unused capabilities
  • When calculating the total cost of the software, include factors such as maintenance, setup complexity, training costs, as well as pricing tiers and bundling options

Paying a high upfront price for a capable risk management solution may be worth it in high-risk, heavily scrutinised landscapes, or if your organisation needs to aggressively build customer trust.

5. Assess monitoring and reporting capabilities

Real-time monitoring and alerting are non-negotiable features of any strong risk management software. While nearly all existing solutions offer some form of reporting, you’ll have to focus more on whether you’re getting enough data for decision-making support.

The right solution will provide options for customisation and variety, allowing you to tailor insights to different internal teams, leadership, and even external auditors. For instance, modern risk management tools like Vanta offer numerous risk visibility options, such as: 

  • Automated risk registers
  • Colour-coded risk matrices based on custom risk scores
  • Risk assessment reports with visual aids and mitigation prompts 
  • Risk snapshots that can record your posture at a particular point in time and serve as a historical report for auditors

Overall, a granular monitoring and reporting setup can help teams turn risk management into a strategic advantage, supporting decisions that are a clear win for security and growth.

Best practices for implementing your risk management software solution

Follow these best practices to make the adoption of risk management software smoother:

  • Prepare systems and processes: Configure your systems and processes ahead of time to make the implementation process smoother. Proactive preparation can help uncover gaps, such as unmapped data processes or conflicting access rights, which can cause friction during rollout.
  • Conduct stakeholder training: Train your stakeholders on the new software so they can use it independently. Address potential adoption errors via written or video tutorials.
  • Document the effectiveness of the tool: Track the long-term impact of your risk management solution using relevant metrics so you can demonstrate the effectiveness of the solution to leadership.
  • Review and update the risk management software: Regularly assess your software to see if it holds up against evolving risk management needs. Check if the tool provides alerts for missing patches or if you should get the IT team involved to configure updates.

Why Vanta is the best risk management software on the market today

As discussed earlier in the article, I have evaluated several risk management software tools in recent months alongside customers in different industry sectors. One thing is clear from both my own evaluation and the customers I have talked to: Vanta is the leading risk management and agentic trust platform, offering one of the most comprehensive and scalable feature sets, complete with built-in resources and automation-enabled workflows. Some of the key features the Vanta platform includes:

  • Automated risk assessments, reviews, and approval through 400+ integrations
  • Automated risk scoring and prioritisation
  • Risk ownership for better accountability tracking
  • A pre-built risk library with 100+ scenarios and suggested control mappings
  • Continuous risk monitoring for real-time alerts
  • Risk snapshots for better demonstrability during audits
  • A dynamic risk register and integrated control recommendations
  • A centralised dashboard for seamless accessibility

Cyberfort and Vanta can also work with you to enable third-party risk management workflows and conduct context-rich staff training.

What questions should you ask when evaluating software risk management tools?

The key questions to focus on, related to your organisation’s tech and risk profile, should include:

  • What types of data and systems does your solution support for risk monitoring?
  • What workflows are automated, and what will be the level of human intervention?
  • What kind of support is available during software adoption?
  • How does your risk management software help with compliance?

The EU AI Act, which came into force on the 1st August 2024, introduced the first comprehensive, harmonised regulatory framework for managing AI systems ethically and responsibly. Before the Act, the closest robust guideline in existence was ISO 42001, which has a similar overarching goal.

If your organisation has already implemented ISO 42001, you might have a head start in achieving EU AI Act compliance. In this article, we explain why this is the case by covering:

  • The purpose and scope of the EU AI Act and ISO 42001
  • The complementary and harmonious relationship between the two frameworks
  • Steps and strategies to approach compliance with both standards

EU AI Act and ISO 42001: Similarities and differences

The EU AI Act and ISO 42001 aim to ensure safe and responsible development, implementation, and use of AI systems. Still, they approach this goal differently.

The EU AI Act is a mandatory regulation that applies to all EU-based organisations and those that provide services in the EU. Meanwhile, ISO 42001 is an international, voluntary standard with recommended best practices for building a comprehensive AI management system (AIMS).

Another considerable difference is the certification type:

  • ISO 42001 is a certifiable standard, and an obtained certificate is valid for three years
  • The EU AI Act requires only self-attestation, with re-attestation needed only if significant changes are made to the AI system

Even though ISO 42001 is a certifiable standard, this certification is voluntary and organisations are not mandated to achieve it. By contrast, the EU AI Act carries considerable legal weight, so non-compliance can lead to substantial fines and penalties.

Despite these differences, the shared goal of the EU AI Act and ISO 42001 results in notable overlaps between these frameworks.

The relationship between the EU AI Act and ISO 42001

The EU AI Act and ISO 42001 have around 40%–50% overlap in high-level requirements. Both frameworks cover several important aspects of responsible AI system development and implementation, such as:

Data governance: Article 10 of the EU AI Act outlines various data governance requirements regarding data categorisation and bias detection. Similarly, ISO 42001 also focuses on bias detection and mitigation and calls for clearly defined roles in charge of AIMS oversight, which should encompass effective data governance.

Risk management: The main pillar of the EU AI Act is the classification of risks into four categories (unacceptable, high, limited, and minimal) and the different treatment of AI systems depending on their risk level. ISO 42001 offers a clear framework for effective risk assessment, which helps categorise different AI system risks and manage them accordingly.

Human oversight: As per Article 14 of the EU AI Act, AI systems should be developed to enable ongoing human oversight, with specific measures corresponding with the risk level. ISO 42001 aligns with this requirement, mainly by recommending the detailed documentation of AI processes for increased transparency and easier oversight.

Ethical implications: Both the EU AI Act and ISO 42001 emphasise the importance of ethical use of AI systems, which includes fairness in decision-making, bias mitigation, and other measures that prevent harmful effects of AI implementation.

High-risk AI systems: ISO 42001 provides practical guidelines for detecting and discontinuing AI systems that breach EU AI Act prohibitions, including untargeted facial recognition or biased decision-making algorithms.

These overlaps allow your team to reuse the existing controls you might have put into place while pursuing ISO 42001 certification to simplify compliance with the EU AI Act.

How to approach compliance with ISO 42001 and the EU AI Act

If you’ve already obtained an ISO 42001 certificate, the first step toward EU AI Act compliance is to cross-reference your existing controls with the Act’s requirements. You can then identify all compliance gaps that require remediation to ensure adherence to the Act.

If you haven’t achieved ISO 42001 compliance, you can choose whether to implement it first or focus on the EU AI Act directly. Since the Act is comprehensive and mandatory, prioritising it might be the more practical option.

This doesn’t mean you should skip ISO 42001 compliance altogether; becoming certified lets you build a robust AIMS that helps future-proof your AI-related operations. It can also give you a notable competitive advantage because it shows commitment to responsible AI use beyond the mandatory regulations. Keeping this in mind, combining ISO 42001 certification with EU AI Act compliance is the most comprehensive way to develop and implement AI responsibly. To help, we’ll go over the high-level processes of complying with both standards.

How to obtain an ISO 42001 certificate

To become ISO 42001-certified, organisations are advised to undertake the following steps:

Understand the principles and requirements: ISO 42001 has 10 clauses, six of which outline the specific requirements you must meet to get certified. It also includes four annexes with detailed prescriptive guidance you can use to implement the necessary controls.

Conduct a gap analysis: Analyse your current or prospective AI system to see how it aligns with ISO 42001 requirements. Some of the key aspects you’ll need to review include roles and responsibilities, data and resources used to build the system, and the impact of AI systems on stakeholders and your broader environment. Use the findings to develop a strategy for closing the gaps and achieving compliance.

Build your AIMS: Go through the ISO requirements to develop the policies, procedures, and practices that will be encompassed by your AIMS to ensure ongoing compliance with the prescribed standards.

Document your processes: Document the implementation of the relevant controls to ensure transparency and clear oversight of your AI processes.

Continuously monitor and improve: Continuously monitor and review your AIMS to identify opportunities for the improvement of its suitability, adequacy, and effectiveness.

How to achieve EU AI Act compliance

While the specific steps to achieving EU AI Act compliance depend on the current state of your AI systems, the general process consists of the following steps:

Assess the Act’s impact on your organisation: Use an EU AI Act Compliance Checker or specialist GRC partner to precisely determine how the Act affects your organisation.

Review and document your AI practices: Perform a comprehensive assessment of your current AI systems, documenting the related policies and practices to make the relevant information readily available to auditing bodies.

Perform a conformity assessment: If your AI system is classified as high-risk, conduct a conformity assessment to bridge any compliance gaps related to transparency, risk management, record-keeping, and other relevant requirements.

Submit your EU Declaration of Conformity: After ensuring EU AI Act compliance, submit an EU Declaration of Conformity in physical or electronic form.

Conduct post-market monitoring and reassessment: Develop a system for continuously monitoring and reporting your AI system’s performance and adherence to the EU AI Act.

Within all modern organisations there is a technical supply chain which underpins not only how that organisation functions, but also how it protects itself. Recognising the importance of IT supply chains and minimising disruptions and vulnerabilities should be an ongoing focus for all organisations. Protection of IT supply chains is becoming increasingly important for small and medium-sized enterprises (SMEs), which are increasingly targeted for supply chain attacks because their security risk-management measures are often less rigorous.

The EU ICT supply chain security toolbox seeks to provide member states with a common and structured approach to securing their supply chains. Its key objectives are:

  • Create and foster a common understanding of supply chain security risks
  • Identify potential threats, vulnerabilities and risks within the supply chain through a scenario-based methodology
  • Provide recommendations to secure the ICT supply chain

The ultimate objective of the EU supply chain toolbox is to provide guidance on effective measures for managing security risks at each stage of the services lifecycle across hardware, software and managed security services. The IT supply chain toolbox is technology agnostic and aims to focus on the assessment of supply chain risk rather than targeting specific technologies.

This toolbox aims not only to educate organisations on how they can better manage their security risk and technology, but also to provide them with examples that empower them to manage their security.

Three things the toolbox does

1. It makes risk scenarios real and actionable

Abstract risk language can be confusing when it comes to effective security governance. Telling a board that ‘supply chain threats are increasing’ generates concern, but without the right business context (how it will affect business KPIs and KBIs) it rarely generates action. The EU ICT Supply Chain Security Toolbox aims to replace theoretical risk with real, quantifiable risk aligned to an organisation’s goals and objectives.

It identifies risk scenarios across three categories:

  • Deliberate threats such as ransomware attacks against managed service providers and the insertion of counterfeit hardware components
  • Unintended threats including faulty software updates cascading across dependent systems
  • External events such as supplier lock-in and geopolitical disruptions that could constrain an organisation’s ability to operate with a vendor they have relied upon for years

These scenarios are not hypothetical. They are drawn from documented incident patterns, ENISA threat intelligence, and the collective experience of national cyber security authorities. For IT teams, they provide a structured way of assessing supply chain exposure, not in the abstract, but against specific, realistic threat pathways.

2. It gives organisations a structured mitigation framework

The toolbox does not stop at identifying risks. It provides seven recommendations grouped across four strategic pillars, giving organisations a clear action framework rather than a list of concerns.

The first pillar demands a robust framework for ICT supply chain risk management, moving beyond point-in-time assessments to establish structured, repeatable processes that cover the full supplier ecosystem, including the tier-two and tier-three dependencies that most organisations currently have limited visibility into.

The second pillar addresses supply chain resilience through diversity: the toolbox highlights that single-vendor dependency is a strategic vulnerability, and that multi-vendor strategies are not just commercially sensible but a security ‘must have’.

The third pillar focuses on situational awareness and operational cooperation: the kind of structured information sharing between organisations and sectors that transforms isolated security teams into a networked defence community.

The fourth pillar looks to the longer term – building a resilient, trusted, and transparent industrial base through standards alignment, security certification, and an interoperable ecosystem where Software Bills of Materials (SBOMs) and cryptographic attestation become baseline procurement expectations.

Each of these pillars has immediate operational implications for IT teams. They are not aspirational; they are the measures against which your supply chain security programme will increasingly be assessed.

3. Extended scope to critical sectors through dedicated risk assessments

The toolbox is accompanied by two Union-level coordinated risk assessments that signal where the EU considers the supply chain threat to be most acute right now.

The first focuses on connected and automated vehicles, a sector where the convergence of hardware complexity, software dependency, and remote update capability creates a large supply chain attack surface. The NIS Cooperation Group recommends that the Commission and Member States identify proportionate measures to de-risk EU supply chains from high-risk suppliers, particularly in processing and decision-making systems and vehicle control components capable of receiving remote updates.

The second focuses on detection equipment used at borders and customs, infrastructure that sits at the intersection of physical and digital security, and where supply chain compromise could have consequences that extend well beyond the cyber domain.

For IT teams operating in or as part of these sectors, these assessments are not background reading. They are a direct signal of where regulatory scrutiny will intensify.

The competitive dimension IT Departments are missing

From our discussions with several customers over recent months at Cyberfort we know that supply chain security conversations are not happening in enough boardrooms. Instead of supply chain security being seen as another compliance task to complete it should be treated as a competitive differentiator.

Organisations that can demonstrate structured, auditable supply chain risk management will increasingly win procurement decisions, particularly in public sector and regulated industries where NIS2 and DORA compliance is a requirement for suppliers. Organisations that cannot demonstrate this will find themselves excluded from opportunities, regardless of how competitive their core offering is.

The EU ICT Supply Chain Security Toolbox provides the framework to build that capability credibly and systematically. IT teams who engage with it proactively, embedding its risk scenarios into their vendor assessment processes, aligning their procurement governance with its recommendations, and investing in the information sharing infrastructure it calls for, will be ahead of the curve when national authorities begin enforcement.

Those who wait for enforcement to begin will be playing catch-up in a regulatory environment that has less tolerance for delay.

So what does this look like in practice?

An example scenario from the EU ICT supply chain toolbox that would apply to most organisations is:

A cloud service provider has a datacentre outage due to human error which prevents access to millions of domains, including your organisation’s. The disruption to your web application has its root cause traced back to an air vent being mistakenly closed in the datacentre; although simple to remediate, it has left many organisations’ online services down or working at limited capacity after they failed services over to other datacentres. This extended period of downtime raises concerns around the resilience of hosting vital organisational infrastructure in the cloud.

How would the analysis of this look?

Type of incident: Service outage

Root cause: Human error

Supply chain: Cloud computing provider, organisational users of the cloud computing provider

Threat actor who could use this scenario to their advantage: Advanced persistent threats, Organised crime groups, Insiders in the supply chain

Vulnerability: Poor practices by cloud computing provider, poor supply chain management by the end user organisation

Impact: Reputational damage, service disruptions (availability and integrity)

For organisations, these types of incidents and risks should be considered as part of their operations. They need to consider how they would recover if something like this were to happen and whether they have any measures in place to minimise the damage it would cause to their operations.

Without a business continuity/disaster recovery plan in place, an organisation may struggle to prioritise remediation and get its operations up and running again.

Where to start with developing a business continuity plan

Firstly, identify your most critical and time-sensitive operations and the impact that disruption to any of them would have. Measure the impact and likelihood of these operations being disrupted and attribute a timescale for how long your organisation could continue with these services degraded or unavailable.

Plan your response strategy – having processes in place to not only identify issues as they arise, but also how technical support are contacted in case of an emergency and what the roles look like for the involved teams will be a first step in bringing the organisation back to its full operations.

Consider the recovery – define the steps that would need to be completed in order to recover these critical services in a variety of scenarios. That could be server failover to a new region or removal of malware from a server, depending on which risks you have defined. Create a team that knows how to start recovery and where to find the necessary materials to begin the recovery process.

Train around your key risk scenarios – you may have plans written, but do you know these plans work in practice? Consider running tabletop exercises to train staff on how they might work in a real-world situation. This will identify key areas of weakness that can be considered and remediated before a real-world situation occurs.

Ensure communication channels are detailed within the organisation – for each scenario, the business continuity plan should define the go-to team and the people needed to help resolve it. Understanding who needs to be involved will speed up recovery rather than having people searching for the right teams while under high time pressure.

Disaster could strike at any time, day or night, and the last thing you want is to be trying to work out who you need to call at 3am. Have plans for any regulatory or external comms you might need to make in case of a GDPR breach, or where the attack on your organisation has wide external consequences. This might mean informing your suppliers, the ICO, customers or industry of what has happened and the steps you are taking to remediate.

Four top recommendations for effective incident response include:

  • Partners – know your supporting partners and contact details/process – Cyber Incident Response (CIR), Insurance, Legal
  • Decision process – Board responsibilities – have clear and known Board level decision and escalation processes
  • Empowering decision makers – rehearse and engage with Board stakeholders, educate any that are not Cyber aware
  • Exercising and planning, prioritise information sharing (reporting) etc

Disaster recovery planning

Disaster recovery plans go into greater depth than the business continuity plan, defining the recovery objectives and how systems and data need to be protected during an outage. The recovery time objective (RTO) determines the maximum acceptable time a system or component can be down before it starts causing unacceptable damage to the organisation. This will be individual to each component of the organisation and will be based on the result of the business impact assessment (BIA).

As part of this process there will also be the need to define a recovery point objective (RPO) to answer the question: how much data can we afford to lose in case of a disaster? If the answer is that you cannot afford to lose any of this data, you may need to consider how to improve your security posture to best protect it, as any and all systems can be compromised.

For data which your organisation feels they could afford to lose, build your disaster recovery plans accordingly.
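To make the two objectives concrete, here is a small added example (not Cyberfort's or Vanta's code) that checks a constructed set of services against their RTO and RPO. The service names, objectives, backup cadences, replica lag and step durations are all assumptions; the check compares the worst-case data loss implied by the backup arrangement with the RPO, and the summed duration of the plan's recovery steps with the RTO.

```python
"""Check services against the recovery objectives the text defines: the RTO
(maximum tolerable downtime) and the RPO (maximum tolerable data loss,
expressed as time), using the backup cadence and the steps in the recovery plan.

Added example, not Cyberfort's or Vanta's code. Service names, objectives,
backup intervals and step durations are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    name: str
    rto_minutes: int                 # from the BIA: max acceptable downtime
    rpo_minutes: int                 # from the BIA: max acceptable data loss
    backup_interval_minutes: int     # how often a restorable copy is taken
    replica_lag_minutes: Optional[int] = None  # lag of a promotable replica; None if none exists
    recovery_steps: list = field(default_factory=list)  # (step, estimated minutes)


def worst_case_data_loss(s):
    """A failure just before the next copy loses a whole interval; a promotable
    replica bounds the loss to its lag instead."""
    if s.replica_lag_minutes is None:
        return s.backup_interval_minutes
    return min(s.backup_interval_minutes, s.replica_lag_minutes)


def estimated_recovery_time(s):
    """Sum of the plan's steps: what the RTO is actually measured against."""
    return sum(minutes for _, minutes in s.recovery_steps)


def assess(services):
    """One finding per service: the figures and any gap against RPO or RTO."""
    findings = []
    for s in services:
        loss = worst_case_data_loss(s)
        recovery = estimated_recovery_time(s)
        gaps = {}
        if loss > s.rpo_minutes:
            gaps["rpo"] = loss - s.rpo_minutes
        if recovery > s.rto_minutes:
            gaps["rto"] = recovery - s.rto_minutes
        findings.append({"service": s.name, "data_loss_minutes": loss,
                         "recovery_minutes": recovery, "gaps": gaps})
    return findings


SAMPLE_SERVICES = [  # constructed sample services and plans
    Service("payments-db", rto_minutes=60, rpo_minutes=5,
            backup_interval_minutes=1440, replica_lag_minutes=1,
            recovery_steps=[("declare incident", 10), ("promote replica", 15),
                            ("repoint application", 10), ("verify transactions", 15)]),
    Service("file-share", rto_minutes=240, rpo_minutes=60,
            backup_interval_minutes=1440,
            recovery_steps=[("restore from nightly backup", 180), ("verify", 30)]),
    Service("web-frontend", rto_minutes=30, rpo_minutes=1440,
            backup_interval_minutes=1440,
            recovery_steps=[("fail over to second region", 20),
                            ("DNS propagation", 15), ("smoke test", 10)]),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_SERVICES):
        status = "OK" if not f["gaps"] else f"GAP {f['gaps']}"
        print(f"{f['service']:13} loss={f['data_loss_minutes']}m "
              f"recovery={f['recovery_minutes']}m {status}")
```

Run as a script it prints one line per service. In the sample, the file share fails its RPO because a nightly backup cannot deliver a one-hour objective, and the web front end fails its RTO because the plan's steps add up to more than thirty minutes, which is exactly the kind of gap a tabletop exercise should surface before a real incident does.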

How do business continuity and disaster recovery plans benefit the organisations who have invested in them?

Reduced downtime – keeping any security-incident-related downtime to a minimum is key to maintaining a good relationship with stakeholders. If your organisation finds itself unable to recover, previous customers may start to move to competitors who have been able to maintain operations during cyber attacks or incidents.

Lower financial risk – the average cost of a data breach had been increasing year on year until last year, when it fell by 9% to $4.4 million due to improved speed of identification and containment, as organisations have become more aware of their general risk landscape.

Reduction in penalty risk – having a plan to mitigate data loss will reduce the overall security risk around your organisation's data. Without appropriate measures in place to start data or system recovery, the organisation can be left open to high penalties for losing sensitive customer information. This is most prevalent in healthcare, finance and government environments. Having plans and steps in place to recover your systems should the worst happen might be the key to keeping your organisation functional during a cyber security incident; without them your organisation may be unable to fully recover.

The Digital Operational Resilience Act (DORA) and the revised Network and Information Systems directive (NIS2) are two of the latest EU cyber security regulations designed to improve the security posture and cyber resilience of financial services firms.

Both regulations share the same general purpose of increasing their respective sectors’ overall transparency and security. Yet their approaches to this goal vary in several key aspects. In this article we’ll cover:

  • Key facts about DORA and NIS2
  • The importance of complying with each
  • Four main differences between DORA and NIS2
  • How the Vanta platform makes compliance easier to manage

What is NIS2?

NIS2 is an EU directive that imposes various requirements and controls on organisations within the Member States to help strengthen their cyber security posture. It’s an extension of the original NIS directive, expanding its scope to additional sectors for more comprehensive coverage.

The directive also introduces stricter and clearer cyber security requirements than its predecessor, providing more prescriptive guidance.

NIS2 came into effect in October 2024, so its implementation is well underway. If you haven't adjusted your security controls to meet the directive's requirements, now is the time to act to avoid potential legal repercussions and financial penalties.

What is DORA?

DORA is an EU regulation that applies to a wide range of financial entities, including banks, investment firms, insurance companies, and payment service providers. Its main goal is to ensure the stability of the EU’s finance and insurance sectors by strengthening their resilience to information and communication technology (ICT) threats.

DORA was enacted on the 16th January 2023 and the European Commission gave 24 months for its implementation. As of 17th January, 2025, compliance is mandatory, and the European Supervisory Authorities (ESAs) have already started their activities.

This means that DORA, alongside NIS2, is another important regulation that financial services organisations should comply with, and there are multiple reasons for this.

Why you should comply with NIS2 and DORA

The main reason to comply with both DORA and NIS2 is to fulfil your regulatory obligations and avoid potentially disruptive compliance gaps that can threaten your organisation’s security posture. Both frameworks prescribe effective cyber security guidelines you should follow to protect your organisation from ever-evolving security threats.

Ensuring timely compliance will help organisations avoid considerable fines, potentially amounting to millions of euros. Both regulations also impose notable non-financial penalties (including holding individuals or management personally liable) in case of violations, which can significantly disrupt an organisation's operations.

Even out-of-scope organisations that are not involved in financial services can benefit from adopting these frameworks, for multiple reasons, including:

Improved cyber security posture: DORA and NIS2 require a granular overview of your security controls, helping you understand your cyber security posture and upgrade it with effective measures.

Operational continuity: Besides the legal and regulatory complications you might encounter if you don’t comply with DORA and NIS2, you can also avoid severe disruptions caused by different types of security breaches.

Industry-wide transparency: Both DORA and NIS2 strive toward an industry-level increase in security transparency in their respective sectors, creating a more stable and trusting operational environment.

Improved stakeholder trust: Demonstrating DORA and NIS2 compliance shows responsibility towards your regulatory obligations and data protection, giving stakeholders more confidence when they engage with your organisation.

Harmonised security compliance: DORA and NIS2 bring together various guidelines from different authoritative sources, offering a holistic approach to cyber security.

The 4 key differences between NIS2 and DORA

While NIS2 and DORA share the same overarching goal and a few general attributes like legal weight and geographic presence, they differ in a few crucial aspects:

Differentiator | NIS2 | DORA
Regulation type | Directive | Regulation
Implementation deadline | 17th October 2024 | 17th January 2025
Scope | Critical sectors like energy, healthcare and transport, plus MSPs and MSSPs | Financial entities and ICT service providers
Key objective | Strengthening organisations' overall cyber security posture beyond ICT risks | Mitigation of ICT-related cyber security risks for the financial sector
Focus areas | Broader focus: aims to help organisations strengthen their overall cyber security posture beyond ICT risks | Main focus is the effective mitigation of ICT-related cyber security risks for the financial sector
Non-compliance penalties | Fines can reach €10,000,000 or 2% of global annual revenue; top management can be held personally liable | Fines of up to 2% of total annual worldwide turnover, or up to €1,000,000 for individuals; for ICT providers, penalties of €5,000,000 or up to €500,000 for individuals

The table above covers broad distinctions, but let’s take a closer look at four differentiators that can impact your compliance strategy:

  • Regulation type
  • Scope
  • Focus areas
  • Non-compliance penalties

1. Regulation type

NIS2 is a directive, meaning it leaves room for Member States to specify the details regarding its implementation. The specific controls and obligations can vary as long as each jurisdiction can develop an enforceable framework aligned with the directive’s broad requirements.

By contrast, DORA is a regulation, meaning it’s universally applicable to in-scope entities across the EU and doesn’t allow the same leeway as NIS2. The regulation imposes the same rules on all EU Member States and their organisations, making it less interpretative than NIS2.

Despite the differences in implementation, NIS2 and DORA are both mandatory. The latter can be implemented by following the European Commission’s guidance, while NIS2 might require additional guidance from the governing body of your specific jurisdiction.

2. Scope

DORA primarily applies to EU-based financial services organisations and ICT service providers. Several examples of both categories are outlined below:

Entity type: Financial services
  • Credit institutions
  • Trading venues
  • Credit rating agencies
  • Account information service providers
  • Crypto asset service providers
  • Banks
  • Investment firms
  • Insurance and reinsurance undertakings
  • Payment service providers
  • Fintech companies
  • Finserv organisations

Entity type: ICT services supporting critical or important functions of the financial entity
  • Cloud services
  • Network security service providers
  • Voice over internet protocol (VoIP) providers
  • Managed Security Service Providers (MSSP)
  • Outsourced IT and cybersecurity services
  • Managed service providers (MSP)
  • Data centres

NIS2 has a broader scope and encompasses multiple sectors, including:

  • Energy
  • Transport
  • Banking
  • B2B ICT service management
  • Postal and courier services
  • Waste management

Organisations within these sectors can be classified into two categories under NIS2:

Differentiator | Essential entities | Important entities
Size threshold | 250+ employees, an annual turnover of €50 million, or a balance sheet of €43 million (varies by sector) | 50+ employees, an annual turnover of €10 million, or a balance sheet of €10 million (varies by sector)
Example sectors | Health, water, digital infrastructure, energy, transport | Waste management, manufacturing, digital providers, postal services, food

The classification is based on an organisation’s industry and size. NIS2 primarily targets large and mid-sized organisations, though small businesses and startups might be impacted under specific conditions outlined in Article 2.

While NIS2 applies to a broader range of organisations, financial services organisations and their ICT service providers should prioritise DORA, as it takes precedence under lex specialis. However, organisations subject to both regulations still must comply with NIS2’s general cyber security obligations in areas not fully covered by DORA, such as cross-sector co-operation and information-sharing requirements for critical infrastructure.

Notably, both DORA and NIS2 may apply to your organisation, even if it’s domiciled outside the EU. If you provide services to entities within Member States, you may need to implement at least some of the prescribed controls.

Therefore, organisations must ensure full compliance by meeting both the specific requirements of DORA and the general requirements of NIS2.

3. Focus areas

DORA’s main focus is the effective mitigation of ICT-related cyber security risks for the financial sector. The regulation is built upon five pillars:

ICT risk management: Your organisation needs to have a dedicated control function responsible for identifying, assessing, and mitigating ICT risks.

ICT-related incident management: You need a documented incident response program that encompasses the detection, containment, resolution, and notification of ICT-related incidents.

Digital operational resilience testing: You must develop, implement and continually review a digital operational resilience testing programme that helps you uncover and patch security vulnerabilities.

ICT third-party risk management: DORA requires a robust third-party risk management (TPRM) framework that will simplify the detection and mitigation of third-party ICT risks.

Information sharing: DORA allows (but doesn’t require) entities to exchange cyber threat information with other organisations in the financial sector to increase readiness and transparency.

NIS2 has a broader focus and aims to help organisations strengthen their overall cyber security posture beyond ICT risks. Some of the key cybersecurity risk-management measures encompassed by it include:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity (backup management, crisis management, etc.)
  • Supply chain security
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess cyber security risk-management measures
  • Cyber security training and basic security hygiene
  • Cryptography and encryption
  • Access control policies, asset management, and human resource security
  • Multi-factor authentication (MFA)

Even though both DORA and NIS2 address the security of external parties, NIS2 places a stronger emphasis on supply chain security. Meanwhile, DORA aims to ensure robust third-party risk management, covering a broader range of external service providers.

4. Non-compliance penalties

In case of DORA non-compliance, organisations might face various administrative penalties, such as:

  • Cease and desist orders for non-compliant practices
  • Pecuniary measures as defined by the Member State’s governing body
  • Requests for data traffic records

Financial entities are also subject to fines of up to 2% of their total annual worldwide turnover or up to €1,000,000 for individuals. For ICT providers, the penalties stand at €5,000,000 or up to €500,000 for individuals.

Organisations that fail to comply with NIS2 can also encounter non-monetary penalties and criminal sanctions for C-level executives. They may also face substantial fines, specifically:

Essential entities: A maximum fine of at least €10,000,000 or 2% of the global annual revenue, whichever is higher

Important entities: A maximum fine of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher

Besides lower penalties, important entities face less stringent supervision than essential entities. While essential entities must be more proactive, important entities are subject to ex-post supervision, meaning oversight occurs after evidence of non-compliance or security breaches emerges.

Both NIS2 and DORA can also hold members of management personally liable for cases of gross negligence and wilful misconduct. Still, regulators are not expected to impose personal penalties routinely; enforcement will likely be reserved for extreme cases where non-compliance results from deliberate negligence or a disregard for security obligations.

Given these penalties and oversight differences, determining whether your organisation falls under DORA, NIS2, or both is crucial to properly allocate resources.

Should you comply with DORA or NIS2?

Deciding whether to comply with DORA or NIS2 depends on your organisation’s sector. If you’re in the finance industry, you should comply with the former because it takes precedence over the equivalent requirements of NIS2. Otherwise, you may need to pursue NIS2 compliance if the directive applies to your organisation.

Either way, full compliance with these frameworks requires a structured approach. While DORA and NIS2 outline various controls, you might need more detailed prescriptive guidance for thorough implementation.

Without a clear roadmap, you might end up with unnecessarily complex and scattered workflows that can make timely compliance more difficult. To avoid such issues, you should ensure proactive compliance management.

A dedicated trust management platform simplifies this process by automating workflows, centralising documentation, and ensuring real-time compliance tracking, allowing you to achieve DORA and NIS2 compliance with less manual effort.

Most organisations rely upon a range of suppliers to deliver products, systems and services to their business to keep them running, operating and delivering for customers. This makes mapping supply chains complex and ensuring they are secure difficult as vulnerabilities can be introduced at any point within the supply chain.

From our experience at Cyberfort we often see organisations unaware of exactly who is in their supply chain and of the security risks posed by different types of suppliers. For example, when was the last time you reviewed your organisation's third-party vendors, logistics platforms, SaaS providers and subcontractors? Each one represents a potential entry point into your business that you didn't build, don't control, and probably haven't had the time to properly scrutinise.

If you don’t have a clear, continuously updated map of your supply chain’s attack surface, you are operating ‘blind’ in a threat landscape that has already figured out where your weaknesses are. In this article we explore the importance of supply chain mapping and its role in mitigating cyber security risks to an organisation.

What is supply chain mapping?

Before we delve into the detail of developing a supply chain map, it's important to understand exactly what supply chain mapping is and why it's key to resilience down the line. Supply chain mapping is a form of risk management in which organisations identify and mitigate the risk in their supply chain. For most this begins with their biggest suppliers and those who may have access to their most sensitive data. Unfortunately, this is the stage at which the majority of organisations stop, meaning there are several layers of suppliers who may be operating in your digital environment without the right security certifications, appropriate controls, posture awareness or alignment to your organisation's security standards.

A thorough supply chain mapping exercise for cyber security purposes is dynamic, technical, and intelligence-driven, not simply a spreadsheet exercise completed once a year before an audit.

It starts with discovery: not just asking vendors to fill out a questionnaire, but actually identifying every digital touchpoint your organisation has with external suppliers. So what does discovery look like? It means cataloguing third-party integrations, mapping data flows, identifying what access each vendor has and at which privilege level, and understanding the 'shadow IT' that business units have adopted without security oversight, to name a few. In most organisations, this discovery phase alone can reveal several undocumented connections that no one in the security team knew existed.

From this point, time should be taken to understand the concentration risk. How many of your critical operations depend on a single vendor? What happens if that vendor goes down, or is compromised?

The next layer to map is continuous monitoring. A point-in-time assessment of your supply chain is almost immediately out of date: vendors change their infrastructure, new integrations appear, security practices react to changes rather than anticipating them, and the threat intelligence landscape shifts. An accurate picture of your supply chain risk requires ongoing surveillance, not an annual review.

Finally, you need context. Knowing that a vendor has a vulnerability is only useful if you understand what that vulnerability means for your specific relationship with them. Do they have access to sensitive data? Do they sit upstream of a critical production system? Risk prioritisation requires that context, and building it requires both technical depth and business understanding that most internal security teams are not resourced to deliver.

Illustration 1 – Example of where suppliers might sit within an organisation in terms of their risk profile

Who is considered the highest risk?

Organisations which have privileged access to your systems are widely considered the highest risk factor in your supply chain despite core digital infrastructure being the foundation of your business.

Core digital infrastructure like your cloud provider or internet service provider, although it underpins your entire digital business, is considered a lower risk because the cloud shared responsibility model obliges cloud providers to ensure a baseline level of protection for their users' data.

The highest risk level sits with managed and professional services, which have a wider reach of their own suppliers, greater human risk factors and often direct privileged access into your organisation. Where cloud providers and ISPs simply host your data, they have little direct access into your organisation, whereas managed services may be responsible for your service desk, identity and access management and potentially terminals into your infrastructure. If one of these partners or their users is compromised, the attacker will have direct access to your business.

Operational and software vendor risk is inherently lower than that of service providers, as the software vendor, or the code libraries they use, would have to be compromised and persistent access gained for a malicious attacker to get into your environment. The impact would still be high, but the likelihood is considerably lower.

Sub-contractors, and any of the suppliers of your cloud hosts, service providers or software, are the hardest to map. They should still be considered a risk, either as a risk of the unknown or ranked by the likelihood of a sub-contractor or supplier being compromised and the effect it would have on your business. Due to its complexity this is often the last aspect of supply chain risk management to be completed, as even if you can identify the risk you may not be able to mitigate it.
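The discovery, concentration risk and context steps above, together with the risk tiers just discussed, can be captured in a simple vendor map. The following is an added example, not Cyberfort's or Vanta's code; the vendor names, the tier weights and the scoring are constructed assumptions. The fourth-party mapping at the end illustrates why sub-contractors are only as visible as the records your direct suppliers give you.

```python
"""Supply chain mapping helper: record each supplier with the context the text
calls for (tier, privileged access, data sensitivity, the operations it
underpins and its own sub-contractors), then surface concentration risk,
fourth-party exposure and a prioritised list.

Added example for this article, not Cyberfort's or Vanta's code. Vendor
names, the tier weights and the scoring are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Ordering follows the text: managed/professional services highest, software
# vendors lower, core infrastructure (cloud, ISP) lowest. Weights are assumed.
TIER_WEIGHT = {
    "managed_service": 4,
    "professional_service": 4,
    "software_vendor": 2,
    "core_infrastructure": 1,
}


@dataclass
class Vendor:
    name: str
    tier: str
    privileged_access: bool          # e.g. service desk, IAM, terminals into your estate
    sensitive_data: bool             # hosts or can read sensitive data
    supports: set = field(default_factory=set)   # critical operations that depend on it
    suppliers: set = field(default_factory=set)  # its own sub-contractors (fourth parties)


def risk_score(vendor):
    """Context-driven score: tier, then access, then data, then operational reach."""
    score = TIER_WEIGHT[vendor.tier]
    if vendor.privileged_access:
        score += 3
    if vendor.sensitive_data:
        score += 2
    return score + len(vendor.supports)


def prioritise(vendors):
    """Highest-risk suppliers first; ties keep input order."""
    return sorted(vendors, key=risk_score, reverse=True)


def concentration_risk(vendors):
    """Critical operations that rely on exactly one supplier."""
    by_operation = defaultdict(list)
    for v in vendors:
        for op in v.supports:
            by_operation[op].append(v.name)
    return {op: names[0] for op, names in by_operation.items() if len(names) == 1}


def fourth_party_exposure(vendors):
    """Map each sub-contractor to the operations it indirectly underpins."""
    exposure = defaultdict(set)
    for v in vendors:
        for sub in v.suppliers:
            exposure[sub] |= v.supports
    return dict(exposure)


# Constructed sample supply chain.
SAMPLE_VENDORS = [
    Vendor("CloudCo", "core_infrastructure", False, True,
           {"customer portal", "payments"}, {"DC-Power Ltd"}),
    Vendor("HelpDeskMSP", "managed_service", True, True,
           {"service desk", "identity"}, {"OffshoreSupport"}),
    Vendor("PayGateway", "software_vendor", False, True, {"payments"}),
    Vendor("ISP-One", "core_infrastructure", False, False, {"connectivity"}),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE_VENDORS):
        print(f"{v.name:12} score={risk_score(v)}")
    print("single-supplier operations:", concentration_risk(SAMPLE_VENDORS))
    print("fourth-party exposure:", fourth_party_exposure(SAMPLE_VENDORS))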

How can you mitigate risk of supply chain compromise?

Due to the interconnected nature of the digital landscape, completely avoiding supply chain risk is unlikely. But there are key actions you can take to limit your risk and potential exposure to threats via supply chain compromise:

  • Ensure your organisation has an up to date and centrally managed Software Bill of Materials (SBOM).
  • Track direct and indirect dependencies.
  • Reduce the attack surface by removing unused dependencies and unnecessary features.
  • Continuously monitor vulnerabilities.
  • Obtain components from trusted sources over secure links.
  • Only upgrade dependencies when there is a genuine need.
  • Monitor libraries and components which are unmaintained – if they are no longer being patched consider migration to a more secure version or create safeguards around the component.
  • Keep CI/CD pipelines updated.
  • Stage the deployment of updates and ensure they are tested at each phase.

The question is how many of these actions you have recently undertaken, and how regularly. If you are unsure where to start, this is the time to engage a supply chain security specialist who can work with you to understand your systems, processes and interdependencies in relation to your organisation's supply chain. In the next part of this article we explore several of the key actions highlighted above and their importance in the context of mapping your supply chain to reduce cyber risk.

Why a Software Bill Of Materials matters

The software bill of materials (SBOM) outlines which technologies you are using. Understanding them is how you track software vulnerabilities end-to-end and ensure they are remediated in a timely manner; without a full picture of your in-use technologies you cannot track your tech debt or vulnerable software. Your SBOM can also inform direct and indirect dependency tracking, to understand how code dependencies impact your business operations.

Reducing your attack surface

If you aren't aware of your SBOM you will struggle to reduce your attack surface. There may be additional products running that are not only unaccounted for but also unmanaged, meaning required software updates won't be applied, which could leave you exposed to vulnerabilities, including zero-days, that are never patched.

Maintaining updated CI/CD pipelines

Keeping your CI/CD pipeline up-to-date is a key practice for maintaining supply chain security and can be achieved using a series of defined practices:

  • Consolidate all CI/CD tooling into a single platform to reduce maintenance overhead and reduce need for context switching for developers.
  • Automate as much as you can, ensuring continuous automation can keep security scanning, deployment and infrastructure provisioning running in the background with minimal human oversight.
  • Shift left on security – CI/CD pipelines provide a great opportunity to shift security left by building security best practices into the pipeline as early as possible, reducing risk and producing more inherently secure applications. Shifting left also allows remediation to be prioritised earlier in the deployment pipeline, making the last-minute panic to patch bugs a thing of the past and saving time, money and the risk of releasing applications that could be compromised.

Tooling to support shifting security left includes:

  • Static application security testing (SAST) – static tooling analyses code without executing it to discover code vulnerabilities.
  • Software composition analysis (SCA) – SCA identifies open source code within codebases and automates the process of inspecting package managers, manifests, source code, binary files and container images to generate an SBOM. Using the SBOM, the SCA tooling then compares the components to databases listing known vulnerabilities, licensing issues and code quality issues, enabling security teams to prioritise mitigation.
  • Dynamic application security testing (DAST) – DAST is a form of 'black box' testing in which tooling runs against the live application to find vulnerabilities in its functionality that may not have been identified by SAST.
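The SCA step described above (generate an SBOM, then compare it with a vulnerability database and prioritise), together with the direct and indirect dependency tracking from the SBOM section, as an added example. This is not Cyberfort's, Vanta's or any SCA product's code: the SBOM is a constructed CycloneDX-shaped document, the vulnerability feed and the 'constructed:last-release' property used to flag unmaintained components are assumptions, and versions are compared as simple dotted integers.

```python
"""SBOM-driven vulnerability matching in the style of the SCA step above: read a
CycloneDX-shaped SBOM, work out which components are direct or transitive
dependencies, match them against a vulnerability list and rank the findings.

Added example, not Cyberfort's, Vanta's or any SCA product's code. The SBOM,
the vulnerability feed and the 'today' date are constructed inline; the
'constructed:last-release' property is an assumption used to flag unmaintained
components (the text's 'libraries which are unmaintained')."""
from collections import deque
from datetime import date

TODAY = date(2025, 6, 1)            # fixed so the example is deterministic
UNMAINTAINED_AFTER_DAYS = 3 * 365   # assumption: no release in 3 years

SBOM = {  # constructed, CycloneDX-like shape (bom-ref / dependsOn)
    "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "webframework", "name": "webframework", "version": "3.1.0"},
        {"bom-ref": "libjson", "name": "libjson", "version": "2.0.2"},
        {"bom-ref": "tls-lib", "name": "tls-lib", "version": "1.4.9"},
        {"bom-ref": "legacy-xml", "name": "legacy-xml", "version": "0.9.1",
         "properties": [{"name": "constructed:last-release", "value": "2017-03-01"}]},
        {"bom-ref": "unused-lib", "name": "unused-lib", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["webframework", "legacy-xml"]},
        {"ref": "webframework", "dependsOn": ["libjson", "tls-lib"]},
    ],
}

VULNS = [  # constructed feed: component, affected version constraints, severity
    {"id": "CONSTRUCTED-0001", "component": "libjson", "severity": "high",
     "affected": [[">=", "2.0.0"], ["<", "2.0.4"]]},
    {"id": "CONSTRUCTED-0002", "component": "tls-lib", "severity": "medium",
     "affected": [["<", "1.4.9"]]},
    {"id": "CONSTRUCTED-0003", "component": "legacy-xml", "severity": "critical",
     "affected": [["<", "1.0.0"]]},
    {"id": "CONSTRUCTED-0004", "component": "webframework", "severity": "high",
     "affected": [["<", "3.0.0"]]},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def is_affected(version, constraints):
    """True when the version satisfies every constraint, e.g. >=2.0.0 and <2.0.4."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b}
    ver = parse_version(version)
    return all(ops[op](ver, parse_version(bound)) for op, bound in constraints)


def dependency_depths(sbom):
    """BFS from the root component: depth 1 = direct, >1 = transitive."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def unused_components(sbom):
    """Components listed in the SBOM but not reachable from the root."""
    depths = dependency_depths(sbom)
    return [c["name"] for c in sbom["components"] if c["bom-ref"] not in depths]


def is_unmaintained(component):
    for prop in component.get("properties", []):
        if prop["name"] == "constructed:last-release":
            last = date.fromisoformat(prop["value"])
            return (TODAY - last).days > UNMAINTAINED_AFTER_DAYS
    return False


def match_vulnerabilities(sbom, vulns):
    """Join the feed to the SBOM and rank: severity, then direct before
    transitive, then unmaintained components first."""
    depths = dependency_depths(sbom)
    by_name = {c["name"]: c for c in sbom["components"]}
    findings = []
    for v in vulns:
        comp = by_name.get(v["component"])
        if comp is None or not is_affected(comp["version"], v["affected"]):
            continue
        depth = depths.get(comp["bom-ref"])
        findings.append({"id": v["id"], "component": comp["name"],
                         "version": comp["version"], "severity": v["severity"],
                         "depth": depth, "direct": depth == 1,
                         "unmaintained": is_unmaintained(comp)})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]],
                                 not f["direct"], not f["unmaintained"]))
    return findings


if __name__ == "__main__":
    for f in match_vulnerabilities(SBOM, VULNS):
        print(f)
    print("unused:", unused_components(SBOM))
```

Note the boundary cases the join has to get right: tls-lib at 1.4.9 is not matched by a "<1.4.9" range, and unused-lib is reported separately because it is in the inventory but nothing depends on it, which is the "remove unused dependencies" action from the list above.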

Vulnerability monitoring

Once you know your technology stack and SBOM you can begin to craft vulnerability management processes: understanding which software is vulnerable, and what patching or updates you need to undertake to ensure its security and, potentially, compliance with the key security frameworks your business is aligned to.

To build an effective vulnerability management process within your organisation first:

  1. Produce an SBOM and identify your data flows and their importance within your business.
  2. Ensure your systems have a secure configuration – aligning your systems to industry best practices like the CIS Benchmarks or NIST guidance is a good place to start to avoid misconfiguration. Ensure these configurations are baked into builds rather than retrofitted once the deployment has been made.
  3. Perform vulnerability, DAST and SAST scanning.
  4. Conduct a risk assessment to inform stakeholders what the newly discovered vulnerabilities mean for the organisation: are they exploitable, which systems do they impact, and what is the likelihood of them being exploited?
  5. Train employees on security awareness. This should be more than a yearly awareness video: something more interactive, such as simulated phishing or vishing, keeps staff aware of the threats they face day to day.
  6. Perform penetration testing. Although vulnerability scanning is effective at discovering security issues prior to code deployment, penetration testing validates whether your security controls hold up under real-world testing conditions. Once the pen test has been completed your organisation will receive a report outlining the findings and any security controls that need to be hardened to improve your security.

ISO published the ISO 27001 standard, which defines an information security management system (ISMS), in 2005. Since then, significant revisions have taken place in 2013 and 2022 to better reflect the evolving climate of cyber security threats and technologies. In this article we cover the current control requirements as established in ISO 27001:2022 and the key differences from ISO 27001:2013.

This article will explain how the 2022 version of ISO has evolved from its 2013 predecessor and the current controls that your organisation can implement to become ISO 27001 compliant.

Why was the standard updated?

ISO 27001:2013 served organisations well for nearly a decade, but the threat environment it was written for has evolved significantly. Cloud computing, remote working, supply chain attacks, and the fact that connected devices are used in work and personal lives every day have all fundamentally altered how risk presents itself. The 2022 revision was designed to reflect the changing threat landscape, aligning more closely with the broader ISO management system framework and incorporating lessons learned from widespread adoption of the 2013 standard.

Organisations that achieved certification under the 2013 version were given a transition period to move to the new standard, with the deadline for full transition set for October 2025. For any organisation who has not started their ISO 27001:2022 journey, it is now more important than ever before to upgrade to the new certification standards.

What are the current ISO 27001 controls?

ISO 27001 controls form the backbone of the ISMS. They are designed to address risks to information security and ensure that critical data remains confidential and available and retains its integrity. The controls are divided into four categories, or themes, under Annex A: organisational, people, physical, and technological measures.

Annex A in the ISO 27001:2013 standard included 114 controls across 14 domains, including access control, cryptography, and incident management. The 2022 update reorganised and modernised these controls to align with cyber security challenges. Instead of 14 domains, the updated controls are grouped into four broader themes:

People: Addressing human factors in security, such as training and awareness

Organisational: Governance, risk management, and compliance practices

Physical: Protection of physical assets and locations

Technological: Safeguarding IT systems and infrastructure

The update aimed to simplify implementation and improve clarity as new threats emerge.

Key differences between ISO 27001:2022 and ISO 27001:2013

The shift from ISO 27001:2013 to ISO 27001:2022 introduced several notable changes:

Reduction and consolidation of controls

The number of controls has decreased from 114 to 93, with several consolidated to eliminate redundancy. For example, cryptographic policies and key management controls are now grouped under a single, streamlined control.

Introduction of “attributes” for enhanced context

The 2022 version introduces five attributes to help organisations understand the purpose and application of each control:

  • Cyber security concepts
  • Information security properties
  • Operational capabilities
  • Security domains
  • Control types (preventive, detective, corrective)

These attributes allow for a more flexible and tailored approach to implementing controls based on organisational needs.

New controls to address emerging threats

Fourteen new controls have been added, reflecting advancements in technology and the rise of threats like ransomware and supply chain attacks.

The main controls which have changed and need to be taken care of in the new standards are arguably the most important thing for IT teams to understand. They were added because they reflect security challenges that were either absent or underrepresented in 2013. From our experience at Cyberfort the main changes in the 2022 version which need to be focused on by IT and Cyber Security teams are:

  • Threat intelligence (5.7) — Organisations must now demonstrate that they are actively gathering and acting on information about threats relevant to their environment. Ad hoc awareness of the threat landscape is no longer sufficient; there must be a structured process.

  • Information security for use of cloud services (5.23) — Although cloud infrastructure has become central to most organisations, the 2013 standard did not address it directly. The 2022 version requires organisations to establish and manage information security policies and controls specifically for cloud usage, covering acquisition, use, management, and exit from cloud services.

  • ICT readiness for business continuity (5.30) — This control formalises the need for ICT continuity planning that is properly integrated into the organisation’s broader business continuity management.

  • Physical security monitoring (7.4) — Surveillance and monitoring of physical premises to detect and deter unauthorised access is now an explicit requirement.

  • Configuration management (8.9) — Secure configuration of hardware, software, services, and networks must be documented, implemented, monitored, and reviewed. This is a control that many organisations believed they were doing well, until they tried to evidence it formally.

  • Information deletion (8.10) — Data deletion requirements, aligned with retention policies and privacy obligations, are now a standalone control rather than embedded within broader data handling guidance.

  • Data masking (8.11) — The use of masking, pseudonymisation, and anonymisation to protect sensitive data is now explicitly required where appropriate.

  • Data leakage prevention (8.12) — DLP as a formal control is a significant addition, requiring organisations to implement measures to detect and prevent the unauthorised disclosure of information.

  • Monitoring activities (8.16) — Continuous monitoring of networks, systems, and applications to detect anomalous behaviour is now a named requirement.

  • Web filtering (8.23) — Management of access to external websites to protect systems from malware and to prevent access to unauthorised web resources.

  • Secure coding (8.28) — Secure software development principles must be applied to internally developed code, reflecting the growing importance of application security in the overall risk picture.

Taken together, these new controls show a clear picture of where ISO expected organisations to have gaps: cloud security, proactive threat intelligence, data governance, and continuous monitoring. For many IT teams, closing those gaps requires capabilities that are difficult to build in-house.

These changes may appear incremental, but they reflect a push toward greater rigour and demonstrability. Auditors will be looking for evidence of intentional, documented decision-making — not just good outcomes.
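The point about configuration management (8.9) being easy to believe in and hard to evidence can be made concrete. The following is an added example, not code from the article, Cyberfort or Vanta: it parses an sshd_config-style file captured from a host, compares it with a documented baseline, and emits an evidence record (what was checked, when, the hash of the artefact examined, and the outcome) of the kind an auditor asks for under 8.9 and 8.16. The baseline values, the sample file contents and the host name "host-01" are assumptions made for illustration.

```python
"""Added example: check a host configuration against a documented secure baseline
and emit an audit evidence record (ISO 27001:2022 control 8.9). Baseline values,
file contents and the host name are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Documented baseline: setting (lower-cased) -> allowed values. This is the
# "documented" half of 8.9; the check below is the "monitored" half.
SSHD_BASELINE = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}

def parse_sshd_config(text):
    """Parse sshd_config-style text into {key: value}. Keys are lower-cased,
    comment and blank lines are skipped, and the first occurrence of a key wins
    (as sshd itself behaves)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings

def check_against_baseline(settings, baseline):
    """Return findings as dicts (setting, allowed, observed). A missing setting
    is a finding too: relying on an undocumented default is not evidence of a
    controlled configuration."""
    findings = []
    for key, allowed in baseline.items():
        observed = settings.get(key)
        if observed is None or observed.lower() not in allowed:
            findings.append({"setting": key, "allowed": sorted(allowed), "observed": observed})
    return findings

def evidence_record(host, config_text, baseline, when=None):
    """Build the evidence an auditor expects: control reference, host, time of
    check, hash of the artefact examined, and the outcome with any findings."""
    when = when or datetime.now(timezone.utc)
    findings = check_against_baseline(parse_sshd_config(config_text), baseline)
    return {
        "control": "ISO 27001:2022 A.8.9 configuration management",
        "host": host,
        "checked_at": when.isoformat(),
        "artefact_sha256": hashlib.sha256(config_text.encode()).hexdigest(),
        "compliant": not findings,
        "findings": findings,
    }

# Constructed sample: a captured sshd_config that has drifted from the baseline
# (password authentication re-enabled, MaxAuthTries not set at all).
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
X11Forwarding no
"""

# Constructed sample that satisfies every baseline item.
COMPLIANT_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    print(json.dumps(evidence_record("host-01", SAMPLE_CONFIG, SSHD_BASELINE), indent=2))
```

Running the same check on a schedule and keeping the records is what turns "we harden our hosts" into the documented, monitored and reviewed evidence trail the control asks for; the artefact hash lets a reviewer tie each finding back to the exact file that was examined.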

The transition challenge for IT and Cyber Security leaders

Understanding the changes is one thing. Managing the transition is another. For most IT and cyber security teams, the path from 2013 to 2022 certification involves several concurrent workstreams: gap analysis against the new controls, updating the Statement of Applicability, revising risk treatment plans, updating policies and procedures, and preparing staff for audit under the new requirements.

At the same time, the day job still needs to be completed. Incidents still happen. Projects still demand attention. Budgets still need defending. The result, for many organisations, is that the transition is delayed or delegated to team members who lack the bandwidth or specialist knowledge to execute it effectively. This is the context in which the value of a specialist MSSP and a platform partner like Vanta becomes clear.

How a specialist MSSP Partner can make the difference in achieving ISO 27001:2022

From our experience at Cyberfort helping hundreds of organisations to achieve the new ISO 27001 standard, we have found that most internal IT teams, however capable, simply do not have the time, skills or expertise to upgrade to the new standard on their own.

For example, at Cyberfort we can provide specialist knowledge across the full control set. The new Annex A controls, particularly threat intelligence, DLP, and continuous monitoring, require both technical capability and process maturity. A specialist MSSP will already have these capabilities deployed for multiple customers, meaning organisations benefit from experience that would take years to develop internally.

Continuous monitoring as a managed service: Control 8.16 requires ongoing monitoring of networks and systems. Building a credible in-house Security Operations Centre is expensive and resource-intensive. An MSSP provides this capability as a service, with 24/7 coverage, threat intelligence feeds and experienced analysts, at a fraction of the cost of a comparable internal function.

Gap analysis and transition support is needed for ISO 27001:2022. A specialist MSSP can conduct a structured gap analysis against ISO 27001:2022, identifying where current controls fall short and providing a prioritised remediation roadmap. This accelerates the transition and ensures that effort is focused where it matters most for certification.

Documentation and evidence management is one of the areas where many organisations struggle the most. During audits it is important that IT and Cyber Security teams can demonstrate that controls are not just in place but are operating effectively. An experienced MSSP helps build and maintain the evidence base (audit logs, configuration records, incident reports and review documentation) that auditors expect to see.

Supply chain security has a greater emphasis placed on it in the 2022 standard. An MSSP operating across multiple customer environments has broad visibility of supply chain risk patterns and can bring that intelligence to bear on behalf of individual customers.

Finally, achieving certification is not the end of the journey, maintaining it requires continuous attention. An MSSP provides the ongoing management that keeps controls effective, ensures policies are reviewed and updated, and prepares the organisation for surveillance audits without creating resource peaks that can overwhelm internal teams.

Implementing ISO 27001 controls with Vanta

Implementing ISO 27001 controls can seem daunting as discussed earlier in the article. But there is a way forward. At Cyberfort we have partnered with Vanta to deploy and deliver automated compliance platforms to help organisations map existing controls to the updated standard, identify gaps, and implement changes seamlessly.

From our experience at Cyberfort we have seen first-hand how Vanta’s progress tracking and views of tests and controls overlap with complementary standards like SOC 2 and GDPR, which get you closer to multi-standard compliance for a fraction of the effort. The platform’s control mapping feature simplifies understanding how your current ISMS aligns with the 2022 framework, saving time and reducing complexity. Additionally, the platform’s continuous monitoring capability ensures that new controls like cloud service security are actively maintained, reducing the risk of non-compliance.


Written by Hattie Irving – Cyberfort Security Consultant


With the UK Government’s 2025 Cyber Security Breaches Survey reporting that just 14% of UK companies have reviewed the risks posed by their immediate suppliers, and only 7% have reviewed their wider supply chain in the last 12 months, is it time organisations started taking their supply chain security risks more seriously?

At Cyberfort in recent months we have been exploring why supply chain security is still such a ‘blind spot’ for many organisations. After all, most people reading this article will know that supply chains are widely interconnected and will have some understanding of the security risks their supply chain poses. So why is this area of cyber security still not being taken seriously enough? Are supply chains too complex for organisations to map, or is supply chain security being left behind as other conflicting priorities take precedence?

In this article we explore why supply chain cyber security needs to be taken more seriously, practical actions organisations should undertake and how to mitigate supply chain compromise risks.

Dispelling the Supply Chain Security Control Myths

Let’s start with a reality check. Most organisations have direct relationships with tens or hundreds of third-party suppliers. Those suppliers have their own suppliers, and those suppliers have theirs. Across these layers of separation, an organisation’s sensitive data and critical systems are potentially exposed to thousands of companies, operating under security postures your organisation has never reviewed and cannot effectively monitor.

Unfortunately, along the way supply chain security has fallen into a ‘tick-box exercise’ trap. Many organisations build their supply chain security on a foundation of trust and verification that assumes good faith, static relationships and accurate self-reporting, rather than auditing and testing suppliers’ security controls.

But the reality is that supply chains are dynamic, interconnected and muddled. A compliance report provides a ‘point in time’ snapshot that is outdated the moment it is published. It reflects what the supplier believes to be true, not what actually is true.

From our experience at Cyberfort we have identified 5 common challenges organisations are facing when it comes to supply chain cyber security:

  • Low recognition or understanding of the risk that poor supply chain security can pose
  • Lack of investment to protect against supply chain risk
  • Limited visibility of supply chains
  • Insufficient tools and expertise to evaluate suppliers’ cyber security practices
  • Not knowing what you can ask of your suppliers

These challenges may appear easy to recognise and resolve on the surface. But the reality is, due to the complexities involved with supply chain security, the actions required to overcome them can be challenging without expert support.

Why is supply chain security a problem?

Managing supply chain security is the responsibility of all businesses. Organisations that do not consider their cyber security posture an important part of their supply chain operations are putting their customers, and potentially their wider industry, at risk of attack.

A lack of understanding of your organisation’s supply chain can leave you vulnerable to:

Software supply chain attacks – attackers undermine the security of a software system, library or product to gain access to the organisations that use it. SolarWinds is a key example: a routine patch deployed by the company spread malicious software to its customers, code that had been added to the application after SolarWinds had audited it. Any user running the infected Orion software and connected to the Internet would now be compromised.

Service provider supply chain attacks – attackers target managed service providers (MSPs) or IT infrastructure vendors to reach as many clients as possible at once. This was brought to global attention last year when M&S, Co-op and Harrods were all compromised by DragonForce, who used social engineering to undermine the security of IT helpdesk staff at Tata Consultancy Services (TCS).

Hardware supply chain attacks – malicious actors undermine the authenticity of physical components during manufacturing to gain persistence in their targeted supply chain. One of the early examples of a hardware supply chain attack is Stuxnet, a worm introduced into the network of the Iranian nuclear defence facility via infected USB drives, combining hardware and software attack methods.

So what does this tell us? Your organisation may have already been indirectly compromised without even realising it.

Even if you detect anomalous activity in your environment, determining whether it originated from your infrastructure or came through a supplier is difficult. Modern attacks are designed to blend in with legitimate traffic, leveraging authorised access and trusted relationships to avoid detection.

When supplier credentials are compromised or stolen and used to access systems, the activity looks legitimate. When malicious code is injected into a software update, your systems install it voluntarily. When a compromised supplier employee account accesses your data, all the logs show is authorised access.

This creates a detection problem that most security teams are not equipped to solve.

Compliance doesn’t equal supply chain security

One of the major reasons supply chain security remains a ‘blind spot’ for many organisations is the misconception that ‘passing a compliance audit must mean we are secure’.

ISO certifications, SOC 2 reports and supplier security questionnaires are all important and have their place. But they create the appearance of diligence without reducing risk. Compliance frameworks are minimum baselines, not security guarantees. They measure what organisations claim to do, not what they actually do. They assess controls at a point in time, not continuously. A supplier holding ISO 27001 is like a car holding a valid MoT: the car has met the minimum roadworthiness standard. It does not tell us anything about the vehicle’s performance, how it is driven or how it performs under high levels of strain. Just because it has a pass today does not mean it will still be roadworthy next week or next month.

It’s important to note that the threat landscape evolves daily. New vulnerabilities are discovered, attack techniques emerge, suppliers change their infrastructure and implement new security practices. Quite often these recent changes are not reflected in certifications your organisation reviewed during supplier onboarding.

The harsh reality is an organisation can have a fully compliant supply chain and still be compromised.

Understanding Visibility Gaps

As the UK Government’s Cyber Security Breaches Survey mentioned earlier in this article shows, most organisations have no idea what is actually happening in their supply chain. Most businesses know who their suppliers are and might know what data and services they access. But they almost certainly don’t know what their suppliers’ suppliers are doing, what subprocesses are involved, where data is actually stored, or who has access to their systems at any given moment.

You cannot defend what you cannot see. You cannot detect anomalies in relationships you don’t monitor. You cannot respond to incidents in systems you don’t understand. You cannot recover from breaches when you don’t know how deep the compromise goes.

Modern attack methods exploit this gap. They compromise the parts of your supply chain that your organisation is not watching or monitoring and move through connections you didn’t know existed.

Does your Incident Response Plan incorporate your organisation’s supply chain?

Imagine discovering a breach tomorrow. Your incident response plan leaps into action. You isolate systems, contain the damage, begin forensic analysis. You notify customers, regulators, stakeholders.

Now imagine discovering that the breach originated from a supplier. Which supplier? When did it start? What data was accessed? How many other customers of that supplier are affected? Does the supplier even know they’re compromised?

Welcome to the supply chain incident response nightmare.

Traditional incident response assumes you control the compromised infrastructure. But in supply chain attacks, the initial compromise happened somewhere else, possibly weeks or months ago, in systems you don’t own, can’t access, and may not even know about.

Your ability to contain the breach depends on a third party’s ability to detect it, understand it, and respond to it. Your timeline for notification is limited by how long it takes the supplier to realise they’re the source. Your recovery depends on trusting that the supplier has fully remediated their systems before you re-establish the connection.

This is not a position you want to be in.

Do you know what your organisation can ask of its suppliers?

Supplier assessment can easily be overcomplicated. At Cyberfort we suggest you start small and map your suppliers out, including software vendors, cloud services and anyone who has access to your data. From there, rank them by criticality to your operations: who has the most access, who handles the most sensitive data, and which suppliers your business cannot survive without.

Once you’ve got a comprehensive list of your suppliers, track their answers to the following questions to better understand your supply chain security.

  • Do you have ISO 27001 or Cyber Essentials certification?
  • Have you had a data breach, and if so, when and what happened?
  • How do you train your staff on security?
  • Have you assessed your suppliers’ security?
  • How is access to data controlled within your organisation?
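The mapping and ranking steps above, and the questionnaire answers they feed, can be kept in a simple register rather than a spreadsheet nobody revisits. The following is an added example, not Cyberfort tooling: it scores each supplier's criticality from its access level, the sensitivity of the data it handles and how dependent the business is on it, records answers to the questions listed above, and flags unanswered questions and questionnaires that are due for re-review. The supplier names, the scoring weights and the 12-month review interval are assumptions made for illustration.

```python
"""Added example: a minimal supplier risk register that ranks suppliers by
criticality and tracks questionnaire answers. Supplier names, scoring weights
and the review interval are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The questions from the article, keyed so answers can be tracked per supplier.
QUESTIONS = {
    "certified": "Do you have ISO 27001 or Cyber Essentials certification?",
    "breach_history": "Have you had a data breach, when and what happened?",
    "staff_training": "How do you train your staff on security?",
    "assesses_own_suppliers": "Have you assessed your suppliers' security?",
    "access_control": "How is access to data controlled within your organisation?",
}

@dataclass
class Supplier:
    name: str
    access_level: int       # 0 none .. 3 privileged access to internal systems
    data_sensitivity: int   # 0 public .. 3 regulated or highly confidential
    dependency: int         # 0 easily replaced .. 3 business cannot run without it
    answers: Dict[str, str] = field(default_factory=dict)  # question key -> answer
    last_reviewed: Optional[date] = None

    def criticality(self) -> int:
        """Weighted score used for ranking. Access is weighted double because,
        as the article notes, activity through compromised supplier access
        looks legitimate in your own logs."""
        return 2 * self.access_level + self.data_sensitivity + self.dependency

def unanswered(supplier: Supplier) -> List[str]:
    """Questionnaire items the supplier has not answered yet."""
    return [key for key in QUESTIONS if key not in supplier.answers]

def review_due(supplier: Supplier, today: date,
               interval: timedelta = timedelta(days=365)) -> bool:
    """A questionnaire is a point-in-time snapshot, so flag it for re-review
    once the interval has elapsed, or if it was never reviewed at all."""
    return supplier.last_reviewed is None or today - supplier.last_reviewed >= interval

def prioritise(suppliers: List[Supplier], today: date) -> List[dict]:
    """Rank suppliers with the highest criticality first and attach follow-ups."""
    ranked = sorted(suppliers, key=lambda s: s.criticality(), reverse=True)
    return [
        {
            "supplier": s.name,
            "criticality": s.criticality(),
            "unanswered": unanswered(s),
            "review_due": review_due(s, today),
        }
        for s in ranked
    ]

# Constructed sample register and reporting date.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Payroll SaaS", access_level=2, data_sensitivity=3, dependency=2,
             answers={"certified": "ISO 27001", "breach_history": "None disclosed",
                      "staff_training": "Annual e-learning",
                      "assesses_own_suppliers": "Yes",
                      "access_control": "Role-based access with MFA"},
             last_reviewed=date(2025, 1, 15)),
    Supplier("Managed IT helpdesk", access_level=3, data_sensitivity=2, dependency=3,
             answers={"certified": "Cyber Essentials"},
             last_reviewed=date(2024, 2, 1)),
    Supplier("Office stationery", access_level=0, data_sensitivity=0, dependency=0),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_SUPPLIERS, SAMPLE_TODAY):
        print(row)
```

The ranking puts the helpdesk provider, which holds privileged access and has answered only one question, ahead of the payroll provider that handles more sensitive data but has a complete and recent questionnaire. That is the practical point of ranking by criticality first: follow-up effort goes to the suppliers whose compromise would hurt most, and the review date stops a one-off questionnaire from being treated as permanent assurance.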

How can you use your suppliers’ answers to better protect your business?

Once you have established your suppliers’ security posture and understand what they do to protect themselves, you can begin to think about how to better protect your organisation.

Stress testing – test your suppliers’ security measures through tabletop and live exercises. Use simulations of low and high impact events to understand the limitations of your incident management process.

Incident and crisis management – Establish an effective incident management process to improve business resilience, support business continuity and reduce financial impact.

  • Ensure you have an agreed incident management process with your suppliers.
  • Run a crisis simulation exercise to model supply chain compromise and work through the initial steps your organisation would undertake.
  • Be prepared to provide support and assistance to suppliers where security incidents have the potential to impact your organisation or the wider supply chain.
  • Share information with suppliers to help prevent them falling victim to cyber-attacks.

Be aware of your horizon – changes in the types of cyber threat you are experiencing, in vulnerabilities, best practices and technology may impact your supply chain security. Be aware of changes in geopolitics and the economy which may impact your business and its overarching supply chain security. Consider undertaking a threat modelling session to understand your key threats and how they may materialise for your business.

Ensure contracts have clauses that enforce high cyber security standards for suppliers. Any supplier with access to your company data should be compliant with your defined cyber security standards.

Consider cyber security insurance to work in parallel with your protective measures. If the worst-case scenario does happen, insurance will cover ongoing business costs that arise from dealing with a breach.


Written by Declan Thorpe – Cyberfort Information Security Consultant


Cyber incidents rarely begin with a clear warning. Most start with small signals: a login that doesn’t fit a pattern, a process running where it shouldn’t, a connection that looks out of place. The organisations that spot these signals early tend to have more options, more time and more control over what happens next.

The incident Co-op faced in April 2025 highlighted this reality. Public reporting shows that the organisation acted early, intervening before the attackers were able to move deeper into systems or attempt more damaging activity. Early intervention of this kind usually reflects an ability to recognise unusual activity quickly and understand enough about the situation to respond with confidence.

In a year marked by several high-profile retail cyber incidents, Co-op’s response stood out for its steadiness. The organisation acted early, demonstrating the value of understanding your environment well enough to recognise when something is out of place and intervene before the situation grows. The incident reinforced that visibility is more than a technical concept; it is a practical enabler of timely, confident decision-making that can meaningfully influence the trajectory of an incident.

A quick look at what happened

Co-op experienced a cyber-attack that resulted in unauthorised access to personal data belonging to a very large number of its members. Public reporting linked the activity to the known threat actor group DragonForce. While the attackers were able to copy certain data, they were prevented from moving deeper into systems or deploying destructive tools.

Co-op’s leadership later explained that the organisation had clear visibility of the attackers’ activity, describing it as being able to “see every mouse click.” That level of insight, based on what was publicly shared, helped the organisation understand what the attackers had accessed and how far the intrusion had progressed. This clarity supported the investigation and allowed decisions to be made based on observable activity rather than assumptions.

Even with early detection and containment, the attack created operational challenges. Stores experienced stock shortages, some customers encountered payment issues, and the organisation reported a noticeable financial impact. Additional one-off costs were incurred as part of the response and recovery effort.

Despite this, the outcome could have been significantly more severe. Early insight into the intrusion helped prevent escalation, reduce uncertainty and support a more controlled response. It also highlighted the value of understanding what is happening inside an environment before the situation accelerates.

Why this was really a story about visibility and early detection

The Co-op incident illustrated how much difference early detection makes during a cyber-attack. Many organisations focus on recovery, but this case highlighted the decisions that come before recovery even begins: the moment when something unusual is first noticed and teams need to decide what to do next.

Several practical realities became clearer.

Early detection gives organisations more time and more options

Spotting unusual activity early allows teams to intervene before attackers escalate their access or attempt more damaging actions. Time is one of the most valuable assets during an incident, and early detection effectively creates more of it.

Visibility doesn’t require a large budget

A fully staffed SOC is valuable, but not every organisation can afford one. What matters most is understanding your assets, knowing what “normal” looks like and having monitoring in place that highlights meaningful deviations. These fundamentals are achievable for organisations of all sizes.

Informed decisions depend on knowing your environment

When teams understand their systems, dependencies and typical behaviour, they can interpret signals more accurately and avoid acting on assumptions. Visibility supports clarity, and clarity supports better decisions.

Containment is most effective when guided by insight

Containment works best when teams know what the attacker has done and what they haven’t. That clarity comes from visibility, not guesswork. Early insight helps teams act with precision rather than disruption.

The incident showed that visibility is not just a technical capability; it is a foundation for better decision-making. When organisations understand what is happening early, they can respond with greater confidence and reduce the likelihood of a wider operational crisis.

What Organisations Can Learn and Apply Right Now

Incidents like the one Co-op experienced highlight how important it is for organisations to understand what is happening inside their environment before an intrusion has the chance to escalate. The lessons are not unique to retail; they apply across sectors, especially where operations and customer-facing systems depend on accurate, timely insight.

The following areas stand out.

Know Your Assets

You cannot detect what you cannot see. Organisations benefit from:

  • a clear, current view of their systems
  • understanding which assets matter most
  • awareness of where sensitive data lives
  • visibility of external facing services

Asset visibility is the foundation on which detection capability is built: if you don’t know what is in your environment, you don’t know what you are protecting. It reduces blind spots and helps teams recognise when something is out of place.

Monitor What Matters

Monitoring does not need to be complex or expensive. What matters is:

  • logging activity from key systems
  • watching for unusual authentication patterns
  • tracking changes to critical configurations
  • alerting on deviations from expected behaviour

Even basic monitoring can surface early signals that something is wrong.
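To show what "watching for unusual authentication patterns" and "alerting on deviations from expected behaviour" look like at the basic level the article argues for, here is an added example that is not Co-op's or Cyberfort's tooling. It takes a stated picture of normal for each account (known source addresses and usual working hours), reads constructed authentication log lines, and raises alerts for a success that follows a burst of failures, a success from an address the account has not used before, a success outside the account's usual hours, and a success for an account with no baseline at all. The log format, user names, addresses, hours and the five-failure threshold are assumptions made for illustration.

```python
"""Added example: authentication-pattern checks over constructed log lines,
turning a per-user picture of 'normal' into alerts. Log format, users,
addresses, hours and the failure threshold are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> auth <success|failure> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# What "normal" looks like per user: known source addresses and usual hours.
# In practice this is built from history; here it is a constructed baseline.
BASELINE = {
    "alice": {"sources": {"10.0.1.20"}, "hours": range(7, 20)},
    "svc-backup": {"sources": {"10.0.9.5"}, "hours": range(0, 24)},
}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def detect(lines, baseline, failure_threshold=5):
    """Return (kind, user, src, detail) alerts for four deviations from normal:
    a success after a burst of failures from the same source, a success for a
    user with no baseline, a success from a source not in the user's baseline,
    and a success outside the user's usual hours."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> failures since the last success
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed lines are skipped rather than miscounted
        key = (event["user"], event["src"])
        if event["result"] == "failure":
            failures[key] += 1
            continue
        if failures[key] >= failure_threshold:
            alerts.append(("success_after_failures", event["user"], event["src"], failures[key]))
        failures[key] = 0
        profile = baseline.get(event["user"])
        if profile is None:
            alerts.append(("unknown_user", event["user"], event["src"], None))
            continue
        if event["src"] not in profile["sources"]:
            alerts.append(("new_source", event["user"], event["src"], None))
        if event["ts"].hour not in profile["hours"]:
            alerts.append(("off_hours", event["user"], event["src"], event["ts"].hour))
    return alerts

# Constructed sample log: six failures then a success for alice from an address
# not in her baseline at 02:10, routine activity, and a user with no baseline.
SAMPLE_LOG = [
    f"2025-04-22T02:0{i}:00 auth failure user=alice src=203.0.113.7" for i in range(6)
] + [
    "2025-04-22T02:10:00 auth success user=alice src=203.0.113.7",
    "2025-04-22T03:00:00 auth success user=svc-backup src=10.0.9.5",
    "2025-04-22T09:15:00 auth success user=alice src=10.0.1.20",
    "2025-04-22T09:20:00 auth success user=bob src=10.0.1.44",
    "this line is malformed and is skipped by the parser",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

The single 02:10 login for alice produces three alerts at once (success after failures, new source, off hours), which is the kind of stacked signal worth an immediate look, while the backup service account logging in at 03:00 from its usual address produces none because that is its normal. The checks are only as good as the baseline and the asset list behind it, which is why the article puts knowing your assets ahead of monitoring them.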

Establish Clear Escalation Paths

Early detection only helps if teams know what to do next. Organisations benefit from:

  • simple, well understood escalation routes
  • clarity on who investigates alerts
  • thresholds for when to act
  • confidence that raising a concern is the right thing to do

This turns visibility into action. It ensures that when something unusual is spotted, it does not sit unnoticed or unaddressed.

Use Early Insight to Guide Containment

Containment is most effective when informed by what you can see. Early insight helps teams:

  • isolate affected systems
  • prevent escalation
  • avoid unnecessary disruption
  • focus recovery efforts where they matter most

This is where visibility directly shapes the outcome. It allows containment to be targeted rather than broad, controlled rather than reactive.

Build Recovery on a Verified Safe Place

Recovery is easier and safer when systems remain intact and the organisation has a clear view of the intrusion. Early detection helps preserve the conditions needed for:

  • restoring from trusted backups
  • validating system integrity
  • reintroducing services safely
  • avoiding reinfection

Safe recovery starts with early insight. When organisations understand what has happened, they can restore services with greater confidence and predictability.

Treat Visibility as a Resilience Capability

Visibility is not just a technical feature; it is a foundation for resilience. It enables:

  • earlier intervention
  • clearer decision-making
  • more accurate scoping
  • safer recovery
  • reduced operational impact

Organisations that invest in visibility are better positioned to respond calmly and effectively when the unexpected happens. It is a capability that supports every stage of an incident, from detection to containment to recovery.
