Cyber Fitness: A new approach to supply chain cyber risk management

While we’re great at helping small businesses do the right thing and giving big customers unique insights into their supply chain cyber risk, we’ve been bad at keeping everyone up-to-date as things have progressed 😯. Today we’re going to shine some light on what we’ve been working on and explain how it will be driving us forward.

Since our founding in 2018, we’ve been on a mission to help as many business owners as possible prevent a cyber incident from being the worst day of their lives. We’ve been fortunate to work with more than a thousand businesses right across Australia, growing and evolving with them every step of the way. Over the years, we’ve transformed our Cyber Fitness Platform into simply the best way to help a small business become cyber resilient. For larger businesses, tracking their progress against a variety of security standards such as Essential 8, ISO27001 etc can be an administrative nightmare. With Cynch, it can be done with a click of a button.

Working with our amazing Enterprise partners we’ve built the Cynch Partner Portal, a supply chain vendor reporting tool that does away with point-in-time assessments and brings unique insights into how your suppliers are progressing individually, in aggregate, and on a day-by-day basis.

 

Bringing small business cyber risk out of the darkness

Everyone who wades into the challenging space of small business cyber security is immediately struck with the massive gap in understanding what the cyber risks truly are. The Cynch Cyber Fitness Platform was built from the ground up to tackle this problem head-on and has grown to track cyber risk across 1,700+ technologies and provide business operators with access to more than 8,000+ plain language recommended actions.

In the past couple of years, we’ve built up this core capability by aligning our guidance to an ever-growing catalogue of industry standards as well as tailor-made programs designed to help businesses quickly get across their obligations in various settings. For example, Cynch members can now instantly see how their efforts are aligned with standards such as the Essential 8, ISO 27001, PCI-DSS, APRA’s CPS-234 and many more. We’ve aligned to so many standards and frameworks recently that OpenAI is considering using us to avoid an AI apocalypse 😆.

Thank god for you guys, you are angels.
— Actual Supplier Quote

These standards are typically overwhelming and confronting to the unfamiliar, so we’ve also developed a range of Cyber Fitness Programs to introduce core concepts and guide businesses towards best practice without the never-ending scroll of a spreadsheet full of control statements. Our Critical Resilience for Critical Infrastructure cyber fitness program, aligned to SoCI obligations, and our Australian Defence Supplier cyber fitness program, aligned to DISP, have been receiving rave reviews from those working through them since their release.

 

We want every business to have a way to meet these obligations, so going forward any business with an active Cynch membership will have full access to every compliance report and cyber fitness program in our platform.

 

Explaining compliance obligations in a relevant, plain-language manner has dramatically improved the quality of assessments captured through the Cynch Cyber Fitness Platform. Yet for many larger organisations simple attestation-based responses have remained a barrier to broader acceptance. To address this, we’ve introduced validated actions. Validated actions align the assessment guidance methodology guidance from the Australian Signals Directorate (ASD), marking actions as validated only if they have been tested by a suitable mechanism. Active Cynch members already have many actions validated through our automated scanning, and external assessments or audits can now also be used to increase confidence in the efforts our members are taking. For small businesses not yet ready to engage an external auditor yet, our Cyber Fitness coaches can now check the actions you’ve taken and mark them as validated in the platform and reports.

Action validation is already active in the Cyber Fitness Platform and is also available to all active members. Users of our Partner Portal can also now see the validation level across their suppliers. This flexible approach has already made it possible for dozens of businesses that were previously scoring zero on their security questionnaires through other vendors to not just meet but exceed the level necessary to work with our supply chain partners.

Being unable to understand or complete a security questionnaire shouldn’t be a barrier to closing an enterprise deal, so we’re also switching to an unlimited licence model for all of our Partner Portal arrangements. If you sign on as a Cynch Supply Chain Partner, every single one of your suppliers now has complete access to our Cyber Fitness Platform. You’ll be giving them the gift of Cyber Fitness and in return, you’ll gain unprecedented insight into the improved security posture of the suppliers you rely on.

 

Creating a Cyber Time Machine

Time is the one thing every business needs. There’s just never enough of it. The running joke at Cynch is that every problem could be solved if we just had a time machine. The next best thing to being able to control time is making sure we are getting the most out of what little we have.

We reviewed over 12,000 threat intelligence items over 2023, identifying just 73 items worthy of notifying our subscribers about. The time it takes to stay across such a rapidly changing landscape is well beyond the reach of most teams, but the changes we’ve implemented recently continue to enable us to keep pace. In most instances we’re notifying impacted customers within minutes of an issue being identified. Not only does this remove the need for our subscribers to spend time staying across things, but it also reduces the time it takes for a vulnerability to be treated. It’s not uncommon for our Cyber Fitness Platform members to have been notified of a critical patch, and have it deployed, before the ACSC have posted a bulletin to cyber.gov.au.

We’ve started to extend this analysis work to not just monitor for active threats that need action, but also ways to remove the need for our users to manually mark an action as completed. Auto-completion of actions draws on our growing corpus of knowledge around the technologies our members are using, marking them as completed where we can confidently attest on a business’s behalf. Mandated controls, such as MFA enforcement within Xero, as well as detectable versions of software like WordPress, allow us to instantly close off an item for our subscribers, enabling them instead to spend their time working on things that require their attention. As we close these actions off, we also automatically record evidence and reward our members with a validated outcome, allowing them to give their partners even greater confidence in their Cyber Fitness scores.

These intelligent automations have allowed us to dramatically reduce the time it takes to gain insight into the Cyber Fitness of an organisation. Today, through a combination of automation and short simple exercises, we can provide a Cyber Fitness Baseline assessment of any business within 15 minutes of signing up. Completing a similar assessment as part of a procurement process utilising other cyber assurance tools typically takes weeks, if not months, causing pain for everyone involved. This baseline assessment is designed to give all parties the confidence to move ahead with a shared understanding of the cyber risks a supplier may be carrying and come to a mutual understanding of how they will be resolved. This doesn’t remove the need for a supplier to get their act together, but does allow them to work on it over time, while other aspects of contract negotiation continue. Our Partner Portal users can see progress daily and can use this visibility to set and manage expectations at any point in time. The result: vendor security assessments are no longer on the critical path for procurement, potentially removing months of agony and frustration from the end-to-end process.

 

To help with all of this, we’ve introduced a raft of new planning capabilities into the platform. Cyber Fitness Platform users can now set a planned date for recommended actions as well as assign them to individual team members to run with. Actions scheduled to reset periodically (e.g. regular vulnerability scans and security patching) are also automatically assigned a due date, giving businesses to see what’s coming and stay on top of things. Plans can be exported and used as the basis of agreements between suppliers and their clients after an initial procurement phase is completed.

Cyber Fitness isn’t ‘set and forget’ but the Cynch Cyber Fitness Platform continues to make it achievable and sustainable for every business.

 

Removing the Limits

Our pricing has always been focused on ensuring cost isn’t a barrier to Cyber Fitness for any business. We’ve offered a free plan from the start to small businesses, and paid plans for as little as $29/month. As our focus has shifted towards supporting supply chains, these plans have led to confusion and at times frustration amongst our enterprise partner portal users and Cyber Fitness Platform subscribers alike. After many beers and soul searching, we’ve decided to overhaul our pricing approach to simplify everything into a single paid Cyber Fitness membership.

Here’s how access to Cynch works from today:

  • New Cynch members (signing up directly and not through a Partner Portal arrangement) will have no limits and fully-featured access to our platform for 14 days. Enough time to establish a Cyber Fitness Baseline and address the issues burning most ferociously.

  • After 14 days, Cynch membership will cost $149/month.

  • Startups, Sole Traders and Not-for-profits will have access to heavily discounted pricing. (contact us to learn more)

  • Existing members on the Starter and Standard plans will be given full access to our platform at their existing price point for as long as their membership stays active.

  • Premium members will continue to have access to our Cyber Fitness coaching (otherwise now available for an additional $500 a month) and prioritised support.

 

All active Cynch members now have access to all features. Everything mentioned above, as well as so much more.

It’s also worth repeating the massive changes to our Partner Portal subscriptions, removing charges attached to the number of connected suppliers. Partner Portal subscriptions are now linked to the capabilities that make sense for each Partner organisation.

This means that most of our subscribers will now have complete access to Cynch simply by entering into a contract with a customer who cares. If your business is invited to the Cynch platform by one of our Partner Portal subscribers, your access will be gifted to you for as long as the relationship lasts. Don’t have an invitation yet? Consider applying for a tender with one of our growing list of partners, or referring your existing ones to us so we can get them set up.

2024 is looking to be a huge year for the Australian small business and cyber ecosystems and Cynch is here to make it Cyber Fit. 💪

Want to explore this entirely new way of managing your supply chain risk? Get in contact here today.

Susie Jones