Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/31/2020
02:00 PM
Jake Olcott
Jake Olcott
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Third-Party Risk Management Has Never Been More Important

Given today's coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here's how to start.

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.

In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce. In responding to real business needs, they now face a variety of new, complex cybersecurity challenges from an expanding attack surface — both internally and within their third-party networks.

Work from Home & Insecure External Networks
Under the best of circumstances, it's difficult for security teams to enforce stringent controls and policies when employees are operating from disparate locations on various networks and devices. In the wake of COVID-19, with newly remote home workers logging on to unpatched machines through unsecured Wi-Fi networks that haven't connected to the corporate VPN in days or weeks, the dangers are even more of a threat.

In fact, new concerns about "external network" security have become top of mind for security teams. The National Institute of Standards and Technology recently issued an urgent bulletin outlining challenges and best practices, suggesting that "organizations should also assume that communications on external networks, which are outside of the organization's control, are susceptible to eavesdropping, interception, and modification." Organizations are now seeking to better understand the security posture of the external network.

Compounding this challenge, opportunistic hackers are taking advantage of the ongoing fear to target individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual's personal information. These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to third- and fourth-party networks, where you have less visibility and control.

Vendor Assessment and COVID-19
Given the current coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in evaluation processes will now need to rethink their approach because most consultants will no longer be traveling, at least for the short and medium term.

Of course, existing or new manual assessment processes will be slower and more stressful due to the challenges that come with a newly remote workforce, not to mention a reduced access to the latest technology, such as video conferencing for brainstorming sessions and planning meetings that will be increasingly difficult when everyone is in a different location and relying on potentially flawed home Wi-Fi networks.

To promote efficient and effective vendor assessment and onboarding processes in these conditions, it's critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By leveraging a dynamic, standardized cyber-risk key performance indicator (KPI), like security ratings to assess each potential vendor's security posture side-by-side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions under the limited remote resources you have today due to the coronavirus. [Disclosure: The author is an executive of a company that provides security ratings to help companies evaluate third-party risk.]

Developing Remediation Contingencies
Once a vendor has been onboarded, it's critical to continuously monitor their security posture to ensure they're maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.

Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this brave new world of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.

As part of your third-party risk management initiative, make sure you align how your current vendors will handle any security issues that arise within your remote workforce over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that no employees will likely be permitted to travel there.

As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.

Closing the Security and Communication Gaps
During these uncertain times, it's more important than ever to be proactive and vigilant when it comes to your organization's cybersecurity. Don't let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it's critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.

Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, all organizations will need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory, and no security leader is going to have all the right answers immediately. You must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Evict Attackers Living Off Your Land."

Jake Olcott is vice president at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13768
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
CVE-2020-13849
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
CVE-2020-13848
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
CVE-2020-11682
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
CVE-2020-12847
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...