CISO Stress Report, Dole Supply Chain Disruption Alert, Identifying Risky Vendors
In this episode of GRXcerpts:
- Are CISOs too Stressed?
- The Dole Supply Chain Disruption
- Ongoing Challenges for LastPass
- The Latest TikTok Ban
- GoDaddy’s Breach Fallout
Plus, we have good news on risk identification.
Are CISOs too stressed?
According to new research by Gartner, 25% of cybersecurity leaders will pursue different roles over the next two years due to work-related stress. Gartner analyst Deepti Gopal reports, “CISOs are on the defense, with the only possible outcomes that they do or don’t get hacked. The psychological impact directly affects decision quality and the performance of cybersecurity leaders and their teams, translating to burnout.” CISOs have had to deal with an unrelenting volume of cyber attacks year after year, and in a similar Cynet study, 93% of CISOs say they are spending more time on tactical tasks than on strategic, high-quality work. CyberGRX CISO Dave Stapleton agrees, adding, “CISOs largely believe that security should be a priority for our organizations, including at the executive level. However, many CISOs spend the majority of their day performing tactical tasks that prevent them from staying in the executive-level headspace, thus hindering their ability to demonstrate that strategic value.” Gartner’s research confirms Stapleton’s sentiment, revealing that higher attrition rates occur where risk management is not viewed as a critical function of an organization’s success. Indicators that risk management is not a business priority include compliance-centric cybersecurity programs, low executive support, and subpar industry-level maturity. Gartner’s analyst also notes that “eliminating stress is an unrealistic goal, but people can manage incredibly challenging and stressful jobs in cultures where they are supported.”
Dole Supply Chain Disruption
For restaurants and hospitality establishments dependent on fruits and vegetables supplied by Dole, be aware the company was the victim of a ransomware attack that temporarily shut down its North American operations. As Dole’s production and distribution are tightly coordinated to minimize waste and cost, any disruption caused by a cyberattack can have a ripple effect throughout the supply chain, leading to shortages and inevitable price increases. A CNN business report noted that some grocers were having difficulty stocking Dole salads, although the produce giant is still investigating the impact of the incident.
LastPass Challenges Continue
Password manager LastPass continues to feel the pain from their breach last August in which a threat actor was able to steal both encrypted and plaintext customer data. We’ve since learned that the threat actor gained access by targeting a DevOps engineer’s home computer and exploiting a vulnerable third-party media software package to capture the employee’s master password and enter the LastPass corporate vault. Once the threat actors were inside the decrypted vault, they exported the entries, including the decryption keys needed to access production backups, other cloud-based storage resources, and related database backups. It is unknown if LastPass has a device trust policy prohibiting using unmanaged personal devices to access company systems and data, which could have made a significant difference in the outcome of this attack.
TikTok Banned from Employee Phones
To improve its cybersecurity measures, the European Union’s executive branch has temporarily banned TikTok on personal devices employees use for work. The ban reflects the widening apprehension from Western officials over the Chinese-owned video-sharing app. TikTok remains under scrutiny from both Europe and the US over security and data privacy concerns that the app could be used to promote pro-Beijing views, collect user information, or track user behaviors. In the US, half of the states and Congress have banned TikTok from official government devices. The EU ban goes into effect on March 15, although representatives have not provided any details on how the ban will be enforced.
GoDaddy Breach and Fallout
For those who use GoDaddy as their web hosting provider, new details regarding past breaches have been released. Bad actors stole source code and installed malware on servers running the web hosting control panel customers use to manage their sites and shared servers. Customer websites have been randomly redirected to malicious sites, with intermittent site redirects starting in December 2022. The incident is believed to be the work of a sophisticated and organized threat actor group targeting hosting services. GoDaddy hasn’t revealed the potential impact of the multi-year intrusion of its systems. However, speculation is that all 21 million customers are possible victims due to the long dwell times of the threat actors.
Good News - Identifying Risky Vendors
And we end with good news as CyberGRX recently announced the ability to view your entire third-party portfolio and identify your riskiest vendors according to your preferred framework. The new feature, called Portfolio Risk Findings, leverages both attested assessment data and predictive risk profiles to produce a score to help customers identify where third parties fall on the risk spectrum, from low to high risk. Given the number of vendors, partners, and suppliers an organization has coupled with the evolving threat landscape, CyberGRX CEO Fred Kneip believes it’s “no longer enough to know that a third party is risky, but where these risks lie and how critical they are to your company.” Portfolio Risk Findings helps cybersecurity teams to “find that needle in a haystack” and is the only tool of its kind. To learn more or to see your risks, book a demo now.
All information is current as of March 1, 2023. Subscribe to receive future episodes as they are released.