
Risk

3/31/2020
02:00 PM
Jake Olcott
Commentary

Why Third-Party Risk Management Has Never Been More Important

Given today's coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here's how to start.

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.

In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce. In responding to real business needs, they now face a variety of new, complex cybersecurity challenges from an expanding attack surface — both internally and within their third-party networks.

Work from Home & Insecure External Networks
Under the best of circumstances, it's difficult for security teams to enforce stringent controls and policies when employees are operating from disparate locations on various networks and devices. In the wake of COVID-19, with newly remote home workers logging on from unpatched machines over unsecured Wi-Fi networks, on devices that may not have connected to the corporate VPN in days or weeks, the dangers are even greater.

In fact, new concerns about "external network" security have become top of mind for security teams. The National Institute of Standards and Technology recently issued an urgent bulletin outlining challenges and best practices, suggesting that "organizations should also assume that communications on external networks, which are outside of the organization's control, are susceptible to eavesdropping, interception, and modification." Organizations are now seeking to better understand the security posture of the external network.

Compounding this challenge, opportunistic hackers are taking advantage of the ongoing fear to target individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual's personal information. These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to third- and fourth-party networks, where you have less visibility and control.

Vendor Assessment and COVID-19
Given the current coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in evaluation processes will now need to rethink their approach because most consultants will no longer be traveling, at least for the short and medium term.

Of course, existing or new manual assessment processes will be slower and more stressful given the challenges of a newly remote workforce, not to mention reduced access to the latest technology, such as video conferencing. Brainstorming sessions and planning meetings become increasingly difficult when everyone is in a different location and relying on potentially flawed home Wi-Fi networks.

To promote efficient and effective vendor assessment and onboarding processes in these conditions, it's critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By leveraging a dynamic, standardized cyber-risk key performance indicator (KPI), like security ratings to assess each potential vendor's security posture side-by-side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions under the limited remote resources you have today due to the coronavirus. [Disclosure: The author is an executive of a company that provides security ratings to help companies evaluate third-party risk.]

Developing Remediation Contingencies
Once a vendor has been onboarded, it's critical to continuously monitor their security posture to ensure they're maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.

Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this brave new world of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.

As part of your third-party risk management initiative, make sure you agree with your current vendors on how they will handle any security issues that arise within your remote workforce over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that employees will likely not be permitted to travel there.

As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.

Closing the Security and Communication Gaps
During these uncertain times, it's more important than ever to be proactive and vigilant when it comes to your organization's cybersecurity. Don't let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it's critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.

Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, all organizations will need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory, and no security leader is going to have all the right answers immediately. You must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.


Jake Olcott is vice president at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as ...