Anders Norremo, VP, Product Management for TPRM, Bitsight

Below is an insight into what can be expected from Anders’ session at Vendor & Third Party Risk Europe 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What does the current cybersecurity landscape amongst third parties look like?

The current cybersecurity landscape amongst third parties is complex and presents a range of challenges. Many organizations rely on third-party vendors, suppliers, and partners to support and scale their operations, but this introduces potential vulnerabilities. Third parties may have access to sensitive data or critical systems, making them attractive targets for cyberattacks.

Cybercriminals often exploit weaknesses in the security practices of these vendors to gain unauthorized access to valuable information. Consequently, organizations need to assess and manage the cybersecurity risks associated with their third-party relationships effectively through holistic third-party risk management (TPRM) programs.

However, many organizations still struggle with manual, time-consuming approaches to TPRM that make programs difficult to scale as the business grows and engages with more third parties.

How can we ensure maturity of vendor cybersecurity practices?

To ensure the maturity of vendor cybersecurity practices, organizations can take several steps:

1. Establish clear security requirements: Define and communicate your organization’s cybersecurity expectations to vendors. This includes specific security controls, incident response protocols, data protection measures, and compliance standards.
2. Conduct thorough assessments: Regularly assess the cybersecurity practices of your vendors through comprehensive audits and risk assessments. Evaluate their security controls, policies, procedures, and track record in handling sensitive data.
3. Implement contractual obligations: Incorporate cybersecurity requirements into contracts and service-level agreements (SLAs) with vendors. Clearly define their responsibilities regarding security practices, patching cadence, breach notifications, and incident response.
4. Continuous monitoring: Implement ongoing monitoring mechanisms to track the cybersecurity posture of vendors. This can include automated monitoring tools, regular vulnerability scans, and periodic audits. With data insights into vendor activity, you can scale and take a much more targeted approach to risk assessments.
5. Provide training and support: Offer resources, training, and guidance to vendors to help them improve their cybersecurity practices. Share best practices and findings from your assessments so they can address security gaps.

How can we ensure effective handling and treatment of data?

A golden rule in third-party risk management is to only share the minimum information your vendors need, in order to limit your exposure as much as possible.

To ensure effective handling and treatment of data, organizations should implement data classification and access controls best practices, including encryption, data lifecycle management, classifying data based on sensitivity, and limiting unauthorized access through strong authentication mechanisms (such as MFA or zero trust).

These practices are the foundation for setting clear expectations for your vendors, which should be cemented into your contracts. As part of risk assessments, security teams need a deep dive into the security controls of any vendor that will handle data, including data storage procedures, security certifications, backup strategies, and encryption at rest policies, plus proof of implementation of said measures.

How can we gain visibility across the entire supply chain?

The key is to take a risk-based approach. Prioritizing the vendor inventory helps organizations determine whether a vendor needs a more in-depth assessment or not, and what requirements to include in it. Their handling of sensitive data (or lack thereof) and their criticality to the business are key factors to consider.

To improve visibility, organizations require solutions that can identify their entire digital footprint and offer continuous visibility into the attack surface, plus tools to mitigate risks and reduce exposure. This may include the network perimeter, the third-party supply chain, digital assets and activities that lie outside the firewall, shadow IT, cloud services, remote offices, and assets that may not be on current inventory.

Dedicated solutions such as those offered by Bitsight can discover all of these assets automatically and identify where they are located for quick remediation—with dashboards broken down by cloud provider, geography, and business unit—as well as the corresponding cyber risk associated with individual assets. Based on this data, teams can gauge which assets represent the greatest proportion of risk and leverage additional context to make informed decisions and prioritize remediation efforts.

For example, managers can discover if multiple cloud instances are at play, perhaps as the result of an acquisition, such as an instance of Google Cloud in a business unit —a surprising find for IT managers who thought their cloud footprint was limited to AWS.

Beyond third parties, what are some of the biggest vulnerabilities within the supply chain?

As companies increasingly rely on digital assets and cloud infrastructure to conduct business, their attack surface grows exponentially, leaving them vulnerable to a wide range of cyber threats or attacks, such as those suffered by Kaseya and SolarWinds. These types of supply chain compromises allow adversaries to move laterally within the network once they’ve breached an organization, which can involve installing additional backdoors or other means of persistent access.

In response, attack surface and exposure management are emerging as critical capabilities for organizations to protect their digital assets and reduce the risk of data breaches and cyber attacks.

Risks can also reside in hardware and software components across the supply chain. As the market demands quicker software release cycles, many code components are not thoroughly scanned for vulnerabilities, creating more opportunities for malicious actors to compromise the supply chain. This can involve injecting malware or backdoors into software updates or compromising the integrity of hardware devices during manufacturing or distribution.

Similarly, physical threats or even geopolitical, legal, economic, and social factors can compromise the supply chain’s resilience. Think new regulations, a war, or a pandemic. To address these vulnerabilities, organizations need a comprehensive approach to managing supply chain risks. This entails conducting thorough risk assessments, continuously monitoring the supply chain, and implementing proactive strategies to mitigate risks.