Vendor-related cyber risks are quickly becoming a major contributing factor to data breaches and cyberattacks worldwide. The way business is conducted today often requires little direct interaction yet depends on massive networks of suppliers and partners. The coupling of these extensive networks with the potential for outsourcing can leave organizations in the dark about their suppliers’ and partners’ cybersecurity capabilities. In this article, we will discuss some of the top cyber threats that your organization can mitigate using a third-party security risk assessment.
What is Cyber Risk Management
Cyber risk management is a blanket term for all risk mitigation strategies that fall under the umbrella of cybersecurity. These strategies could involve:
- Staff awareness training programs to reduce risk associated with employee negligence
- Utilizing anti-malware and similar software to mitigate risks related to malicious software and code injection
- Employing security control frameworks such as the Cybersecurity Maturity Model (CMMC) or the Center for Internet Security Critical Security Controls (CIS CSC) for organization-wide cybersecurity implementation
- Assessing and auditing third-party vendors’ cybersecurity capabilities to reduce the risk associated with the Information and Communication Technology (ICT) supply chain
These are just a few examples. A robust cyber risk strategy is an involved process that examines many facets of the organizational structure; consider hiring a specialist to assess your cybersecurity capabilities and those of your vendors.
In essence, cyber risk management aims to reduce the risks posed by threats to the information system as a whole. As noted in the National Institute of Standards and Technology (NIST) Special Publication 800 series (specifically SP 800-161), these threats can be adversarial or non-adversarial (more on this later).
Third-party Risk Management
One aspect of cyber risk management, and the topic of this article, is third-party risk management, also known as vendor risk management or supplier risk management. As it applies to cybersecurity, third-party risk management involves a series of security control implementations that should be applied to the information systems of both your organization and your suppliers.
Note that this is a framework: no regulation or law states that the supplier must implement any security controls. Because the framework is not legally binding, any obligation on the supplier and the organization to comply derives from trust.
The organization may therefore need to stipulate in the business contract that the supplier must implement the required security controls before services are engaged.
This is where communication becomes crucial; it is in the best interest of your organization and the supplier that communication remains open. Open dialogue ensures that the security needs of both parties are met, and that there is little disruption to the business operations.
The third-party risk management framework is based on the NIST Special Publication 800 series, specifically NIST SP 800-161, which is where the control implementations should be taken from. Read more about NIST 800-161 on our blog.
The strategy calls for a third-party security risk assessment process that audits and assesses the vendor’s cybersecurity implementation and maturity. Communication is key here: by building trust with suppliers through an integrated, joint cybersecurity partnership, both organizations can drastically reduce the risk of cyberattacks and data loss.
Third-party Cybersecurity Threats
In this section, we will explore some of the top threats that plague supply chain networks, and some strategies the organization can employ to reduce the likelihood of these risks.
As mentioned briefly above, adversarial threats are threats directed maliciously at the organization. They are neither accidental nor the result of poor management practice, and they can be highly disruptive to business activities while potentially causing significant damage to the organization as a whole.
The Usual Suspects
In the number one spot for threats that require third-party risk management are the usual suspects:
Although not specific to third-party cyber risks, the “ware”-wolves can undoubtedly cause headaches along the ICT supply chain and should be assessed in the overall third-party risk strategy. Vendors may be unwittingly selling software loaded with one of the “wares.” The organization should do its best to ensure it is not installing and executing those programs or apps.
The Strategy: How do you deal with a “ware”-wolf? Well, with a silver bullet, of course. The security controls in the NIST third-party risk management framework require anti-malware software (the silver bullet). Within the contracts written up to engage in business, your organization must require vendors to utilize similar software. In the vendor security risk assessment, ensure that these security controls are implemented before business is conducted. It is also prudent to continuously update the anti-malware software and to tell the vendor when these updates are being done, to ensure that they undergo the same process.
Finally, verify that the information systems shared by the organization and the vendor are consistently being scanned for malicious software or code injections.
Insertion of Counterfeit
One of the adversarial threats named in the NIST framework is the insertion of counterfeit products. Counterfeits can prove to be a real hassle if controls are not put in place to reduce their occurrence. A fake software product, for example, is generally not supported by the vendor and may miss critical updates or patches that address security concerns in the software.
The Strategy: ensure that both the organization and the vendor are involved in the quality control/assurance process. Within the supply contract, include a clause requiring the vendor to use some form of quality assurance. Buy directly from suppliers where possible to reduce the risk of acquiring counterfeit products.
In some cases, counterfeits may be inserted with the intention of being deployed in the organization’s information system. To reduce the risk of malicious counterfeit products being installed or executed, the organization should utilize a sandbox. This environment can safely run software to test whether it may have adverse effects on the information system.
With business interactions becoming more distant and impersonal, there is an increased likelihood of a Man-in-the-Middle (MITM) attack. In a MITM attack an impersonator relays messages between two parties while pretending to be one or both of them. The attacker can alter messages or direct one party to give up personal information, encryption keys, or business-sensitive information.
The more complex an ICT supply chain is, the more attack vectors there are for a MITM attack.
The Strategy: the simplest defense against a MITM attack is to implement endpoint encryption on the communication channels between the two parties. Most reputable email services provide some form of endpoint encryption, but some are better than others (consult with us for a full cyber health assessment). If you choose to use your own domains, then whatever hosting services you employ should undergo some form of vendor security risk assessment.
For more sophisticated MITM attacks that come in the form of social engineering, a staff training and awareness regime should be implemented to reduce the risk of human error and exploitation.
Non-adversarial threats, as laid out by NIST 800-161, are risks that arise from non-malicious acts. These are sometimes classified as “acts of God”: events such as natural disasters that can disrupt business activities. Some can be mitigated against, whilst others are purely bad luck.
Here are some of the top non-adversarial cybersecurity threats that the organization should strategize against.
Poor Quality Products or Services
Poor quality in products or services can mean that the supplying organization has not taken the necessary steps towards quality assurance. In the context of cybersecurity threats, this could result, for example, in a software product that is easily compromised. A low-quality product may also be more susceptible to counterfeiting, as little effort is needed for the counterfeiter to resemble the original.
This is primarily a non-adversarial threat, though, as it is not the supplier’s intention to compromise their information system or yours. But the result of inadequate quality assurance and manufacturing is that the product or service they offer is highly susceptible to security risks.
The Strategy: for this threat, there is not much the organization can do other than due diligence on what you are buying. Poorly manufactured or designed products will often eventually be pushed out of the market, but you don’t want to be the one to test them first.
What the organization can do is check whether what you are buying or installing has a reputation preceding it. Usually there are reviews left by other companies or customers; where there are none, ask to test the product against your own quality assurance framework.
Poor Design Philosophy
This one differs slightly from the previous threat. The product or service being offered may be of high quality, but its design, particularly its security assurance, is lacking. For example, a great product may provide excellent enterprise solutions yet be a massive security risk. SAP provides a real-world case study of this.
Systems, Applications, and Products in Data Processing (SAP) is an enterprise software platform that integrates business operations and customer relations into one platform; in short, an Enterprise Resource Planning (ERP) application.
SAP’s users, which are exclusively businesses, have found the platform to be of great use, allowing companies to interface with customers easily whilst the software architecture practically takes care of itself. In recent times SAP has fallen under scrutiny for its poor security practices, with reports stating that nearly 50,000 companies were vulnerable to security issues found in its cloud-based products.
If your organization has had to deal with or uses SAP cloud-based products, we highly recommend you book a free consultation with us today to assess your organization’s cyber health.
This is a real case of a great quality product falling short in cybersecurity practices, which we refer to as poor design philosophy. In SAP’s case, it may also have been an oversight in the design of its new cloud-based products.
Nonetheless, it is vital that your organization ensures that the design and engineering behind its acquisitions or purchases are of a good standard.
Recap and Closing Remarks
Third-party security risk management assessment makes up a large portion of the organization’s overall risk management framework. With business-to-business relations becoming more complex, supply chains can leave organizations in the dark about their acquisitions. This can cause significant cybersecurity issues down the line.
The cybersecurity community has noticed these trends and has developed robust vendor and supply chain cyber risk management frameworks, namely NIST SP 800-161. Within this framework, there are two primary threat groups:
- Adversarial Threats
- Non-adversarial threats
Adversarial threats consist of threats that have malicious intent; in this article, we discussed three of the more important ones:
- The usual suspects, the “ware”-wolves on the ICT supply chain
- Insertion of Counterfeit products in the supply chain
- Man-in-the-Middle (MITM) attacks – interception of communication between organizations
Non-adversarial threats are threats that arise from “acts of God” or from non-malicious causes such as the two discussed in this article:
- Poor quality products or services – badly manufactured or designed software or hardware can leave gaps in the security of the product
- Poor Design Philosophy – potentially great products that do not incorporate security by design and default. We briefly discussed a real-life case study of SAP.
This is not an exhaustive list of the threats that fall under third-party risk management strategies, but it covers some notable ones.
The threat landscape is one that requires continuous assessment. New vulnerabilities are being discovered daily; keeping on top of this highly turbulent environment can be a daunting task.
There is no need to worry; we are here to help. RSI Security has a wealth of experience in all things cybersecurity. Whether you are looking for third-party risk management, compliance advisory services, or looking to implement a full cybersecurity architecture we are happy to help. Get in contact today and book a free consultation!