Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/31/2020
02:00 PM
Jake Olcott
Jake Olcott
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Third-Party Risk Management Has Never Been More Important

Given today's coronavirus pandemic, the need for companies to collect cybersecurity data about their business partners is more critical than ever. Here's how to start.

Over recent weeks, the ongoing spread of the COVID-19 coronavirus has forced companies around the country to make difficult decisions about how to protect their employees — as well as their communities as a whole.

In an effort to halt the spread of the virus, many organizations are instituting mandatory work-from-home (WFH) policies, engaging with new cloud service providers, and shifting resources toward supporting an expanding remote workforce. In responding to real business needs, they now face a variety of new, complex cybersecurity challenges from an expanding attack surface — both internally and within their third-party networks.

Work from Home & Insecure External Networks
Under the best of circumstances, it's difficult for security teams to enforce stringent controls and policies when employees are operating from disparate locations on various networks and devices. In the wake of COVID-19, with newly remote home workers logging on to unpatched machines through unsecured Wi-Fi networks that haven't connected to the corporate VPN in days or weeks, the dangers are even more of a threat.

In fact, new concerns about "external network" security have become top of mind for security teams. The National Institute of Standards and Technology recently issued an urgent bulletin outlining challenges and best practices, suggesting that "organizations should also assume that communications on external networks, which are outside of the organization's control, are susceptible to eavesdropping, interception, and modification." Organizations are now seeking to better understand the security posture of the external network.

Compounding this challenge, opportunistic hackers are taking advantage of the ongoing fear to target individuals with phishing emails that appear to come from an official source, such as the Centers for Disease Control (CDC). These emails contain a malware-ridden attachment that infects the computer in question and steals the individual's personal information. These risk factors are hard to assess and mitigate in your own organization — and even more difficult to monitor when it comes to third- and fourth-party networks, where you have less visibility and control.

Vendor Assessment and COVID-19
Given the current coronavirus pandemic, the need for companies to collect cybersecurity data about their vendors has never been more critical. That being said, recent travel bans and widespread WFH policies prevent on-site evaluations from being a viable option, completely upending traditional ways of assessing third-party risk. In addition, organizations that have previously leveraged consultants to aid in evaluation processes will now need to rethink their approach because most consultants will no longer be traveling, at least for the short and medium term.

Of course, existing or new manual assessment processes will be slower and more stressful due to the challenges that come with a newly remote workforce, not to mention a reduced access to the latest technology, such as video conferencing for brainstorming sessions and planning meetings that will be increasingly difficult when everyone is in a different location and relying on potentially flawed home Wi-Fi networks.

To promote efficient and effective vendor assessment and onboarding processes in these conditions, it's critical to streamline and automate wherever possible. Many organizations will need to completely rethink their assessment schedule and policy to include more remote monitoring capabilities. By leveraging a dynamic, standardized cyber-risk key performance indicator (KPI), like security ratings to assess each potential vendor's security posture side-by-side, you can immediately identify areas of risk that require attention — and make data-driven evaluation decisions under the limited remote resources you have today due to the coronavirus. [Disclosure: The author is an executive of a company that provides security ratings to help companies evaluate third-party risk.]

Developing Remediation Contingencies
Once a vendor has been onboarded, it's critical to continuously monitor their security posture to ensure they're maintaining the previously agreed-upon risk thresholds. As security ratings are updated on a daily basis, you can easily leverage this data to track any security shifts in your third-party network from your remote working location.

Of course, monitoring only goes so far. If you identify critical vulnerabilities that pose a risk to your ecosystem, you need to have a remediation plan in place. That being said, in this brave new world of mandated WFH policies, your previously agreed-upon plans will likely need to be reassessed and updated.

As part of your third-party risk management initiative, make sure you align how your current vendors will handle any security issues that arise within your remote workforce over the coming weeks and months. For instance, you should confirm that they have a plan in place to resolve any data center vulnerabilities, given that no employees will likely be permitted to travel there.

As is the case whenever you update vendor security expectations, make sure that any and all contingencies are documented in writing and agreed upon. Outline the preferred forms of communication and be as specific as possible when defining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.

Closing the Security and Communication Gaps
During these uncertain times, it's more important than ever to be proactive and vigilant when it comes to your organization's cybersecurity. Don't let a security incident be the first time you reconnect with your third parties about new processes and standards you need to implement during this global crisis. As the workforce goes remote and new targeted threats become increasingly prevalent, it's critical to have a plan in place to continuously evaluate and manage both your security posture and that of your vendor ecosystem.

Of course, given the current resource restrictions and unprecedented stress on the overall digital supply chain, all organizations will need to start by reassessing (and potentially overhauling) their existing policies and procedures. In many ways, this is uncharted territory, and no security leader is going to have all the right answers immediately. You must be willing to think outside of the box to accomplish your responsibilities, support your team, and protect your network in this new and evolving risk environment.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How to Evict Attackers Living Off Your Land."

Jake Olcott is vice president at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.