Do You Have Blind Faith in Your External Partners?

Christine Halvorsen, Managing Director Risk and Compliance

A key point: Cyber criminals are finding success exploiting vulnerabilities in outsourcing arrangements due in large part to the “blind faith” complacency with which many businesses manage third-party vendor relationships.

As guardians of the enterprise, business leaders should ask themselves these critical questions when considering a third-party vendor arrangement: Is our organization entering into the relationship with blind faith? Has our organization identified, assessed and mitigated the risks presented by our intricate external partner network?

The bottom line: Organizations that have not itemized and reconciled their third-party relationships against consistent risk criteria, business-critical processes and applications are exposed to a broader range of vulnerabilities and misadventures. They should begin to create a circle of trust by taking the five critical steps outlined below.

Go deeper: Consider, for example, the rise of cloud technology and services, which has resulted in a boom in as-a-service offerings, artificial intelligence/machine learning (AI/ML) and Internet of Things (IoT), among other emerging technologies. Companies are implementing these technologies at an incredibly fast pace to be competitive, potentially compromising security in the process. It is this blind faith in giving more third-party vendors privileged access to systems and data, without appropriate checks, which can introduce vulnerabilities and risks to the organization.

The cyber supply chain attack on MOVEit, allegedly by the Russian-linked Clop criminal ransomware group, is a notable example and a sure sign that companies need to step up their security and resilience efforts. The attack exploited a vulnerability within the MOVEit services that allegedly allowed Clop to gain access to customer information. The vulnerability was traced to a single service provider that was part of a spiderweb of interconnectivity between the service provider and customers. According to the initial damage assessment, more than 200 organizations and at least 17.5 million individuals were affected by the breach.

The MOVEit attack, like many others, should prompt every business leader to ask: “Has our organization identified, assessed and mitigated the risks posed by our intricate external partner network?” It should also cause every organization to consider creating a circle of trust through established due diligence frameworks and processes. The following five critical steps can help organizations on this journey:

  1. Correlate all external partners and the services they provide to the organization. This exercise would help to:
    • Identify assets and services within the organization delivered through external partners.
    • Identify threats, vulnerabilities and consequences from the organization’s relationship with those external partners.
    • Determine the risk tolerance and tradeoffs related to the protection of those assets and services.
    • Implement a continuous monitoring program.
  2. Establish a Cyber Supply Chain Risk Management (CSCRM) framework. This process involves:
    • Conducting a CSCRM assessment.
    • Auditing the CSCRM processes.
    • Documenting assessment results, clarifying findings, and incorporating lessons learned into the CSCRM policies and processes.
    • Establishing mitigation actions.
    • Identifying all stakeholders and individual responsible owners (hub and spoke).
  3. Perform comprehensive due diligence on suppliers of products, services, materials and contractual agreements. This process entails:
    • Conducting research and due diligence on suppliers’ risks, with a particular focus on sanctions, cyber issues, financial strength, reputational risk, foreign ownership, control or influence (FOCI), operational issues, and overall risk score.
    • Building an understanding of each supplier’s risk.
    • Conducting a Service Level Agreement (SLA) and/or contractual audit.
    • Mapping each supplier to the cyber vulnerabilities it exposes the organization to.
  4. Develop and implement an asset management system for software and hardware. This is done by:
    • Establishing a Software Bill of Materials (SBOM) to create a comprehensive inventory of the components used to make a piece of software.
    • Establishing a Hardware Bill of Materials (HBOM) to create a comprehensive inventory of the components used within the organization’s infrastructure.
  5. Deploy a mitigation strategy to manage risk. This is critical to:
    • Determining the breadth and depth of the threat and vulnerability.
    • Establishing risk posture.
    • Establishing approval and escalation procedures.
    • Developing and deploying a training program.
    • Automating mitigation processes where applicable.
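Steps 1, 2 and 4 above come together in one mechanical check: take the software inventory (the SBOM) and reconcile every component's supplier against the vendor register, so that no third party is delivering code into the environment without a named owner and a current risk assessment. The script below is an added example written for this post, not code from the author or from any product it mentions. The SBOM is a constructed, minimal JSON document using real CycloneDX 1.x field names (`components`, `name`, `version`, `purl`, `supplier`); the vendor register and its fields (`owner`, `access`, `last_assessed`), the 365-day assessment window and the sample supplier names are assumptions made for the example.

```python
"""Reconcile an SBOM against a third-party vendor register.

Added example, not part of the original post. Flags the "blind faith" cases
the post warns about: components with no recorded supplier, suppliers nobody
has registered, stale risk assessments, and privileged suppliers with no owner.
"""
import json
from datetime import date

# Constructed sample SBOM (CycloneDX-style field names, fictional components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "file-transfer-sdk", "version": "4.2.0",
     "purl": "pkg:generic/file-transfer-sdk@4.2.0",
     "supplier": {"name": "Example Transfer Co"}},
    {"type": "library", "name": "ml-scoring", "version": "1.0.3",
     "purl": "pkg:pypi/ml-scoring@1.0.3",
     "supplier": {"name": "Acme Analytics"}},
    {"type": "library", "name": "iot-agent", "version": "2.1.0",
     "purl": "pkg:generic/iot-agent@2.1.0",
     "supplier": {"name": "Unknown Devices Ltd"}},
    {"type": "library", "name": "leftover-util", "version": "0.9.1",
     "purl": "pkg:npm/leftover-util@0.9.1"}
  ]
}
"""

# Constructed vendor register (hypothetical schema): who owns each
# relationship, what access the supplier holds, and when its risk
# assessment was last refreshed.
VENDOR_REGISTER = {
    "Example Transfer Co": {"owner": "it-ops", "access": "privileged",
                            "last_assessed": date(2022, 11, 1)},
    "Acme Analytics": {"owner": None, "access": "privileged",
                       "last_assessed": date(2023, 9, 15)},
}

# Assumed policy: an assessment older than a year counts as stale.
MAX_ASSESSMENT_AGE_DAYS = 365
# Fixed "today" so the report is reproducible.
REPORT_DATE = date(2024, 1, 10)


def load_components(sbom_text):
    """Return (name, version, supplier-or-None) for each SBOM component."""
    bom = json.loads(sbom_text)
    out = []
    for c in bom.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        out.append((c["name"], c.get("version", "?"), supplier))
    return out


def reconcile(components, register, today):
    """Return a dict of finding type -> sorted list of 'name@version' labels."""
    findings = {"no_supplier": [], "unregistered_supplier": [],
                "stale_assessment": [], "privileged_without_owner": []}
    for name, version, supplier in components:
        label = f"{name}@{version}"
        if supplier is None:
            # The SBOM itself does not say who produced this component.
            findings["no_supplier"].append(label)
            continue
        entry = register.get(supplier)
        if entry is None:
            # Code from a supplier the organization has never registered.
            findings["unregistered_supplier"].append(label)
            continue
        if (today - entry["last_assessed"]).days > MAX_ASSESSMENT_AGE_DAYS:
            findings["stale_assessment"].append(label)
        if entry["access"] == "privileged" and not entry["owner"]:
            # Privileged access with nobody accountable (no hub-and-spoke owner).
            findings["privileged_without_owner"].append(label)
    return {k: sorted(v) for k, v in findings.items()}


def main():
    report = reconcile(load_components(SBOM_JSON), VENDOR_REGISTER, REPORT_DATE)
    for kind, items in report.items():
        print(f"{kind}: {', '.join(items) if items else 'none'}")


if __name__ == "__main__":
    main()
```

Run as-is, the report shows one finding of each type: `leftover-util` has no supplier in the SBOM, `iot-agent` comes from a supplier not in the register, `file-transfer-sdk`'s supplier was last assessed more than a year before the report date, and `ml-scoring`'s supplier holds privileged access with no owner. In a real program the register would be the output of step 1 and the SBOM would be generated by the build pipeline; the point of the check is that every finding maps directly to a due-diligence or ownership gap someone has to close.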

Here’s the bottom line — and it cannot be overstated: Organizations that have not itemized and reconciled their third-party relationships against consistent risk criteria, business-critical processes and applications are exposed to a broader range of vulnerabilities and misadventures. The absence of a circle of trust is equivalent to blind faith.

This post was adapted from an article that appeared on the Forbes Technology Council.