The SolarWinds breach, while incredibly serious, is a flash in the pan brought upon by a simple vulnerability that was leveraged to gather intelligence, mine data, and to sow animosity and resentment between organizations. It is not the first breach, nor will it be the last, that reverberates through a web of connected enterprises, and government institutions.
Unfortunately, even organizations with mature security programs are still at high risk. While they may feel insulated from the consequences of a breach like SolarWinds, the vulnerabilities exploited in this attack demonstrate that even the most robust security programs can be undermined by less secured third-party vendors and/or supply chain partners.
The time is now for organizations to prioritize understanding or appreciating the exposure brought on by expanding their vendor ecosystem. By acknowledging the common need to protect ourselves and making strategic changes to how we manage vendors, ideally by creating consistent and comparative pictures of risk and exposure, organizations can work together to mitigate the greatest vulnerabilities.
Here are some steps organizations can take to ensure a more secure future:
Assess the security posture of companies within your vendor ecosystem
One out of every five enterprises are connected to high-risk third parties within a given cyber ecosystem. Unfortunately, even when just one vulnerable organization is breached, severe consequences can occur to a variety of organizations, even if they hold stronger security postures. These types of detrimental third-party security incidents have resulted in some of the biggest breaches known today, such as Target, Experian, Quest Diagnostics, Facebook, Lord & Taylor, the FBI, and many others. When an organization is able to identify which third-parties and supply chain partners pose the highest risk, they can ensure the proper security controls are in place to best mitigate risk.
Communicate and share intelligence and data amongst organizations
A recent study found that organizations tend to focus on assessing the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk. In order to keep up with the sheer volume of developing cyber risks and security vulnerabilities, the individual, and siloed management of third-party cyber risk must pivot to more comprehensive, collaborative solutions. Creating a safe cyber ecosystem will take all organizations within it. Understanding exposure cannot be done in a silo; it's imperative that we not only break down the cybersecurity silos within an organization, but also break down these silos between vendors as well. Perimeter security is no longer sufficient, so a more collaborative security is the best approach moving forward.
Use standardized risk data to create comparative pictures of risk
We encourage a standardized approach to identifying and mitigating risk which provides organizations with insights about potential risks assumed in a partnership as well as a validated understanding of the controls third parties and supply chain partners have in place to prevent threats. Using such an approach enables enterprises to make informed decisions about new and existing vendors and also allows organizations to disseminate comparable information via a risk exchange or other channels. As a result, enterprises can create and visualize consistent and comparative pictures of risk, crowdsource efforts, and work collectively with third parties to mitigate the greatest vulnerabilities.
Over 60 percent of breaches are linked to third parties - whether they are a supply chain vendor, cloud provider, or POS provider - and it's time to reduce and manage these third party risks. Until organizations realize how interconnected they are within cyber ecosystems and just how much damage a tangentially-related cyberattack can do, bad actors who understand these connections will stay a step ahead. Time is overdue for enterprises to take charge of the common, mundane, and everyday attacks that happen because of unknown, unassessed vendors and suppliers. Until then, devastating breaches will continue to happen as this issue remains the biggest cybersecurity issue no one is talking about.