87 years ago, on April 18th 1930, during the BBC 20:45 hours news bulletin, the newsreader said that there was no news and they just played instrumental piano music for fifteen minutes! While this was a relief for the world then, in current-day cybersecurity, no news isn’t necessarily good news. Often, lower activity with respect to hacks or breaches could make organizations complacent. This illusion of “a sense of security” clouds objectivity and that is often the attitude that generates the much dreaded “news”.
Third-party cybersecurity can often be perceived like this news bulletin, where the absence of "news" fuels complacency. The recent SolarWinds hack has suddenly brought third-party cybersecurity under the spotlight. While this attack is being touted as one of the more elaborately planned and sophisticated cyberattacks of modern times, it is not going to be the last and it certainly wasn't the first. This pillar of Enterprise Cybersecurity Strategy has perennially been a blind spot. With digitisation, supply chains are becoming complex global networks with sub-networks, no longer just linear transactions. When the Global Supply Chain Management Software Market is poised to grow at a projected 11% CAGR over the next five years, why are we struggling to build resistance to cyberattacks?
Supply chain attacks happen as a result of:
1) Digitisation and cloud adoption, together with the increased use of SaaS applications, are blurring the perimeter, making an organization's external environment an easier target.
2) Unmonitored remote access with unnecessary privileges granted to third-party vendors and service providers, specifically in this remote working environment. Contracts drafted without security-first policies for the hired third-party vendor, and weaknesses such as the lack of a robust access control procedure, credential sharing, improper network segregation and unpatched systems, are also sources of backdoor entry.
3) Leaked PII, which is tactically used to craft social engineering or targeted attacks on contractors.
In a tightly linked digital world, third parties access companies' systems and resources. These links are so inherent to everyday use that most of them are hardly accounted for as third parties in the business inventory. The average organization uses nearly 6000 third-party SaaS applications to simplify business functions ranging from prospect and client management to handling accounts. This is efficient in both time and money, but leveraging SaaS applications also grants (often unsupervised) access to your data. The fact that sensitive data is being (recklessly) shared with third, fourth and nth parties is no longer news, and it will be leveraged against your business unless you take appropriate measures.
While even a few decades back third-party risk management revolved only around physical security, today it has evolved to encompass a supplier's overall presence, including cybersecurity. As businesses began appreciating how integral their suppliers' cybersecurity was to their own, the use of software to ask relevant questions boomed, making spreadsheets the de facto standard for TPRM. This was the first wave in TPRM, where analysts manually entered details such as data inventories, vendor contacts and ratings, compliance issues, updates, regulations, requirements, and more. With time, this first wave of TPRM magnified the loopholes in a human-dependent, time-consuming process. Additionally, because these questionnaires are self-assessments, businesses cannot trust the veracity of the answers at face value. The painstaking and labor-intensive questionnaires needed a supplement.
Automating TPRM not only saves hours of work but also ensures that due dates and reminders aren't missed. This was the second wave. Automated outside-in assessments, supporting the exhaustive traditional first wave, provided faster albeit limited analyses of third-party risk. They digitized the assessment of user authentication (password policies, access control processes, and support for multi-factor authentication), logging and auditing, data center security, vulnerability and patch management, and a lot more. Organisations quickly adopted these methods to know their nth parties' cyber risk posture, yet this vector remained one of the most-used attack points throughout the last decade, accounting for over half of all data breaches in the U.S. alone! Brands as large and reputed as Marriott, Adobe, General Electric, and P&N Bank have been breached through their third parties. What is amiss?
The solution is in the third wave of TPRM
Industries need to take charge of their cybersecurity with all their might and cannot merely use 'hope' as a strategy! Rather than rueing poor third-party cyber hygiene and accepting vendors as their friendly dark web, enterprises should start treating them as a part of their Enterprise Cybersecurity Strategy and not as a separate entity.
They must take concrete steps: firstly, know where they stand by measuring their third-party related risks; secondly, the deployed solutions should run continuous third-party risk assessments with real-time feedback irrespective of the business' environment, whether on-premises, hybrid or on-cloud.
The third wave of TPRM should include questionnaires, automation and integration, with all the assessments present under a single umbrella and performed in real time. In an environment where the NVD database itself updates twice in one day, a point-in-time analysis is as good as no analysis at all!
Deployment-less, automated risk assessment for vendor cybersecurity will be possible only when enterprises begin assessing their associated third-party suppliers' inside-out risk postures along with outside-in assessments. In other words, it will include a continuous assessment of not only the employees of the third-party business but also the multiple software (SaaS) configurations leveraged by the nth party. When cybersecurity assessments begin spanning the people, processes and technology in their internal environment, then and only then will an enterprise have transparent, 360° cyber risk visibility of its nth-party 'web', in the truest sense of the word.
"I wish it need not have happened in my time," said Frodo. "So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us." ― J.R.R. Tolkien, The Fellowship of the Ring.
Views are personal. The author is Co-founder & CEO, Safe Security.