If Total Risk Elimination is Impossible, How Do You Best Minimize Third-Party Cyber Risk?

by CyberGRX

Zero isn't possible. 

No matter how much money you spend on cybersecurity, how many people are on your infosec team, or how many security tools you deploy, there's no such thing as zero risk.

Here's why: Even as security tools and best practices evolve, so do attacker efforts. From the use of AI to learn protective patterns and hide in corporate networks to the evolution of ransomware-as-a-service (RaaS) marketplaces that allow cybercriminals to purchase ransomware payloads (complete with customer support), malicious actors are keeping pace with new security tools. This creates a kind of IT arms race; even as new techniques are deployed to limit risk, attackers deploy new ways to go under, around, or through defensive barriers. 

And while the recognition that it's impossible to solve every security problem and detect every threat is frustrating, it also presents an opportunity. Instead of focusing on what you can't do — completely secure every environment, all the time — the non-zero approach lets you focus on what you can: Reduce the overall risk of attacks and mitigate their impact when they occur.

Cybersecurity Risks: What You Don't See Can Hurt You

Before you can create a plan to reduce cyber risk, you need to know what you're up against.

Some threats are obvious. For example, distributed denial-of-service (DDoS) attacks are often accompanied by sudden spikes in network traffic coupled with significant process slowdowns. Phishing campaigns, meanwhile, can often be mitigated if companies create a culture of security that sees staff flagging and reporting these emails rather than simply deleting them (or worse, responding).

Where risk really ramps up, however, is when it's effectively invisible. To deliver this disappearing act, attackers often use a two-pronged strategy. First, they look for solutions, services, or hardware that exist outside of day-to-day operations. These might include connected devices at the periphery of networks that allow lateral movement when compromised, or threat actors might opt for a hiding-in-plain sight approach by finding new vulnerabilities in widely-used tools.

Next, attackers look to obscure their actions by targeting third-party services that are one (or more) levels removed from critical corporate networks. By using this outside-in approach, malicious actors can compromise devices or software that are both physically and digitally distant from key operations and then work their way back to the center undetected.

Consider two recent examples. 

First is Log4Shell, in which attackers leveraged an open-source logging library known as log4j. Used by millions of applications and services worldwide to keep a running list of activities performed, log4j had few restrictions on what type of data could be saved. Attackers discovered that by posting specific strings of characters into chat messages or other recorded activities, they were able remotely to execute code on supposedly secure servers. Despite the massive potential for damage, the vulnerability was completely unknown until it was detected on sites hosting Minecraft servers, in turn leaving companies scrambling to find and deploy a fix.

On the hardware side of security risk, meanwhile are always-connected Internet of Things (IoT) devices. Not only are these devices manufactured and sold by third parties, but they often contain limited (or absent) firmware security controls. This creates a scenario of unknown risk: Any device could be a potential compromise point. That's exactly what happened at a casino in 2018: Hackers managed to breach a connected fish tank thermometer, move laterally into the casino network, steal the high roller database, and then exfiltrate it to the cloud via the thermometer. 

Set the Stage Early (and Often) That Cyber Risk Is Never Zero 

It's now when rather than if for network compromises and data breaches. So what can companies do to reduce their total risk?

This starts with the company-wide recognition that risk is never zero. From C-suite executives to IT leaders to front-line staff and third-party vendors, it's critical to make it clear that the goal isn't to sweep security threats under the rug but rather to be clear and up-front about potential problems and make a plan to address them. 

Five strategies can also help set the stage for better security:

1. Assess new third-party vendors

Before bringing on any new tool or service, it's worth completing a formal assessment of the vendor, their product, and their current security posture. 

In practice, this means creating a consistent evaluation framework that can be used with all new vendors. This framework should include an examination of the product or service for any obvious vulnerabilities — such as the lack of firmware security or the inability to update this firmware — along with a discussion about the security practices and controls put in place but the third party itself. This is especially critical for cloud-based services that see data stored off-site (and possibly out of the country).

2. Ongoing monitoring of third-party vendors

Next, make sure you have a process in place to monitor existing vendors and ensure their security practices meet your needs. If issues are detected, it's best to remediate them before bringing on a new service or solution. This helps ensure you don't compound an already-existing security issue.

3. Create a reliable, repeatable process

When it's time to bring on a new vendor, reliable and repeatable processes can help you avoid security risks. By creating a series of steps that you follow with each new potential partner, you can limit the chance that key concerns are overlooked. In addition, your security team can focus on the big picture rather than trying to pinpoint the right questions to ask.

4.  Have a formal prevention, detection, and response plan

Despite best efforts, incidents happen. And when they do, you need to be prepared. While you can't anticipate exactly what threats or damages will look like, you can streamline the security process by developing a formal response plan. This plan should include a clear description of the responsibilities of each security team member along with a set of steps and associated tools to detect, identify, contain, and remediate issues.

5. Consider internal risks

Last but never least? Don't ignore the risk of internal threats. Even if it were possible to eliminate all outside threats (it isn't), accidental or malicious insider risks still exist and could act as a deployment pipeline for malware. According to recent survey data, 99% of CISOs and CIOs see malicious insiders as a significant risk.

Best Practices for Mitigating Third-Party Vendor Risk 

No matter how many third-party applications, services, and devices you deploy, the ultimate responsibility for data security rests with your company. Consider organizations that collect and handle protected health information. Under HIPAA, any third parties used by businesses must be compliant with all relevant data management and storage regulations. If a breach occurs, however — even if it's entirely due to issues with third-party software or tools — your business is on the hook. 

To help reduce third-party risk, it's worth implementing best practices such as:

Due diligence before any integration

Reducing risk starts with due diligence. This means developing an evaluation process for all potential vendors that ensure they have appropriate security controls given the type of data they will be handling, and that their day-to-day practices are compliant with local, state, and federal regulations. 

Continual monitoring of risk

Next is continual monitoring. Just because a vendor is compliant when you first deploy their solution, this doesn't guarantee future solution compliance. As a result, it's critical to continually monitor network risk to determine if specific services or devices are creating opportunities for compromise.

Limit single sign-on (SSO) access to your network only

SSO is a great way to keep networks secure without impacting user workflows. The caveat? This approach should only be used on local networks and never for third parties. By ensuring that third-party access is always governed by strong authentication and permissions are regulated by use cases, you can reduce access-related risk.

Ensure configurations match your security profile

Different vendors have different security configurations. Before bringing on any third-party solution, ask about their current configurations and see if it matches your own. If not, determine if changes can be made to ensure alignment. If this isn't possible, consider another option.

Keep your ear to the ground

As the Log4Shell vulnerability demonstrates, threats can emerge from any vector at any time. To help reduce the chance of unexpected compromise, it's important to stay in the loop about new security weaknesses, compromise points, and threat vectors.

Practice shared responsibility

Corporate culture also plays a role in effective security. If C-suite execs and front-line staff assume that security is a purely IT responsibility, the result is a retroactive response, since teams must handle issues after they occur. By creating a culture that makes security a shared responsibility, however, businesses have a better chance of detecting threats ASAP. 

How Low Can You Go?

Zero cybersecurity risk is impossible, but there's still plenty of room for improvement. While your team can't eliminate all threats, conscious efforts to manage and monitor third-party solutions can significantly reduce total risk, in turn making incidents less frequent and giving your team more opportunity to design effective strategies that minimize overall impact.

To see how other CISOs are managing and monitoring third-party risk, we invite you to book a CyberGRX demo. With over 200,000 companies and 12,000 risk assessments in our Exchange platform, we help you shift your focus from gathering information to actioning it and developing appropriate risk mitigation strategies. Book a demo now.