In 2021, cybersecurity has continued to be a major source of investment across all industries. The cyber threat is complex and constantly changing, and a number of high-profile cyber-attacks in 2020 and 2021 demonstrate the need for companies of all sizes to shore up their defenses and face the challenges posed by cyber attackers.
Authors: Greg Tomchick, CEO & Jeff White, Chief Security Officer
But which area of risk do companies most often fall down on? Weak cybersecurity in supply chains and lax third-party risk management. Like many facets of cybersecurity, third-party risk management is both crucial and subject to frequent change. Achieving high maturity and a stable, resilient security posture is the chief concern of today's CISO and enterprise security team.
“Supply chain risk management is the future of the business world. With connectivity continuing to rise on a daily basis, these cyber risks could take down entire supply chains in a matter of seconds.”
Why is third party risk management important?
While many companies take internal cybersecurity seriously, the cybersecurity procedures of the vendors with whom they do business every day are often overlooked.
It is often the risk posed by third parties and subcontractors that is particularly problematic across all industries, especially in sensitive sectors such as defense, pharmaceuticals and oil & gas. These sectors are characterized by a supply chain consisting of larger companies with the capability to secure themselves and numerous SMEs that face a disproportionate cybersecurity challenge compared to their larger counterparts.
Whether a larger company likes it or not, third-party contractors are often the first line of defense, or else the first target. Whether an organization hires a third-party risk assessor or undertakes its own assessment, it is vital that it knows the risk profile of the companies it interacts with.
The 10-person shop that only makes a small component in a much larger supply chain is not going to have the same resources to defend against persistent attackers. However, because that small manufacturer takes orders from a larger entity, there is inherent trust between the two, which raises the success rate of spear-phishing attempts and, if the two companies' networks are connected, of lateral movement from one into the other.
Collective defense is one of the largest and least well-tackled problems right now. The aggregate vulnerability created by the vendor relationships required to manufacture products and deliver services is a huge concern.
Larger corporations can build capable defenses against everything but the most determined adversary. Unfortunately, these capabilities break down because of the extended and complicated supply chains and relationships now required to conduct business. Cyber attackers have always sought the path of least resistance to their targets; as the primary targets got better at cyber defense, the attackers simply moved on to the second-order providers.
Expert Insights and Closing
Valor third-party risk expert Jeff White continually says that in ensuring data security in a third-party setting, somewhat at the network's periphery, understanding where your data resides is a significant first step.
He said, “In addition to the data that you control, which of your third parties – including vendors, subsidiaries, service providers, joint marketing partners, call centers, and cloud providers – have access to sensitive data?”
White said that in addressing network gaps, the identification process continues: who has access to your data, your facilities, or even your network? He advocated “due diligence” on each of the third-party controls, developing a closed-loop process with the third-party ecosystem and embracing the more modern approach of continuous visibility into a third party's security posture.
He continued: “It’s your fault for not having adequate controls. And the single easiest third-party control is around onboarding and off-boarding third-party accounts.”
Even if you’re rotating passwords, monitoring privileged access, auditing, etc., White said you must know, empirically, who’s accessing your network.
White said that one major issue surrounding third-party access is shared accounts. That is, when several outside contractors access enterprise data, they are all logging in with the same account.
“The way to get around that, is to institute named accounts for vendors with third-party access. Have onboarding and off-boarding be both a legal agreement and a well-thought-out process. If an employee at a third-party organization leaves, or is suspended, their access should be immediately revoked.”
White continued: “The bottom line is, if somebody leaves, the account should not work any longer on third-party networks to which that account had access – especially if he/she was terminated for cause.”
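The onboarding and off-boarding control White describes can be checked mechanically: keep a roster of named vendor accounts (who the person is, which vendor, when the contract ends, when the vendor told you the person left) and reconcile it against your directory and your authentication log. The script below is an added example written for this page; it is not code from the article, Valor or any vendor product. The roster, the log lines and the log line format are all constructed, and the shared-account heuristic (one account logging in from more than two distinct sources) is an assumption rather than a standard.

```python
"""Reconcile third-party accounts against a vendor roster (added example).

Findings it produces:
  offboarded_still_enabled  vendor reported the person left, account still enabled
  offboarded_login          successful login on/after the reported leaving date
  contract_expired          enabled account whose contract end date has passed
  no_named_owner            enabled account with nobody individually accountable
  shared_account_signal     one account logging in from many sources (heuristic)
  unknown_account           successful login by an account not on the roster
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set


@dataclass
class VendorAccount:
    username: str
    vendor: str
    person: Optional[str]               # None: no single named person behind it
    contract_end: date
    offboarded: Optional[date] = None   # date the vendor said this person left
    enabled: bool = True                # current state in our directory


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    src: str
    success: bool


# Hypothetical vendor roster, constructed for this example.
ROSTER = [
    VendorAccount("acme-jdoe", "Acme", "J. Doe", date(2022, 3, 31)),
    VendorAccount("acme-rsmith", "Acme", "R. Smith", date(2022, 3, 31),
                  offboarded=date(2021, 9, 10)),          # left, never disabled
    VendorAccount("globex-ops", "Globex", None, date(2021, 6, 30)),  # shared, expired
    VendorAccount("initech-pkim", "Initech", "P. Kim", date(2021, 12, 31),
                  offboarded=date(2021, 8, 1), enabled=False),  # off-boarded correctly
]

# Constructed authentication log; the line format is an assumption.
AUTH_LOG = """\
2021-09-14T08:02:11Z LOGIN user=acme-jdoe src=203.0.113.10 result=success
2021-09-14T08:05:42Z LOGIN user=acme-rsmith src=203.0.113.11 result=success
2021-09-14T09:10:03Z LOGIN user=globex-ops src=198.51.100.7 result=success
2021-09-14T09:10:45Z LOGIN user=globex-ops src=198.51.100.8 result=success
2021-09-14T09:12:19Z LOGIN user=globex-ops src=198.51.100.9 result=success
2021-09-14T11:30:00Z LOGIN user=svc-backup src=192.0.2.5 result=success
2021-09-14T12:00:00Z LOGIN user=initech-pkim src=192.0.2.20 result=failure
"""

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")


def parse_auth_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        ts_dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(ts_dt, user, src, result == "success"))
    return events


def reconcile(roster: List[VendorAccount], events: List[LoginEvent],
              today: date, max_sources: int = 2) -> Dict[str, List[str]]:
    """Compare roster state and login activity; return sorted findings per category."""
    by_name = {a.username: a for a in roster}
    findings: Dict[str, Set[str]] = {k: set() for k in (
        "offboarded_still_enabled", "offboarded_login", "contract_expired",
        "no_named_owner", "shared_account_signal", "unknown_account")}

    # Roster-only checks: the directory should already reflect these.
    for a in roster:
        if a.offboarded and a.enabled:
            findings["offboarded_still_enabled"].add(a.username)
        if a.enabled and a.contract_end < today:
            findings["contract_expired"].add(a.username)
        if a.enabled and a.person is None:
            findings["no_named_owner"].add(a.username)

    # Log-driven checks: what actually authenticated.
    sources: Dict[str, Set[str]] = {}
    for e in events:
        if not e.success:
            continue
        a = by_name.get(e.user)
        if a is None:
            findings["unknown_account"].add(e.user)
            continue
        if a.offboarded and e.ts.date() >= a.offboarded:
            findings["offboarded_login"].add(e.user)
        sources.setdefault(e.user, set()).add(e.src)
    for user, srcs in sources.items():
        if len(srcs) > max_sources:       # heuristic for a shared credential
            findings["shared_account_signal"].add(user)

    return {k: sorted(v) for k, v in findings.items()}


def run_example() -> Dict[str, List[str]]:
    return reconcile(ROSTER, parse_auth_log(AUTH_LOG), date(2021, 9, 15))


if __name__ == "__main__":
    for category, users in run_example().items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Run as-is it reports acme-rsmith as both still enabled and still logging in after the vendor said the person left, globex-ops as expired, ownerless and used from three sources, and svc-backup as an account nobody on the roster vouches for. The roster-side findings are the ones the off-boarding agreement with the vendor should prevent; the log-side findings are the "know, empirically, who's accessing your network" check. The source-count heuristic only hints at sharing; the durable fix is the named-account policy itself.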
Upon a third-party breach, a capable organization would identify the compromised accounts, lock them down and limit the damage that end users sustain. Today's privacy environment also introduces a type of risk beyond the traditional vectors: while security incidents and financial loss are traditionally viewed as the high risks of a breach, data privacy risk further increases the criticality of adequate vendor and third-party management.
If you enjoy diving deep into the intricacies of Third Party Risk Management, we would love to continue the conversation. Contact firstname.lastname@example.org.
Until next time.