Key to Proactive Cyber Security Is Management of Third-Party Vendor Risks

The hack of the MOVEit file transfer platform, developed by Progress Software and used by businesses of all sizes, serves as a reminder of the potential vulnerabilities faced by third party vendors.

In this June 2023 hack, attackers exploited a vulnerability in the MOVEit software. Through a structured query injection (SQL) injection of malicious code, they gained unauthorized access to the platform and stole data from multiple organizations.

And this is not the only high-profile attack blamed on vulnerabilities in third-party software. In December 2020, the SolarWinds hack, caused by vulnerabilities in SolarWinds Orion software allowed attackers to infiltrate the networks of multiple organizations.

The implications for businesses cannot be underestimated. Such vulnerabilities pose risks not only from data breaches but also from business interruption, which can be particularly dangerous for manufacturing companies. The restoration process may take weeks, leading to production halts and loss of business. In other industries, if a vendor-provided software system controls critical infrastructure, a vulnerability in that software could significantly affect its availability.

Rather than solely focusing on individual vulnerabilities, it is crucial for businesses to adopt a comprehensive approach to cyber processes and manage vulnerabilities based on their severity. A collaboration between the cyber insurance industry and clients is necessary to strengthen the focus on vendor risk management policies.

Such collaboration involves identifying and assessing risks posed by vendors more accurately by going beyond simplistic vendor questionnaires to active testing and awareness training. To assure a minimum standard, vendors may be required to implement additional controls to gain the client’s trust and ultimately sign the deal to become an approved service provider. The maintenance of a cyber insurance policy may be part of the requirements too.

By implementing these steps, businesses can reduce their exposure to vendor-related vulnerabilities. Additionally, sharing reports generated by cyber security vendors during the assessment phase with the insurance market can help gain a better understanding of risk quality and save clients time by eliminating lengthy questionnaires.

It is important to note that the risk landscape is constantly evolving, and vendor-related vulnerabilities will continue to evolve as well. An example of some of these trends are: increased reliance on cloud-based software; the growth of the Internet of Things (IoT) connecting businesses to more devices and systems beyond their direct control; and the rise of artificial intelligence (AI) and increased dependence on AI-powered software for critical decision-making.

To stay ahead of these risks, businesses must proactively manage third-party risk. Here are nine crucial steps that companies should adopt to safeguard their businesses against vendor-related risks:

• Vendor selection and control. Rather than solely screening vendors during the onboarding process, continuous reviewing and auditing of their standards should be implemented.

• Hardware and software inventory. Businesses must have an accurate understanding of their network infrastructure. Network schemes should be established to assess network segregation, identify servers and applications, and document the services they perform.

• Cloud services configuration and monitoring. Cloud services are not inherently secure and require proper configuration and management. It is crucial to understand how vendors handle cloud services and security in terms of IT security best practices.

• Monitoring third-party activities. Establishing and monitoring a safe channel of communication between your company and the vendor is important. Providing them with a separate environment with multiple layers of security, such as through virtual desktop infrastructure (VDI) or other secure systems, can help mitigate risks.

• Patch management. Prompt and effective patch management is essential not only for operating systems but also for third-party software. Patches should be executed without delay to address any known vulnerabilities promptly.

• Data encryption. Encryption should be implemented both at rest and during transit. By encrypting data, businesses significantly increase the difficulty for cybercriminals to access and misuse valuable information.

• Vendor cyber insurance. Consider vendors who have their own cyber insurance policies, including liability and first-party coverage. This provides an additional layer of protection and reassurance in the event of a cyber incident involving the vendor.

• Business impact analysis and preparedness. Implementing and regularly testing business continuity, disaster recovery, and incident response plans are essential. Define recovery time objectives and recovery point objectives to ensure a swift and efficient response.

• Cultivate security awareness. Educate employees and management about common attack vectors and the importance of cautious behavior. Stress the fact that attacks can begin with a simple click in an email. Vigilance and attention to potential threats can prevent many cybersecurity incidents.

With cyber threats becoming increasingly complex – and with the level of sophistication of cyber attacks increasing and posing a significant risk – companies must act now. The cost of being hacked can be devastating, underscoring the need for organizations, regardless of their size, to prioritize cyber security. Investing in advanced threat detection and prevention technologies, employing regular employee training programs, implementing robust access controls, and conducting regular security audits are vital steps to take to defend against evolving cyber threats. Of course, cyber insurance is important to help businesses mitigate the risk should the worst happen.

Topics Cyber