Standing Tall: The Role of Security Posture in Keeping Companies Safe
A resilient security posture shouldn’t be taken for granted, especially with a constantly changing threat landscape. Global cyberattacks rose 38% in 2022 compared to the year before. It's a worrying but not unexpected trend — as more companies make the shift to long-term remote or hybrid work options for staff, overall attack surfaces are increasing.
Attackers, meanwhile, are both pushing the envelope and getting creative. We’ve recently seen the rise of new threat vectors such as OneNote malware meant to circumvent Microsoft's default disabling of macros in Office 365, while more traditional tactics such as phishing attacks are also gaining ground as attackers leverage new technologies such as natural language processing (NLP) to circumvent automated detection tools.
The result? Effectively combating both emerging and existing threats requires companies to ensure their third-party providers have security postures that combine agility, speed, and strength. Here's what that looks like in practice.
What is Security Posture?
An organization's security posture refers to its overall readiness to handle malicious attacks. This posture is a combination of the people, processes, and policies that help companies detect, identify and defend against attacks.
Consider the analogous example of physical posture. As noted by Harvard Health Publishing, poor posture has been linked to health issues ranging from back and neck conditions to balance problems and breathing difficulties. The same applies to cybersecurity. Poor posture can impact a company's ability to quickly take action and recover after security threats have been contained.
Security postures cover five broad areas:
Networks underpin all IT operations. From the movement of data to the integration of hardware and software tools to the operations carried out by end users, everything happens on the network. As a result, creating an effective security posture isn't possible without first considering the scale, scope, and inherent security risk of network services.
By understanding how third-party providers monitor and manage current network connections and how these connections interact, IT teams can get a better sense of what's working, what's at risk, and what needs to change.
As the volume and variety of data handled by third parties continue to increase, businesses must understand its role in effective security posture. In part, this means ensuring that data is effectively protected by encryption at rest, in transit, and in use, but it also means cataloging and categorizing this critical resource. Where is data stored? How is it accessed? What role does it play in day-to-day operations? Who has access to this data?
Hardware and Software
From servers to PCs, peripherals to mobile devices, hardware is a common compromise point for companies. Consider an attacker that manages to infect a third-party mobile device, move laterally into networks, and then make the jump into first-party systems. If this attack goes unnoticed, malicious actors could spend weeks or months carrying out reconnaissance to determine the ideal path of attack.
Connected applications and software, meanwhile, create an ever-expanding attack surface that puts organizations at risk. One current example is the use of chat-based customer service programs to infect corporate networks — malicious actors are now using these platforms to deliver malicious payloads by convincing customer service agents to download infected files masquerading as images that show the extent of customer account issues. If successful, these attacks can carry out everything from keylogging to data exfiltration to the installation of malicious plugins.
82% of breaches involve a human element. In most cases, this human element is accidental rather than malicious, but regardless of intent, the outcome is the same: Compromised third-party systems or networks that put corporate data at risk. As result, a solid security posture must include both ongoing employee education and regular assessment of staff security competency.
Security posture refers to an organization’s overall state of cybersecurity readiness. The better an organization understands the security posture of its third-party providers, the better prepared it is to mitigate those risks — better controls and improved oversight mean fewer opportunities for compromise.
Third parties can present new vulnerabilities to an organization. By identifying third-party security gaps, risk management teams now have focus, and can work with the third party to remediate unacceptable levels of risk, thereby strengthening their security posture.
However, visibility across your portfolio can be challenging. And that’s why CyberGRX developed Portfolio Risk Findings, to help you gain visibility of unmet controls across your third-party ecosystem. See how it works:
Building a More Resilient Security Posture
Strong and agile security postures aren't built overnight. Instead, they require support from C-suite executives, collective effort from IT staff, and buy-in from front-line employees. While the specifics of security posture differ based on company priorities and industry requirements, the building basics remain the same.
The goal of strong security postures is to protect against incoming attacks, but what those attacks look like can differ based on a company's current mix of technology. For example, a business with substantial cloud investments may want to focus on the development and implementation of robust identity and access management (IAM) tools that help ensure the right people can access the right resources at the right time. An organization with more servers and software on-site, meanwhile, may prioritize employee education.
Policies and Processes
To ensure security postures can handle incoming threats and reduce total risk, businesses must create operational policies that define an organizational response. Consider phishing threats. While detection tools and employee education can help spot digital hooks, what happens next is just as important — how do staff report these issues? Who handles investigations? What happens next?
Once companies have established processes and policies, it's time for implementation. This includes testing and deployment of new services and solutions along with training for staff to ensure they understand how tools work and how to identify potential threats.
Continuous monitoring forms the final pillar of effective posture building. In the same way that business processes evolve, cybersecurity threats are constantly changing. From new malware vectors that may leverage machine learning (ML) or artificial intelligence (AI) to social engineering attacks that rely on the nature of humans to be helpful, security postures must also adjust to stay relevant and effective.
The Impact of Third Parties on Security Posture
While the first four areas of security posture — networks, data, hardware and software, and people — fall under the direct control of companies, third parties exist partially outside corporate oversight. This creates a paradox: While these third parties play a critical role in business operations, they also represent an increased security risk. It's now a familiar tale: If attackers gain access to third-party servers or networks, they may be able to move laterally into corporate IT environments and begin exfiltrating or destroying data. Even more worrisome? If third parties don't detect these attacks, malicious actors may spend days or weeks operating unnoticed in the background, giving them ample time to create persistent back doors that allow ongoing access.
Consider that 20% of a company's third-party portfolio exhibits inherently high risk — risk that comes with the absence of security controls. Given that the typical enterprise now uses 5,800 third parties and 50% of organizations believe they're ineffective at conducting due diligence on them, the conditions are set for the perfect storm.
Put simply, even if all other aspects of security posture are strong, if you don’t know where your risks are within your third-party portfolio and the control gaps that are leaving you vulnerable, you’ve created the ideal opportunity for attackers to compromise systems without being detected.
How to Monitor the Security Posture of Third Parties
As companies continue to leverage third parties to support essential business functions, the organizational risks will only grow. This is what we call the “TPRM dilemma” - or the challenge of increasing third-party adoption vs. the limited resources to effectively evaluate the risks posed to your organization.
To ensure your security posture doesn't break down outside of corporate control, security teams should adopt a systematic and scalable approach to managing third-party risks.
For maximum efficiency, we suggest structuring your TPRM program into three stages:
Identify and Assess
First, companies must identify and assess third-party risks to understand where your vulnerabilities are, then prioritize these risks based on the impact they may have on your operations.
Analyze and Report
Next up, you’ll want to analyze and report on your risks. By mapping threat data against industry or custom frameworks, security teams can better understand their third-party risks through the lens that matters most to your company. Then, the use of in-depth analytics provides immediate, actionable insights that organizations can report, document, and take action to solve.
Monitor and Secure
Finally, to effectively monitor and secure your organization, you’ll want to keep tabs on changes occurring within your third-party portfolio. By continuously monitoringyour third parties, you’ll be able to detect changes before the negatively impact you, and proactively address control gaps before they can be exploited.
Posture Makes (Almost) Perfect
While a strong security posture can't eliminate all third-party threats, it plays a critical role in both current and evolving defense against new and emerging threats.
Get Cyber Risk Intel delivered to your inbox each week: