Beyond the scoring: Managing the third and fourth party attack surface

Will Gray, Area Director Europe North, SecurityScorecard

Below is an insight into what can be expected from Will’s session at Vendor & Third Party Risk Europe.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Why is it important for organisations to manage the security risks associated with their third and fourth parties?

An organisation’s attack surface spans beyond just the technology that they own or control. As organisations increasingly rely on third-party vendors, they grow their cybersecurity risk. Our research with the Cyentia Institute found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years.

Organisations need visibility into the security posture of their entire third- and fourth-party ecosystem so that they can know in an instant whether an organisation deserves their trust and can take proactive steps to mitigate risk.

Legislation such as the Digital Operational Resilience Act (DORA) and NIS2 Directive, which impact customers across industries including the financial, manufacturing, and critical national infrastructure sectors, recognise the risk posed by the extended supply chain and mandate that organisations improve their capabilities in this space.

How can businesses establish standardised methods of measuring security risk across their entire ecosystem?

Much like in consumer finance, where “credit checks” are performed on applicants, organisations need a standard approach for assessing the cyber risk of their suppliers.

Just as a poor credit rating is associated with a greater probability of default, a poor cybersecurity rating is associated with a higher probability of sustaining a data breach or other adverse cyber event. SecurityScorecard calculates risk with an A-F letter-grade rating system, while also identifying security issues that result in incidents. Organisations with an F rating are 13.8x more likely to have a data breach than companies with an A rating.

Using this standard grading system which looks at predictive factors of a breach, coupled with the current and historical security posture of an organisation, businesses can start to anticipate which suppliers are likely to suffer a security incident and even more importantly, take steps to mitigate the risk.

What steps should businesses take to assess and evaluate the security posture of each link in their supply chain?

SecurityScorecard’s Global Third-Party Cybersecurity Breach Report found that 75% of third-party breaches targeted the software and technology supply chain. With that in mind, organisations should aim to obtain a view of risk which is as complete as possible. This can be achieved through a combination of Due Diligence Questionnaires (DDQs) and assessment of a vendor’s external-facing attack surface, two methods that complement each other.

DDQs focus on policies, procedures, and controls, though they have some limitations because they are only true at a given point in time and are also self-attested. An independent, external assessment of security, performed in addition—and on a continuous basis—enables businesses to achieve a 360-degree view of the risk posed by their extended supply chain.

What are the considerations organisations should keep in mind when it comes to incident management?

Practice makes perfect.

In a world where cybercriminals continuously evolve their threat methodologies, most security professionals believe that it’s no longer a question of “if” an organisation will experience a data security event but rather “when” it will happen. For this reason, organisations would benefit by establishing a robust incident response plan.

Conducting Red Teaming exercises is a crucial function within your incident management process. Red Teaming gives your team a clear roadmap on how to bolster security defences and determine risk acceptance across the organisation. Incident response requires involvement from the Boardroom to the basement. In the current world of social media, what the CXO is going to say to the press is just as important as how your team on the ground contains the incident. This is why conducting tabletop exercises that involve all stakeholders is critical. Tabletop exercises simulate cyber incidents to help your organisation evaluate key personnel’s readiness and ability to respond during a crisis.

How can organisations balance the need for speed and agility with compliance to standards such as DORA?

Incremental improvements are key. Organisations should ask themselves the following questions:

Do I have a tried-and-tested approach to assessing my third parties that involves not only reporting risk, but mitigating it as well?

Can I realistically manage the risk of all of my Nth parties? Probably not. However, I can take steps to understand where I have concentrated risk related to an Nth party because a significant percentage of my direct suppliers rely on them. SecurityScorecard’s report, “Redefining Resilience: Concentrated Cyber Risk in a Global Economy” found that just 15 companies control 62% of technology products and services worldwide. Because of their considerable influence, these companies have greater potential to inflict third-party harm on their customers due to their extremely large market share and vast attack surfaces.

Therefore, it’s key to leverage capabilities such as Automatic Vendor Detection to instantly understand which suppliers are vulnerable and take the appropriate steps. Similarly, it is critical to understand exposure to the vulnerabilities that are actively being exploited and to apply automation to this process via tooling. Beyond that, consider augmenting security teams with Vendor Risk Management experts via managed services.
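As an added example that is not from the article or from SecurityScorecard's tooling, the concentration check described above, run over a constructed supplier map: it measures what share of direct suppliers rely on each fourth party and weights that share by the fourth party's letter grade. All supplier names, grades, the 50% threshold and the grade weights are assumptions.

```python
from collections import defaultdict

# Constructed sample data (names and grades invented for illustration):
# each direct supplier, its rating, and the fourth parties it relies on.
DIRECT_SUPPLIERS = {
    "payments-co":   {"grade": "B", "depends_on": ["cloud-x", "cdn-y"]},
    "hr-saas":       {"grade": "A", "depends_on": ["cloud-x", "idp-z"]},
    "logistics-ltd": {"grade": "D", "depends_on": ["cloud-x", "erp-w"]},
    "print-shop":    {"grade": "C", "depends_on": ["cdn-y"]},
}
# Constructed ratings for the fourth parties themselves.
FOURTH_PARTY_GRADES = {"cloud-x": "B", "cdn-y": "F", "idp-z": "A", "erp-w": "C"}

# A-F grades mapped to an assumed ordinal weight (worse grade = higher weight).
GRADE_WEIGHT = {"A": 1, "B": 2, "C": 3, "D": 4, "F": 5}


def dependents(direct):
    """Map each fourth party to the set of direct suppliers relying on it."""
    deps = defaultdict(set)
    for supplier, info in direct.items():
        for fp in info["depends_on"]:
            deps[fp].add(supplier)
    return deps


def concentration(direct):
    """Share of direct suppliers (0..1) that rely on each fourth party."""
    total = len(direct)
    return {fp: len(s) / total for fp, s in dependents(direct).items()}


def concentrated_risks(direct, fp_grades, threshold=0.5):
    """Rank fourth parties shared by at least `threshold` of direct suppliers.

    Exposure = share of suppliers affected x ordinal weight of the fourth
    party's grade, so a widely shared *and* weakly rated provider ranks first.
    A fourth party with no known grade is treated as F (worst case).
    Returns a list of (fourth_party, share, grade, exposure, affected_suppliers).
    """
    deps = dependents(direct)
    rows = []
    for fp, share in concentration(direct).items():
        if share < threshold:
            continue
        grade = fp_grades.get(fp, "F")
        exposure = round(share * GRADE_WEIGHT[grade], 2)
        rows.append((fp, share, grade, exposure, sorted(deps[fp])))
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for fp, share, grade, exp, hit in concentrated_risks(DIRECT_SUPPLIERS, FOURTH_PARTY_GRADES):
        print(f"{fp}: {share:.0%} of direct suppliers, grade {grade}, exposure {exp}: {hit}")
```

In the constructed data the F-rated CDN used by half the suppliers outranks the B-rated cloud provider used by three quarters of them, which is the kind of concentration a supplier-by-supplier review would not surface.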

Most firms that fall under the scope of the new legislation will have some of these policies and protocols already in place, but this is an opportunity to really streamline cybersecurity and become more cyber resilient overall.