Christine Halvorsen is a Managing Director at Protiviti dedicated to helping organizations in a world of emerging and changing risks.
getty
Cybercriminals are finding success exploiting vulnerabilities in outsourcing arrangements due in large part to the “blind faith” complacency with which many businesses manage third-party vendor relationships. As guardians of their enterprises, business leaders should ask themselves this critical question when considering a third-party vendor arrangement: Is our organization entering into the relationship with blind faith?
Consider, for example, the rise of cloud technology and services, which has resulted in a boom in as-a-service offerings, artificial intelligence (AI) and machine learning (ML) and the Internet of Things (IoT), among other emerging technologies. Companies are implementing these new technologies at an incredibly fast pace to be competitive, potentially affecting security in the process.
It's this blind faith in giving more third-party vendors privileged access to systems and data without appropriate checks that can introduce vulnerabilities and risks to the organization. The supply chain cyberattack on MOVEit, allegedly by the Russian-linked Clop criminal ransomware group, is a notable example and a sure sign that companies need to step up their security and resilience efforts. The attack exploited a vulnerability within the MOVEit services that allegedly allowed Clop to gain access to their customers through a vulnerability that was unknown to the organization.
The initial damage assessment of the attack uncovered victims from more than 200 organizations, with at least 33 data breach disclosures resulting in more than 17.5 million affected individuals. This significant impact was caused by a vulnerability in a file transfer service that was part of a spider web of interconnectivity between the service provider and its customers. Attacks like this should have every business leader asking: “Has our organization identified, assessed and mitigated the risks our intricate external partner network presents to our organization?”
Instead of operating with blind faith, organizations should create a circle of trust through established due diligence frameworks and processes. They can begin this journey of creating a circle of trust by taking these five critical steps.
1. Correlate all external partners and the services they provide to the organization. This exercise would help:
• Identify assets and services within the organization delivered through external partners.
• Identify threats, vulnerabilities and consequences of those external partners.
• Determine the risk tolerance and tradeoffs related to the protection of those assets and services.
• Implement a continuous monitoring program.
2. Establish a cyber supply chain risk management (CSCRM) framework. This process involves:
• Conducting a SCRM assessment.
• Documenting assessment results, clarifying findings and incorporating lessons learned into the SCRM policies and processes.
• Establishing mitigation actions.
• Identifying all stakeholders and individual responsible owners (hub and spoke).
3. Perform comprehensive due diligence on suppliers of products, services, materials and contractual agreements. This process entails:
• Conducting research and due diligence on suppliers’ risk on a continuous basis to include the sanctions, cyber, financial, reputational, foreign ownership control or influence (FOCI), operational and overall risk scores.
• Building an understanding of suppliers’ risk.
• Conducting a service level agreement (SLA) and/or contractual audit.
• Aligning suppliers with cyber vulnerabilities.
4. Develop and implement an asset management system for software and hardware. You can do this by:
• Establishing a software bill of materials (SBOM) to create a comprehensive inventory of the components used to make up a piece of software.
• Establishing a hardware bill of materials (HBOM) to create a comprehensive inventory of the components used within your infrastructure.
5. Deploy a mitigation strategy to manage risk. This is critical to:
• Determine the breadth and depth of the threat and vulnerability.
• Establish risk posture.
• Establish approval and escalation procedures.
• Develop and deploy a training program.
• Automate mitigation processes where applicable.
Here’s the bottom line—and it can't be overstated: Organizations that haven't itemized and reconciled their third-party relationships against consistent risk criteria, business-critical processes and applications are vulnerable to a broader range of vulnerabilities and misadventures.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
