Third-party vulnerabilities are the silent but deadly cybersecurity threat. They can impact an organization without any way for it to know it’s at risk. Take the SolarWinds incident from December 2020 as a prime example: a single vulnerability in SolarWinds’s servers had a trickle-down effect that impacted thousands of unsuspecting customers, including multiple government agencies and numerous global enterprises.
Bob Pacheco is Managing Partner and leads the Governance, Risk and Compliance (GRC) practice at Mission Cyber Group. For nearly 20 years he has worked with a wide range of organizations — including the NFL, PGA, state entities, and Fortune 100 companies — to address third-party vulnerabilities like the one from the SolarWinds breach. Pacheco spoke with IT Business Edge about what enterprises should know about preventing third-party risks.
- The Nuance of Risk Management
- The Evolution of Third-Party Vulnerabilities
- Rethinking Vendor Risk Assessment
- Third-Party Risk Management Requires Specialized Expertise
The Nuance of Risk Management
The SolarWinds attack is only one of the most recent examples of a worst-case risk management scenario. With all of these incidents, most of the focus of the follow-up and analysis is on the technical issues at hand. What was the root cause of the breach? What cybersecurity measures were in place to prevent the attack from being successful?
Pacheco believes this focus is misguided. When an organization is attacked, there’s another organization on the other end that has committed a crime. Rather than criticizing the victim, he believes there should be greater attention paid to the perpetrator.
As he puts it, “There’s an initial response to look at the target organization to see what went wrong, but that’s backward. It needs to be understood that these organizations aren’t security firms, and the people who are executing attacks are professional criminals.”
Nevertheless, organizations must do everything in their power to be prepared for threats — both known and unknown — to minimize the catastrophic effects when one inevitably becomes reality. Pacheco says one of the most important things an organization can do is expect the unexpected.
“If you look at all the numerous devices and applications used across an organization,” he said, “it’s an amazingly complex world. It’s impossible to be prepared for any attack or patch, and that fact needs to be taken into consideration when planning.”
In most cases, the best solution is to act as if the perimeter has already been breached and re-architect the business to anticipate those vulnerabilities. According to Pacheco, microsegmentation and patch management tools do exactly that. Microsegmentation allows an organization to contain the impact of an attack, and patch management helps respond to a detected incident quickly and effectively.
The Evolution of Third-Party Vulnerabilities
Today’s risk management needs certainly look a lot different than they did 10 years ago. When all of an organization’s IT systems operated on-premises, vendor management wasn’t as important because the organization managed everything in-house. However, virtualization effectively changed the face of IT management as we know it.
As more and more organizations migrate to the cloud, they increase their dependency on external organizations like AWS and Google to outsource their core business and IT functions. In many cases, these organizations may contract out some of their services to third parties.
“This creates a supply chain of vendors that support everyone,” Pacheco says, “and therefore a supply chain of vulnerabilities with different points of attack. You may have a systems administrator three vendors away that doesn’t change his password, but that small detail can snowball into trouble for everyone.”
Digital transformation means we’re becoming so interconnected that vulnerability is virtually everywhere. What is an organization to do? Pacheco emphasized that contractual controls are a must. With the right controls in place, organizations can reduce the possibility that they will be the victim of an attack from someone in the supply chain of vendors. “Without those measures in place,” he says, “all you’re doing when you go to the cloud is spreading your vulnerabilities across multiple vendors.”
Rethinking Vendor Risk Assessment
To understand what contractual controls are appropriate, Pacheco says organizations should revisit their vendor risk assessments. First, it’s important for an organization to know all of its compliance needs, including geographical restrictions, privacy laws, and disaster recovery planning. This gives a good starting place to then look at all of the organization’s supply chain requirements for hardware, software, and data management.
An effective vendor management process will tier vendors based on level of importance. For the top-tier, business critical vendors, Pacheco advises organizations to dig deeper and inquire about specific results before considering an assessment complete. Organizations should specifically focus on the disaster recovery process for vendor failure — if something goes wrong, what’s the backup plan? Reviewing evidence rather than settling for a checklist will provide a more thorough vendor risk assessment.
Pacheco also says smaller vendors sometimes offer more administrative controls than larger vendors. “I’m not saying don’t use big vendors,” he says, “but make sure you have the right solution for your business.” If a vendor won’t accommodate the contractual controls you need, it might be best to look for an alternative.
Third-Party Risk Management Requires Specialized Expertise
Ultimately, Pacheco’s biggest piece of advice in preventing third-party vulnerabilities is to think of vendor assessment and risk management the same as any other specialized business need. It might seem counterintuitive, but third-party experts can help with third-party risk management.
Specifically, relying on a specialist’s expertise in this area can help organizations understand what information is most important. This is particularly essential when it comes to assessing risk, planning for worst-case scenarios, and jumping into action when the time comes.
Pacheco explains, “Vendor management needs a strong understanding of information technology, but it also requires a high level of business acumen, compliance, and global laws.” In this way, vendor management is its own discipline that requires an expert balance of business and technical knowledge. Organizations that don’t have that kind of expertise in-house should consider outsourcing their third-party risk management needs.