Risk management is all about data: learn how with CyberGRX
Amid the many millions of words written about the SolarWinds breach, which continues to affect tens of thousands of organizations either directly or indirectly, a word that has cropped up several times is “inevitable.” That a cyber breach of some description will eventually occur is a statistical certainty that many organizations try to forget. A cybersecurity adage states that it’s not a question of if it will happen, but when. The sophisticated hack, in which a compromised software update from IT monitoring company SolarWinds resulted in nine federal agencies and 100 private companies being accessed, was always a possibility.
Astute decision-makers in organizations are cognizant of this fact of life and are also aware that the greater the number of suppliers or third parties with whom they — and their technology stack — interact, the greater the risk to the core enterprise. The SolarWinds event made the headlines because the company sat within the supply chains of many large organizations, and so a single instance of malware affected many, many companies and public institutions.
The proper assessment of the risk profile of the often thousands of third parties involved with the enterprise is an inordinately complicated and time-consuming process. Fifty years ago, it was less of an issue: companies would maybe run financial background checks on potential supply chain partners and ask for written references. In 2021, relationships with third parties are invariably digital at some level, and every interaction could potentially be a threat to both parties.
Prioritizing risk assessment of supply chain partners is an essential step to take. Each organization’s role and access to data must be considered from the point of view of cyber risk, but even with a limited number of cases to consider, the work overheads are significant.
Risk needs to be prioritized according to the best available information, but always on the assumption that safety can never be guaranteed. That’s a safe assumption in an era where, for instance, a supply chain partner can be given temporary access to data for just a few hours in a discrete project via APIs. If the keys are never revoked, that fleeting contact remains open as a potential attack vector — such is the speed and agility of today’s business environment. It may be a cliché, but the digital world does change quickly, which makes managing cyber risk a game of constantly moving parts.
Getting the security low-down
Risk managers engaged in the daily process of assessing third parties’ risk profiles may wish to consider the flip side of the coin. Supply chain bodies may also wish to evaluate the larger organizations with whom they trade. Furthermore, those same supply chain partners can ill afford to submit assessments to every single enterprise they serve. It’s time-consuming, frustrating, and often a process slow enough to render the results out of date for both sides. What is required are control-based assessments complemented by a cyber-reputation derived from continuous monitoring.
One digital solution to some of the issues dogging both sides of the situation is an objective repository of security risk information held by an independent third party. The advantages of using an exchange are numerous for both parties. Large enterprises can enter into supplier agreements with assurances already available regarding potential risk — to examine, act as the basis for SLAs, and act as evidence of due diligence.
Organizations that supply others with goods or services as part of extended supply chains submit only one version of a broad-reaching assessment. They also have the opportunity to amend and improve their status by mitigating the cyber risks that were identified, further protecting the organizations with whom they trade.
With an exchange, supply chain partners authorize the release of their cyber credentials openly, in an evolutionary manner, to many companies simultaneously. Overheads of hitting multiple standards for multiple partners are slashed, and additionally, the vetting and risk assessment process is two-way. Organizations and third parties collaborate in a one-to-many fashion to crowdsource data, insights, and remediation strategies.
There are parallels here with the cybersecurity information networks that many security teams access or subscribe to. But rather than an evolving catalog of existing malware and methods, the third-party cyber risk assessment approach is more proactive. It can potentially lower the chance of a cybersecurity breach before any signature is attached to a contract, and it continually drives up standards.
While risk is always present, with resources like CyberGRX available — the prime example of such a risk information exchange that we at Tech Wire Asia have come across — the chances of untoward data breaches are made as low as possible.
Having zero risk is impossible, but striving to reach that figure will mean that organizations of all sizes, suppliers or buyers, remove themselves from the “low-hanging fruit” category for cybercriminals. To learn more, start your test drive of CyberGRX and see how your third parties measure up.