The more things change, the more they stay the same.
It's a well-worn adage that — in most cases — aligns with human experience. When it comes to cybersecurity risk, however, your mileage may vary.
Here's why: While traditional threat vectors such as phishing and ransomware continue to circumvent security protections, the methodologies behind these attacks are constantly evolving to help criminals compromise new frameworks. The result? It's time for a new approach to cybersecurity, and it all starts with risk assessments.
In this piece, we'll break down the current state of cyber risk, examine the efficacy of existing assessment efforts, and offer insight into the next generation of effective protection: Security Assessments 2.0.
Cyber Risk: From "If" to "When" to "How Often"
Data breaches are breaking records. According to the Identity Theft Resource Center (ITRC), the number of data breaches reported in 2021 smashed the previous record by 23%. Ransomware attacks, meanwhile, doubled in 2020 compared to 2019 and doubled again in 2021. Add in the growing impact of ransomware-as-a-service (RaaS) offerings that allow even low-skilled attackers to leverage highly effective code (complete with customer support) and it's no surprise that attacks on corporate networks aren't a matter of "if" or even "when". Now, the question is "how often?"
Several factors contribute to this ongoing attack increase.
First is the expanding attack surface. Fueled by the growth of IoT deployments across organizations and the increasing use of multiple cloud solutions to maximize performance and minimize cost, attackers have more choices than ever before when it comes to compromising corporate networks. And this attack surface is still growing. As noted by the President of CyberGRX and ProcessUnity, Fred Kneip, as companies both expand their ecosystem of digital suppliers and bring in third-party solutions to enable digital transformations, it becomes increasingly difficult to effectively manage cyber risk.
Want more on the security impact of digital transformation? Get our free eBook, Cyber Risk Intelligence in a Digitally Transformed World
Pandemic pressures also play a role in growing risk. Not only did the shift to remote and hybrid work come with a massive uptick in the number of connected devices on business networks, but also introduced an opportunity for attackers to compromise data in transit from remote workers to central offices.
The breaches speak for themselves: In 2022, attackers have gone after everything from tech giants like Microsoft to cryptocurrency exchanges to supply chains and even the Red Cross.
Facing the Reality of Risk
It's not possible to completely eliminate risk. Not the news that companies want to hear, but true nonetheless — no matter the approach, no matter the technology, and no matter the human effort applied, 100% protection is a myth. In fact, efforts to achieve this goal are counterproductive. Given the changing nature of cybersecurity, defenses with reliable records of success will become outdated as attackers find new avenues. Holding fast to existing tools because of previous security success is exactly what attackers want — and what puts data at risk.
But it's not all bad news.
With the right approach, companies can significantly reduce their total risk, and improve their ability to detect potential problems before they turn into active security threats. It all starts with the four components of cyber risk:
Threats are defined as any entity, event, or circumstance that could potentially cause harm or have an adverse impact. For example, a phishing email that contains a malicious link is a threat.
Vulnerabilities are weaknesses that could allow threats into systems if effectively exploited by bad actors. Consider the threat example above; a vulnerability could take the form of staff lacking sufficient security training to recognize phishing emails when they arrive in corporate inboxes.
Inherent risks combine to form the total amount of risk that exists within an organization in the absence of any controls to mitigate this risk.
Residual risks represent the risk remainder after controls are applied. For example, if 5 of 10 phishing emails were successful without security training and controls, and just 1 of 10 were successful after, 50% is the inherent risk and 10% is the residual risk.
Security Assessments: Generation 1.0
Security assessments are essential to help reduce third-party risk. According to Kneip, 60% of breaches now come from third parties. Why? Because the farther attackers get from the data they're after, the weaker security controls get. If cybercriminals can compromise the networks belonging to critical suppliers — or supplier's suppliers — they can potentially make lateral moves into enterprise networks, in turn giving them access to key data. The Target data breach, a result of credentials stolen from a third-party vendor, is a prime example.
Gaining access through a third party makes it possible for attackers to put in even less effort for the same results. "If I know a company is taking the time and effort to protect their environment," says Kneip, "I'm going to look at their third parties and say 'who are they sending their data to?' I don't really care if I get the data from them or one of their partners."
Conducting third-party security assessments makes it possible to reduce overall risk by identifying potential paths of compromise and evaluating the likelihood of those threats. To streamline this process, many companies adopt what's known as a third-party risk management (TPRM) strategy that helps them limit the potential risk of data breaches, data theft or exfiltration, malware, fraud, phishing attacks, and malicious insider attacks. In practice, TPRM frameworks look to collect self-reported risk data from business partners and suppliers, correlate and curate this data and then use this cleaned data to determine overall risk.
The hard truth? While security assessments of any kind are better than flying blind, companies often face four stumbling blocks with first-generation efforts.
Because first-generation practices rely on self-assessments from third parties, many companies find themselves chasing down these assessments — asking again and again for updates only to be told "soon." It makes sense: In the same way that in-house IT teams are overburdened trying to manage current cybersecurity hygiene and stay ahead of emerging threats, completing assessments for other companies probably isn't top of mind for third-party IT pros.
Once assessments are chased down, the data is often confined to a spreadsheet. The problem? The static nature of spreadsheets means they're almost instantly outdated. Information added months or even weeks ago may no longer be applicable, and may actually lead to increased risk.
All Data, No Insight
With data comes insight, right? Not necessarily. Simply collecting and analyzing data doesn't guarantee actionable insight. Here's why: If you're only looking at individual assessments, you may be missing the forest for the trees. Patterns and trends in data that you can't see may hold the key to addressing the root causes of compromise. In isolation, meanwhile, this data can help you treat symptoms but the problems will reoccur.
As third parties become indispensable for procurement, supply chain, data collection, and process management efforts, many companies find themselves unable to keep pace with their growing third-party landscape. The result is a lack of scalable assessment efforts and in turn greater security risk.
Security Assessments 2.0: The New Kid on the Block
Organizations now work with 5,800 third parties on average. This creates a massive number of possible compromise paths that attackers could use to access key data or disrupt critical systems.
It also means that first-generation security assessments simply can't keep up with the scale and scope of third-party threats. To help address this concern, there's a new kid on the block: Security Assessments 2.0. Building on the work of its predecessor, these next-generation assessments focus on continual data collection to empower real-time decision-making that scales along with business needs.
Key advantages of the 2.0 model include:
By automating the process of data collection, IT teams don't need to spend their time chasing assessments. Instead, they've got access to the data they need, when they need it, to make decisions about new or current partners and suppliers.
Utilizing a one-to-many approach that democratizes the use of assessment data, companies can shift from reactive to proactive threat assessments by using real-time data to create up-to-date threat models that account for shifting security conditions. Instead of pivoting to a new protective posture after attacks are underway, threat tools help organizations stay one step ahead of attackers.
Attack Path Mapping
The more businesses know about preferred attack paths, the better equipped they are to take effective action. Given the sheer number of potential compromise pathways, understanding the likely route taken by potential threats makes it possible to shore up protection where it's needed most, and respond quickly if attackers change routes.
It's Time for Security Assessments 2.0
"At its core, CyberGRX is a third-party risk management platform built on the concept of a one-to-many exchange, where we help companies evaluate their partners and suppliers," says Kneip. In other words, CyberGRX sets the stage for companies to gain complete visibility into their third-party risk profile and take action to mitigate and manage this overall risk.
And with the announcement of CyberGRX and ProcessUnity's merger, the two platforms take security assessments 2.0 even further. Together, these well-matched companies bring to market the only integrated, end-to-end solution for third-party and cyber-risk assessments that exponentially increases the number of assessments that can be completed and accessed for analysis, as well as impacts the speed-to-completion as more customers and vendors engage with the ecosystem.
The next generation of security assessments has arrived. Say goodbye to assessment chasing and hello to a more effective way to manage your third-party risks. See what Security Assessment 2.0 is all about– book a demo today.