Drawbridge: Supply Chain Security – The Missing Piece

Cyber-attacks have spiked in the last few years, yet despite this growing concern only 34 per cent of organisations have formally assessed their exposure to the risk. This is all the more concerning as they rely on third-party software providers to enable their hybrid and remote working models, whose users are prime targets for cyber criminals.

Simon Eyre is the CISO at Drawbridge, a provider of cybersecurity software and solutions to the alternative investment industry. Its proprietary platform helps firms manage and exceed their governance, risk and compliance (GRC) requirements while combatting sophisticated cyber threats and third-party risks. With a company focus on third-party risk, and with over 18 years working in the investment industry, Eyre is well placed to discuss the missing piece in supply chain security.

Speaking to The Fintech Times, Eyre highlights the importance of understanding comprehensive data flow across an organisation and its vendors, why continuous monitoring is necessary, and how organisations can create proactive and reactive plans to handle third-party compromises:

Simon Eyre, CISO at Drawbridge

No organisation exists in a vacuum – and cybercriminals have taken notice. Businesses today increasingly rely on third-party vendors to perform daily operations such as video conferencing and cloud-based web services. As companies continue to adopt permanent work-from-home and hybrid policies, reliance on third-party software has never been greater.

Threat actors consistently attacked third-party vendors throughout 2021, resulting in significant impacts throughout the software supply chain. As we saw with the Kaseya attack, although fewer than 60 direct customers were affected, the downstream effect compromised between 800 and 1,500 companies globally. And that was not the first time we witnessed this attack style; we saw a similar situation with the 2020 SolarWinds attack – and cybercriminals do not appear to be slowing down anytime soon.

According to a recent study, 56 per cent of businesses expect an increase in reportable incidents in 2022 from attacks on the software supply chain. But worryingly, only 34 per cent have formally assessed their enterprise’s exposure to this risk.

The question remains: how can business leaders best assess vendor cyber risk and apply proper safeguards and protections for relationships with third parties?

Know the risk and regulatory landscape

If businesses are to defend against a third-party cyber-attack properly, it’s critical that they have up-to-date knowledge on cyber threats and the cybercriminal landscape. You cannot ensure protection from vulnerabilities you do not know. Look to similar organisations and continuously track how cybercriminals are executing attacks, what attack strategies they are using, and how attackers compromised data in the attack.

In the first six months of 2021, the global volume of ransomware attacks increased by 151 per cent and the average cost of a breach was $3.6 million per incident. It’s clear that cybercriminals do not discriminate when choosing an organisation to attack. That means every organisation, big and small, must stay vigilant to ensure preparedness.

Regulators across the globe are proactively responding to the threat of cyberattacks in the form of regulation. In the EU the Digital Operational Resilience Act (DORA) is expected to come into effect in 2023, requiring organisations to prioritise secure technologies and resilience to ensure the integrity of financial institutions.

Garner support from the C-suite

Ensuring adequate knowledge of cybersecurity trends also requires that cybersecurity professionals have C-suite level support. Cybersecurity experts should have their own responsibilities within the business, separate from the generalised IT team, so they can focus on in-house security and mitigate and analyse third-party vendor risk. Generalised IT teams generally focus on daily tasks to keep the organisation running, including troubleshooting emails, processing data and managing the overall technology infrastructure. While IT teams focus on this diverse array of duties necessary to keep the business running, most do not have the time or resources to dedicate the needed attention to third-party cyber risk protection. If you want to ensure preparedness for whatever disruption hits your third-party vendors, hire proper cybersecurity talent, and equip them with the support and resources they need to properly protect your business.

Understand data flow

Data is the lifeblood of any business. To properly protect it, businesses must understand where the data is located and who has access to it. This type of comprehensive data flow understanding encompasses the full data lifecycle, including where data originates, where it is stored and which vendors have access to it in any capacity. Data mapping exercises can help business leaders truly understand their data and apply the proper proactive strategies to prevent a breach.

Vendors should only have access to the minimum data needed to perform their intended function for your business. Oversharing data with a vendor can lead to a breach that could significantly impact your business. When beginning a new relationship with a vendor, double-check what data they require. If a vendor requests data that you feel they should not require access to, inquire and investigate further to ensure you’re implementing optimal data protection practices.

Run vulnerability management continuously

When selecting vendors, it’s vital to vet their cyber posture and preparedness – but that’s just the beginning. Work only with vendors that demonstrate robust, proactive cybersecurity systems – and set the expectation that vendors must similarly vet their own vendors and partners. Setting these parameters can help ensure that if your vendor is attacked, threat actors will have a difficult time accessing your networks and data.

Businesses can harness vulnerability management technology to continuously vet vendor risk profiles and help discover points of weakness within a platform and on a network used by vendors. Performing vulnerability management continually, with routine penetration testing within the environment, ensures preventative measures are taken before an attacker can capitalise on a weakness.

In addition to the traditional Security Operations Software (SOC) team, vulnerability management tools can enhance cyber risk protections. Compliance, HR and Risk Assessment teams can also use these tools in their daily operations to ensure the utmost protection from a breach. When a business uses this type of risk management platform across departments, it allows the business to take a collaborative approach to efficiently tackle business risk, especially as attacks against technology vendors are on the rise.

Proactively plan for your cybersecurity success

Proactive planning is the key to protecting your business from what could be a massive disruption in the wake of an attack on your third-party vendors or supply chain. That starts with hiring proper cybersecurity personnel, equipping them with the right resources and ensuring your business has a handle on the current risk landscape and threats. Then it’s about using that knowledge, focusing on your data flow and making continuous vulnerability management scanning a priority to maintain the most robust security posture with your third-party vendors.

The risk landscape is evolving, and threat actors will continuously try to capitalise on the shortcomings of business cybersecurity. We don’t know when the next disruption will happen, but it’s not a matter of if but when – so the best time to prioritise your third-party risk programme is now.
