For good cyber hygiene, organizations must continuously monitor third-party risk

Insurance, regulations, security experts are boosting awareness of the threat landscape


In the past couple of years, third-party risk has grown from a topic only discussed by cybersecurity circles to a companywide concern. The tipping point may have been in 2014 when Target’s point-of-sale (POS) system was compromised, and the details of 110 million in-store customers were stolen.

How did the hackers do it? They were able to embed BlackPOS malware inside Target’s network by using log-in credentials handed out to a third-party heating, ventilation and air conditioning company.

Earlier this year, third-party risk came into play in Hollywood. A film production company working on the hit Netflix show “Orange is the New Black” was breached. Access via a third-party supplier is being widely discussed as a likely contributing factor. The stolen intellectual property subsequently has been leveraged as part of a blackmail attempt.


Currently, between 60 percent and 70 percent of breaches are attributed to a third party. For hackers, the easiest path into a well-protected organization often is through business connectivity. The more businesses connect with one another, share log-in credentials, and provide remote access to servers, the more likely third-party attacks will become.
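The Target incident above is the textbook case of a vendor account being used far outside the scope it was issued for. One concrete defensive control that follows from it is to keep an explicit entitlement for every third-party account (which hosts, which hours) and to alert when successful logins fall outside it. The following Python is an added illustration written for this article, not code from LookingGlass or any organization mentioned here; the vendor account names, host naming scheme and log format are constructed for the example.

```python
"""Flag third-party (vendor) account activity outside its granted scope.

Added illustration for this article. The account names, host prefixes, time
windows and log lines below are constructed; they do not describe a real
environment.
"""
import re
from dataclasses import dataclass

# Constructed entitlements: each vendor account may reach hosts whose names
# start with one of the listed prefixes, and only during the listed local hours.
VENDOR_SCOPE = {
    "svc_hvac_vendor": {"host_prefixes": ("bms-",), "hours": range(7, 19)},
    "svc_payroll_vendor": {"host_prefixes": ("hr-",), "hours": range(8, 18)},
}

# Constructed log format: ISO timestamp, user, target host, login result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    user: str
    host: str
    timestamp: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def check_event(event):
    """Return a Finding if a tracked vendor account acted outside its scope."""
    scope = VENDOR_SCOPE.get(event["user"])
    if scope is None:
        return None  # not a third-party account we track
    host = event["host"]
    hour = int(event["ts"][11:13])  # hour field of the ISO timestamp
    if not host.startswith(scope["host_prefixes"]):
        return Finding(event["user"], host, event["ts"],
                       "host outside vendor scope")
    if hour not in scope["hours"]:
        return Finding(event["user"], host, event["ts"],
                       f"login at hour {hour:02d} outside allowed window")
    return None


def scan(lines):
    """Run the scope check over successful logins and collect findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "success":
            continue  # malformed lines and failed logins are out of scope here
        finding = check_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one in-scope login, one after hours, one to a
# point-of-sale host the HVAC account was never entitled to, one employee
# login (untracked) and one failed vendor login.
SAMPLE_LOG = [
    "2017-07-20T09:15:02 user=svc_hvac_vendor host=bms-controller-1 result=success",
    "2017-07-20T23:41:10 user=svc_hvac_vendor host=bms-controller-1 result=success",
    "2017-07-21T10:02:33 user=svc_hvac_vendor host=pos-store-042 result=success",
    "2017-07-21T10:05:00 user=jdoe host=pos-store-042 result=success",
    "2017-07-21T10:06:00 user=svc_payroll_vendor host=hr-app-2 result=failed",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} -> {f.host}: {f.reason}")
```

Running the script prints two findings: the after-hours HVAC login and the HVAC account reaching a POS host. The entitlement table is the important part; it forces the organization to write down what each supplier actually needs, which is also the input a continuous monitoring program needs in order to re-check that scope as the relationship changes.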

Pete Agresta, LookingGlass Cyber Solutions chief revenue officer

I sat down with Pete Agresta, chief revenue officer for LookingGlass Cyber Solutions, at Black Hat 2017 in Las Vegas to discuss rising awareness of gaping third-party exposures. Some takeaways from our talk:

Incentives are encouraging organizations to implement third-party risk programs. As the threat of third-party attacks has spread, so has the awareness. Regulatory requirements are becoming much more common. In New York state, for instance, every finance organization is required to have a third-party risk program. Insurance companies also are beginning to provide a commercial incentive for organizations to have the best third-party hygiene possible, in the form of a different type of underwriting.

One-time assessments of suppliers are not enough. Organizations are beginning to carry out assessments of the state of their suppliers’ cybersecurity. But doing this once at the start of a relationship isn’t enough. Continuous monitoring and a switch to a real-time approach, whereby companies can assess the health and hygiene of partners on the go, is the future.

Hire a third party to help with assessments. It might seem counterintuitive, but the innovation and expert knowledge of outside specialists will help organizations mitigate third-party risks. Companies like LookingGlass, for instance, can help organizations understand what is discoverable in their environment and how that might be exploited.

For a deeper drill down, please listen to the accompanying podcast.
