Conquer third-party risks and boost cyber resiliency now with these helpful steps
Your “quadruple A” guide to cyber safety
Cybersecurity is complex, and we often need to look at the events of the past to properly build the cyber defenses of the future. Nowhere is this more evident than in the areas of third-party risks and cyber resiliency. Luckily, hazards can be avoided when we listen to and learn from past mistakes.
In this three-part series, SHI will take you on a journey through the common hazards, challenges, and defensive tactics within third-party risk management. We’ll explore three leading pain points of third-party risk management – including cyber resiliency, supply chain, and application security – and analyze what history can teach us. Lastly, we’ll give you insights into the tools, tactics, and best practices, so you can mitigate future third-party risk management challenges.
Under fire and underprepared
2019: As the decade ended, an unprecedented attack was just beginning. Within SolarWinds’ CI/CD pipeline, hackers placed malicious code in one of the Texas-based company’s regular software updates. Early the following year, SolarWinds released those same updates to its customers, unknowingly providing the bad actors access to their systems. Once inside, the hackers installed additional malicious software to elevate privileges and spy on as many as 18,000 organizations—including the Pentagon.
The bad actors leveraged what’s colloquially called a supply chain attack, penetrating the defenses of a widely used third party that already has access to an organization’s systems rather than attacking said organization directly. While the SolarWinds hack was high-profile, these kinds of attacks are anything but low frequency.
As many organizations learned the hard way, any risk to your supply chain can also be a risk to your organization. This includes third-party vendors, partners, and software suppliers that you interconnect and work with. Luckily, hazards can be avoided if you know where to look for them and how to defend against them. SHI draws your map to safety with these “Quadruple A” steps to cyber resiliency.
Scouting the landscape is the first step to navigating it carefully. For matters of third-party risk and cyber resiliency, that means taking a hard look at what software you use, who your partners are, and how your data is shared. In our highly connected world, this is often a tall order and requires prioritization based on your unique IT environment. You should begin by identifying and evaluating any data processors, SaaS services, and manufacturers you connect and interact with, focusing on those that directly access your most critical business systems and data.
Next, it’s important to assess the types of resources, security controls, and practices those third parties have in place – answering the question of how they protect your data. Understanding the connection points and security practices of the third parties you work with gives you a better lay of the land and a roadmap for how to build your defenses. Remember, security is a two-way street: If any connected entity is vulnerable, all their connected entities may be vulnerable as well.
Once you know your terrain, you can start to anticipate the hackers’ movement through it. While there are numerous defensive tactics that can be leveraged, many organizations elect to adopt a zero trust methodology to help defend against third-party risks. Using zero trust, you assume the network is already compromised and compartmentalize each third party, granting it only the minimum network access needed to perform its tasks. These presumptive elements of access management and network segmentation can greatly minimize the impact of a third-party breach and increase your overall cyber resiliency to third-party risks.
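One concrete form the "minimum access for a third party" principle takes is the trust policy on a cloud role a vendor is allowed to assume. The following checker, written for this article as an added example (not SHI's or any partner's code), assumes the vendor integrates through an AWS cross-account IAM role and compares a weak trust policy against a hardened one; the account id and external id are placeholders.

```python
import json

# Constructed trust policies for a hypothetical vendor role (placeholder
# account id and external id, not real values): a weak grant and a hardened one.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals":
                                 {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}],
})


def _as_list(value):
    """Normalise IAM fields that may be written as a scalar or a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json: str) -> list[str]:
    """Flag properties of a vendor role trust policy that violate least privilege.

    A hardened third-party grant names the vendor's own account (no wildcard
    principal), requires an sts:ExternalId the vendor must present (guards
    against the confused-deputy problem), and allows only sts:AssumeRole.
    """
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal) if isinstance(principal, str) else [
            p for v in principal.values() for p in _as_list(v)]
        if "*" in principals:
            findings.append(f"statement {i}: wildcard principal, any account may assume the role")
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in conditions.values()):
            findings.append(f"statement {i}: no sts:ExternalId condition")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
    return findings
```

Running the checker over every vendor-facing role during the assessment step turns "how much access does this partner have" into a repeatable finding rather than a one-off review.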
Once you know where the attack could come from, you can confidently mount your resistance.
Luckily, there are solutions to help bolster your cyber resiliency. Leading SHI partners like Okta understand the challenges of third-party risk and cyber resiliency. They can aid in simplifying the identity and access management processes by reducing complexity, providing strong access management, and monitoring across a broad range of technologies.
Additionally, leading endpoint solutions like SentinelOne’s EPP and EDR can provide an effective first line of defense, both in the detection and prevention of third-party risks. Its AI/ML looks for suspicious and abnormal activity and can halt attacks on your network, almost like a digital canary in a coal mine.
While understanding your risk landscape and applying the right technical solutions are steps in the right direction, they may not always be enough. It’s also worth aligning to hallmark industry security standards such as NIST SP 800-53, SP 800-161, and the Cybersecurity Framework (CSF). The National Institute of Standards and Technology maintains these frameworks in collaboration with outside technology partners and industry leaders. Each provides additional guidance and recommendations for addressing key areas of third-party and supply chain risks, making them your North Star for cyber resiliency.
Ask for help!
Third-party risk is simply a reality of the IT world we currently live in. However, that doesn’t mean you can’t take back control of your cyber resiliency or that you need to go it alone. SHI and our network of partners are your weapons cache for finding and implementing the right solutions to address any third-party risk challenge. We offer an array of assessments and workshops that help you obtain a deeper understanding of third-party risks and guide you through the steps for building best-in-class cyber resiliency. Start building your strategy for thwarting third-party risk with us today.