One of the scariest things about last year's SolarWinds data breach, which impacted the world's largest companies and some of the United States' most secure government offices, was how far-reaching it was.
The attack was introduced through SolarWinds, a US firm that counted all those companies and agencies as clients. It is believed to have gone undetected for up to nine months. The accounting of damages might never be complete.
While the full extent of the damage is unknown, the breach has rightfully initiated many uncomfortable conversations about the IT supply chain and forever changed the way companies interact with third-party vendors.
This is a positive and necessary outcome. It puts organizations in a more comfortable position to demand transparency and seek out answers on cybersecurity. Vendors will now be expected to fully disclose any vulnerabilities and respond appropriately in order to earn clients' trust.
It's not a question of whether another major data breach like SolarWinds will happen, but when. Supply chain attack surfaces are expanding, stretched by remote work, e-commerce, and accelerated cloud adoption, while third-party vendor attacks are becoming more frequent, increasing by 430% in 2020.
Here are three steps you can take to make these third-party conversations less awkward and more effective:
1. Focus on People and Processes
Before starting the third-party risk management conversation, identify who has access to sensitive information, which assets are most likely to be targeted, and which controls are required to keep the associated data secure. We still see too many legacy login methods in use in cloud environments, and their monitoring capabilities are typically not enough to provide real-time visibility or assessment.
You'll need to acquire the right tools to build a playbook for automation and response. These solutions should help security teams prioritize day-to-day assignments and tasks with alerts, reducing the overall noise of your network.
People and processes are key to unlocking the power of automation. Break down your security team to understand roles, skill gaps, and blind spots. Who is handling alerts? Strategy?
Take the same approach with existing security policies, which are usually too broad. Make sure they are detailed, that clear procedures exist for third-party engagement, and that the approval process is understood by all employees. Third-party contractors often directly affect business continuity and disaster recovery planning, so it's best to update those plans as well, naming the vendors involved.
2. Plenty of Help Available in Assessing Third-Party Vendors
More and more, companies are updating third-party vendor contracts. They are sending questionnaires to their software supply chain vendors; assessing capabilities, compliance, and risks; and outlining how the parties will go forward together with the shared goal of better security.
Whether it's a spreadsheet or a fillable form, there is a lot of ground to cover in creating such a questionnaire. There are plenty of resources to aid in this process, some of which have been around for a while but have only recently been brought to the forefront thanks to SolarWinds. Start with the Cloud Controls Matrix (CCM), which provides a basic framework for shared responsibility in a cloud environment that is applicable across supply chain vendors.
Standard Information Gathering (SIG) provides standardized questions to assess third-party risk, built on the expertise of more than 300 organizations and 15,000 third-party risk professionals and updated every year. SIG addresses data storage, data encryption in transit and at rest, and identity and access management. It also documents cybersecurity policy and controls via compliance and required certifications, the members of the dedicated security team, and procedures for incident response, business continuity, and disaster recovery.
Regardless of the tools chosen to build an assessment of third-party vendors, a collaborative approach based on trust, transparency, and communication will make your supply chain more secure.
3. Aim for a Unified Network Security Solution
Attacks on third-party vendors are harder to detect, address, and recover from due to inherent issues with visibility, transparency, and responsibility. As shown above, assessment and monitoring of your software supply chain are complex. Fortunately, solutions are emerging.
Some are turning to third-party risk assessment service providers to provide expert analysis and mitigation and avoid potential calamity. A proactive and direct approach to communications within the vendor relationship will go a long way toward ensuring security.
Advanced unified solutions like security information and event management (SIEM) and security orchestration, automation, and response (SOAR) enable visibility into application infrastructure, provide alerts to suspicious or malicious activities, and speed real-time response to cyberattacks.
Both SIEM and SOAR are excellent for aggregating security data and following up on cyberattacks, but they do not help manage or adapt the network to business changes, increase network performance, or deliver the security needed to control access to the network based on user identity and context. A unified solution based on the secure access service edge (SASE) framework can help third-party vendors control access to their networks and limit users' activity based on context, mitigating the risk of credentials stolen through spear-phishing. SASE will also enable software vendors to manage policies for secure network access, identify anomalies, and collect logs for compliance and audit purposes.
Getting Back to Awkward Conversations
As much of the world returns to offices, gatherings with family and friends, and public events, we will all once again be able to have those awkward conversations where we disagree, press for more revealing information, or admit past failures.
The current cybersecurity environment demands proactive risk mitigation, and software supply chains require transparency and visibility no matter how much organizations must dig. Now it's possible to ensure detection, protection, and real-time response in collaboration with third-party vendors, taking the guesswork out of data breach protection.
With thoughtful planning, you can avoid the most awkward conversation of all: telling your customers that their data was compromised by a breach.