Dark Reading is part of the Informa Tech Division of Informa PLC

Jake Olcott

Why Third-Party Risk Management Has Never Been More Important

Given today's coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here's how to start.

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.

In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce. In responding to real business needs, they now face a variety of new, complex cybersecurity challenges from an expanding attack surface — both internally and within their third-party networks.

Work from Home & Insecure External Networks
Under the best of circumstances, it's difficult for security teams to enforce stringent controls and policies when employees are operating from disparate locations on various networks and devices. In the wake of COVID-19, with newly remote workers logging on from home through unsecured Wi-Fi networks, on unpatched machines that haven't connected to the corporate VPN in days or weeks, the danger is even greater.

In fact, new concerns about "external network" security have become top of mind for security teams. The National Institute of Standards and Technology recently issued an urgent bulletin outlining challenges and best practices, suggesting that "organizations should also assume that communications on external networks, which are outside of the organization's control, are susceptible to eavesdropping, interception, and modification." Organizations are now seeking to better understand the security posture of the external network.

Compounding this challenge, opportunistic hackers are taking advantage of the ongoing fear to target individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual's personal information. These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to third- and fourth-party networks, where you have less visibility and control.

Vendor Assessment and COVID-19
Given the current coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in evaluation processes will now need to rethink their approach because most consultants will no longer be traveling, at least for the short and medium term.

Of course, existing or new manual assessment processes will be slower and more stressful because of the challenges that come with a newly remote workforce, not to mention reduced access to the latest technology, such as video conferencing. Brainstorming sessions and planning meetings will be increasingly difficult when everyone is in a different location and relying on potentially flawed home Wi-Fi networks.

To promote efficient and effective vendor assessment and onboarding processes in these conditions, it's critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By using a dynamic, standardized cyber-risk key performance indicator (KPI), such as security ratings, to assess each potential vendor's security posture side by side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions with the limited remote resources you have today because of the coronavirus. [Disclosure: The author is an executive of a company that provides security ratings to help companies evaluate third-party risk.]

Developing Remediation Contingencies
Once a vendor has been onboarded, it's critical to continuously monitor their security posture to ensure they're maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.

Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this brave new world of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.

As part of your third-party risk management initiative, make sure you agree with your current vendors on how they will handle any security issues that arise within your remote workforce over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that employees will likely not be permitted to travel there.

As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.
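The two checks described in this section and the previous one, daily monitoring of vendor security ratings against the thresholds agreed at onboarding and tracking of the 24-hour breach-notification and 48-hour remediation time frames, as an added example. This is not code from the article or from BitSight; the vendor names, the numeric rating scale, the agreed minimums, the incident timestamps and the "current time" are all constructed assumptions, and a real deployment would read the daily ratings from whichever rating service the organization uses.

```python
"""Vendor rating drift and incident SLA tracking.

Added example, not code from the article or from BitSight. Vendor names, the
rating scale, thresholds and timestamps are constructed for illustration."""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M"

# Constructed daily rating snapshots: vendor -> list of (ISO date, rating).
# The numeric scale is an assumption; rating services define their own.
DAILY_RATINGS = {
    "vendor-a": [("2020-03-20", 760), ("2020-03-21", 755),
                 ("2020-03-22", 690), ("2020-03-23", 695)],
    "vendor-b": [("2020-03-20", 610), ("2020-03-21", 640),
                 ("2020-03-22", 645)],
}

# Constructed per-vendor minimum rating agreed at onboarding.
AGREED_MINIMUM = {"vendor-a": 700, "vendor-b": 600}

# Constructed incident records reported by vendors (None = not yet happened).
INCIDENTS = [
    {"vendor": "vendor-a", "discovered_at": "2020-03-21T09:00",
     "notified_at": "2020-03-22T15:00", "remediated_at": None},
    {"vendor": "vendor-b", "discovered_at": "2020-03-22T10:00",
     "notified_at": "2020-03-22T18:00", "remediated_at": "2020-03-24T12:00"},
]
NOW = datetime(2020, 3, 24, 12, 0)  # constructed "current time" for the checks


def find_rating_alerts(daily_ratings, agreed_minimum, max_daily_drop=30):
    """Flag each day on which a vendor is below its agreed minimum or has
    lost more than max_daily_drop points since the previous snapshot."""
    alerts = []
    for vendor, series in daily_ratings.items():
        floor = agreed_minimum[vendor]
        previous = None
        for day, rating in sorted(series):  # ISO dates sort chronologically
            if rating < floor:
                alerts.append({"vendor": vendor, "date": day, "kind": "below_threshold",
                               "rating": rating, "floor": floor})
            if previous is not None and previous - rating > max_daily_drop:
                alerts.append({"vendor": vendor, "date": day, "kind": "sharp_drop",
                               "rating": rating, "delta": rating - previous})
            previous = rating
    return alerts


def check_incident_sla(incident, now, notify_hours=24, remediate_hours=48):
    """Compare one incident against the contractual time frames.
    The notification clock starts when the vendor discovered the issue;
    the remediation clock starts when the vendor notified us."""
    discovered = datetime.strptime(incident["discovered_at"], TIME_FMT)
    notify_by = discovered + timedelta(hours=notify_hours)
    result = {"vendor": incident["vendor"], "notify_by": notify_by.strftime(TIME_FMT)}

    if incident["notified_at"] is None:
        result["notification"] = "overdue" if now > notify_by else "pending"
        result["remediation"] = "not started"
        return result

    notified = datetime.strptime(incident["notified_at"], TIME_FMT)
    result["notification"] = "met" if notified <= notify_by else "missed"
    remediate_by = notified + timedelta(hours=remediate_hours)
    result["remediate_by"] = remediate_by.strftime(TIME_FMT)

    if incident["remediated_at"] is None:
        result["remediation"] = "overdue" if now > remediate_by else "pending"
    else:
        remediated = datetime.strptime(incident["remediated_at"], TIME_FMT)
        result["remediation"] = "met" if remediated <= remediate_by else "missed"
    return result


if __name__ == "__main__":
    for alert in find_rating_alerts(DAILY_RATINGS, AGREED_MINIMUM):
        print("RATING", alert)
    for incident in INCIDENTS:
        print("SLA", check_incident_sla(incident, NOW))
```

Run once a day against the latest rating snapshot: a `below_threshold` alert is the trigger for the documented contingency plan, while a `sharp_drop` alert catches a vendor that is still above its floor but trending the wrong way and deserves a conversation before the threshold is crossed. The SLA check separates the notification and remediation clocks deliberately, since a vendor can meet one and miss the other, and both outcomes need to be recorded against the written agreement.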

Closing the Security and Communication Gaps
During these uncertain times, it's more important than ever to be proactive and vigilant when it comes to your organization's cybersecurity. Don't let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it's critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.

Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, all organizations will need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory, and no security leader is going to have all the right answers immediately. You must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.


Jake Olcott is vice president at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as ...
