CYBER RESILIENCE

Do you know your weakest link?

Understanding third-party cyber risk
The Department of Homeland Security recently released an alert warning about active threats targeting managed service providers (MSPs). The number of organizations using MSPs has grown significantly over recent years, according to the alert, which warned that threat actors have been using various tactics and techniques for the purposes of cyber espionage and intellectual property theft since May 2016.
Cyber adversaries are innovative, organized, and relentless in finding new ways to infiltrate, corrupt and weaponize whatever touches the internet – often bit by bit. An increasingly prevalent strategy is for attackers to divide targets into two groups: the intended targets and potential staging targets – third-party organizations including vendors, suppliers, and industry websites.
Divide and (unfortunately) conquer
Rather than simply going straight after the larger, and often better protected, intended target, adversaries worm their way into that organization’s supply chain, using smaller, less secure trusted partners and suppliers to gather intelligence and set traps.
When it comes to MSPs, the attackers appear to be casting a wide net. Large firms in a range of sectors rely on MSPs to carry out security and technology operations, generally at a lower cost. Given the increasingly important role that MSPs play in supporting business processes and operations in today’s business environment, a threat affecting one entity can have cascading effects across many sectors.
By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.
Building resilience against systemic risks
The 2008 financial crash highlighted the extent to which, in a deeply interconnected world, stresses and shocks propagate across systems in ways that evade forecasting. Since then, the web of connectivity has increased as companies have looked to outsource ever greater parts of their business. WIRED’s cover story, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History” by Andy Greenberg offers a chilling insight into the impact a single piece of code can have on complex and interconnected corporations around the globe.
“Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”
The systemic nature of cyber risk has not gone unnoticed by regulators all over the world who are pushing to hold more companies accountable for cybersecurity across their ecosystem, including contractors, third-party vendors and affiliates, particularly as it relates to data protection and privacy.
Looking beyond your IT security defenses
When considering security options to strengthen third-party risk defences, areas of focus should include: requiring service providers to connect through VPNs that you monitor whenever they access local networks; using access control lists and firewalls to protect and segment networks; and keeping tabs on third-party account credentials.
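One concrete way to "keep tabs" on third-party credentials along the lines above, as an added example that is not from the article or from STRATIUUM: a small Python check over constructed sshd login lines that flags vendor accounts connecting from outside the monitored VPN pool, to hosts outside their approved segment, or after their access should have expired. The VPN CIDR, account names, host names and expiry dates are assumptions.

```python
import ipaddress
import re
from datetime import date
# Constructed policy (assumption, not from the article): vendor accounts must
# connect from the corporate VPN pool and only to the hosts they were granted.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
VENDOR_POLICY = {
    "svc-msp-backup": {"hosts": {"bkp-01", "bkp-02"}, "expires": "2025-06-30"},
    "svc-msp-monitor": {"hosts": {"nms-01"}, "expires": "2024-01-31"},
}

# Matches successful sshd logins in a syslog-style line (timestamp host ...).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+)"
)

def check_line(line, today):
    """Return (user, ip, host, findings) for a vendor login, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    policy = VENDOR_POLICY.get(m["user"])
    if policy is None:
        return None  # not a third-party account; out of scope for this check
    ip, host = ipaddress.ip_address(m["ip"]), m["host"]
    findings = []
    if ip not in VPN_POOL:
        findings.append("off-vpn")          # bypassed the monitored VPN path
    if host not in policy["hosts"]:
        findings.append("unapproved-host")  # outside the segment it was granted
    if date.fromisoformat(today) > date.fromisoformat(policy["expires"]):
        findings.append("expired-access")   # stale credential still in use
    return (m["user"], str(ip), host, findings)

def audit(lines, today):
    results = (check_line(line, today) for line in lines)
    return [r for r in results if r and r[3]]  # only violating vendor logins

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-03-04T02:11:09 bkp-01 sshd[1201]: Accepted publickey for svc-msp-backup from 10.200.4.17 port 51022 ssh2",
    "2024-03-04T02:40:51 db-01 sshd[1340]: Accepted password for svc-msp-backup from 203.0.113.45 port 40011 ssh2",
    "2024-03-04T03:02:17 nms-01 sshd[1402]: Accepted publickey for svc-msp-monitor from 10.200.9.3 port 50120 ssh2",
    "2024-03-04T03:15:44 web-01 sshd[1450]: Accepted publickey for alice from 10.0.1.5 port 50330 ssh2",
]
if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "2024-03-04"):
        print(finding)
```

The same register of vendor accounts, approved hosts and expiry dates is what a centralized third-party risk program would maintain, so the check can be fed from it rather than hard-coded.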
However, cyber is a strategic risk that exists at the intersection of people, process, and technology. Organizations need to place as much importance on shoring up their entire ecosystem of vendors and partners as they do in preparing their entire workforce with the skills and tools to protect against cyber attacks.
A risk-focused call to action
Your organization’s risk surface is likely much larger than you think. To accurately, and holistically, assess cyber risk, you need to consider the threats that lurk below the surface and figure out how a threat actor may try to target your organization through vulnerabilities in your entire ecosystem of vendors, partners, and third-party suppliers.
GET A HANDLE ON YOUR ECOSYSTEM
Understanding the totality of your threat ecosystem is a good place to start. Identify all third-parties serving all functions in your organization. Build a centralized third-party risk management program around a register of vendors and subcontractors that have access to your networks and data. Consider how they use your information, which interfaces they access, and where your data is stored.
BOLSTER VENDOR RISK ASSESSMENTS
Given the proliferation of third-party relationships, outsourcing, adoption of new technologies, movement to the cloud, and mergers and acquisitions, organizations need to take a risk-based approach to managing the cyber threat across their ecosystem of partners and suppliers. Determine which third-parties are critical, and consider identifying alternative vendors that can be called upon if they suffer a material cyber attack, data breach or technology failure. Use vendor risk assessments to surface gaps and vulnerabilities in third-party control environments, and gain critical insights into the effectiveness of their cyber security measures and preparedness.
ENHANCE THIRD-PARTY DUE DILIGENCE
Taking a robust line with outsource partners is important because so much of an organization’s activities typically depend on third-parties. Critical vendors must be evaluated and monitored in a more rigorous way through a combination of questionnaires and remote and onsite cyber security assessments. Ongoing due diligence can help give you comfort that third-parties are handling sensitive data according to regulatory guidelines and industry standards, and have the capabilities to protect and secure your data.
And remember, it’s not just your suppliers and vendors. Businesses undergoing mergers and acquisitions must complete rigorous due diligence to uncover and remediate concerns about the security posture of their merger / acquisition targets along with their third parties.
REVISIT CONTRACTS
Beyond the obvious provisions such as the right to audit, if your third-parties engage subcontractors, make sure that flow-down clauses covering everything you hold your third-party accountable for are included in their outsourced vendor contracts. Verify that all service agreements include the right clauses to meet your regulatory compliance and reporting requirements. When a partner company or a supplier is compromised, it is important to understand that the impact may not be limited to their organization: the entire ecosystem could be at risk through that compromise.
ALIGN INCIDENT RESPONSE PLANS AND PROCESSES
Organizations need an integrated approach to responding to cyber events, irrespective of where in the supply chain the incident occurs. Bringing together critical vendors and third-party suppliers as part of wider response planning efforts builds resilience across the entire ecosystem. Consider including your external vendors and business partners in focused tabletop exercises and simulations to rehearse response strategies and plans, enabling the launch of a coordinated and joined-up response.
Identifying your weakest link
Third-party relationships can pose a major threat to your company’s reputation, compliance, and overall value. Your network isn’t just your network. It’s your network, plus your trusted partners, plus your suppliers. If you are not mitigating risk across the entire ecosystem, you are potentially missing a very large exposure to your business. Now would be a good time to review your cyber risk management program through a third-party lens.
To learn more about STRATIUUM’s Third-party Risk Advisory Solutions, please contact us.
SPOTLIGHT ON | CYBER RISK ASSESSMENTS

Priorities matter ...

In an age of competing priorities and limited resources, organizations need to identify and prioritize investment in those cyber capabilities that will contribute most to maturing their overall cyber resilience.
Risk assessments are the cornerstone of any successful cyber security strategy. They focus attention on the most important threats and opportunities an organization faces, and lay the groundwork for implementing effective, proportionate, and optimized risk management strategies.

The dynamic nature of cyber risk requires organizations to continually monitor and reassess their threat exposures to ensure cyber risk levels are understood and managed within defined tolerance thresholds. Only through an ongoing cycle of maintaining and updating your risk assessments can you manage cyber risk proactively, comprehensively, and effectively, without stifling your company’s ability to innovate and execute against its business mission and goals.