For good cyber hygiene, organizations must continuously monitor third-party risk
Insurance, regulations, security experts are boosting awareness of the threat landscape
In the past couple of years, third-party risk has grown from a topic only discussed by cybersecurity circles to a companywide concern. The tipping point may have been in 2014 when Target’s point-of-sale (POS) system was compromised, and the details of 110 million in-store customers were stolen.
How did the hackers do it? They were able to embed BlackPOS malware inside Target’s network by using log-in credentials handed out to a third-party heating, ventilation and air conditioning company.
Earlier this year, third-party risk came into play in Hollywood. A film production company working on the hit Netflix show “Orange is the New Black” was breached. Access via a third-party supplier is being widely discussed as a likely contributing factor. The stolen intellectual property subsequently has been leveraged as part of a blackmail attempt.
Currently, between 60 percent and 70 percent of breaches are attributed to a third party. For hackers, the easiest path into a well-protected organization often is through business connectivity. The more businesses connect with one another, share log-in credentials, and provide remote access to servers, the more likely third-party attacks will become.
I sat down with Pete Agresta, chief revenue officer for LookingGlass Cyber Solutions, at Black Hat 2017 in Las Vegas to discuss rising awareness of gaping third-party exposures. Some takeaways from our talk:
Incentives are encouraging organizations to implement third-party risk programs. As the threat of third-party attacks has spread, so has the awareness. Regulatory requirements are becoming much more common. In New York state, for instance, every finance organization is required to have a third-party risk program. Insurance companies also are beginning to provide a commercial incentive for organizations to have the best third-party hygiene possible, in the form of a different type of underwriting.
One-time assessments of suppliers are not enough. Organizations are beginning to carry out assessments of the state of their suppliers’ cybersecurity. But doing this once at the start of a relationship isn’t enough. The future is continuous monitoring and a switch to a real-time approach, whereby companies can assess the health and hygiene of partners on an ongoing basis.
Hire a third party to help with assessments. It might seem counter-intuitive, but the innovation and expert knowledge of outside specialists will help organizations mitigate third-party risks. Companies like LookingGlass, for instance, can help organizations understand what is discoverable in their environment and how that might be exploited.