Summary

Some of the latest data breaches to hit major organizations have been caused by cybercriminals attacking third-party software vendors. As a result, one of the biggest InfoSec challenges CISOs are facing is supply chain and vendor security.


Cybercrime is regularly in the news, but in recent years, many reports of hacks and breaches include references to third-party software or the “digital supply chain.” The last year has seen such attacks hit Bank of America, Home Depot, T-Mobile, Okta, and Citrix. According to the Identity Theft Resource Center’s 2023 data breach report, incidents directed through supply chain vectors reached an all-time high in 2023, affecting more than 2,700 organizations.


The Third-Party Vector Risk

From the hackers’ perspective, it’s easy to see the appeal of reaching targets indirectly through vendors and cloud providers. Cybercriminals know that big attractive targets like major financial services and healthcare organizations will have robust defenses around their own assets. But they also know that these organizations likely have relationships with dozens or even hundreds of SaaS applications and other IT providers. 

Starting there instead—with third-party software providers—gives attackers a multitude of threat vectors, so that a single exploit can yield significant results. Once attackers gain access to a provider's data and networks, they can launch ransomware attacks of their own or simply sell that access to others.

Will all of these parties maintain comparable defenses? Maybe, maybe not. Just as important: Can the apps’ customers—the intended targets—monitor and police all their vendors to make sure they’re taking all of the appropriate security measures? 

Minimizing the Risk Footprint

“There’s a tremendous amount of inheritance risk that you take on with supply chain software—and you don’t always have visibility within your supplier as to what they’re doing about security.” –Chief Risk Officer

Supply chain and vendor security are top of mind for CISOs, including those who took part in the recent Pure Storage CISO roundtable. They named it one of the biggest InfoSec challenges they face. How are CISOs responding to third-party risks? 

1. Engage with the reality of the new threat landscape 

CISOs and their teams clearly have plenty to do, but there’s an essential task to add to the list: instituting new policies and procedures around procurement, auditing, and monitoring of third-party providers. An ad hoc approach—or hoping vendors will protect you—is definitely not the best path forward.

2. Tame SaaS sprawl 

Every additional application is a potential attack vector. Many organizations have multiple integrations with SaaS providers. A thorough assessment might find ways to eliminate some unnecessary apps. Perhaps certain applications lack the benefits to justify newly emergent risks. Others could be made expendable by building applications in-house. Finally, the problem of engineers and staff setting up their own productivity enhancements with third-party providers—known as “shadow IT”—adds to SaaS sprawl. 

3. Put providers under a microscope 

Develop processes for assessing the security posture of the third parties connected to your networks. In-depth questionnaires and even independent audits might be appropriate; whichever approach you choose, the process should be thorough. To help, a new class of tools has appeared on the market: Third-party cybersecurity risk management (TPCRM) platforms can help manage both the initial assessment and ongoing monitoring.

4. Create custom compliance 

Audits can establish a vendor's security posture and support risk assessment, but often the result is simply confirmation of compliance with established standards like SOC 2 and ISO 27001. These are baseline, one-size-fits-all guidelines. If your business’s risk profile is more complex, consider developing your own compliance regime, with specifics derived from actual business processes, to screen prospective vendors and monitor ongoing relationships.

5. Foster collaboration

Decisions to procure third-party solutions often involve numerous departments such as IT, purchasing, and InfoSec. With so many stakeholders, it’s essential to have processes that allow for input while providing a roadmap to a codified set of agreements with a limited number of hoops to jump through.

6. Employ a least-privilege model for data access 

Many cloud workflows lack adequate access controls, giving users more access than they need to perform their jobs. This is a boon to attackers, who can use one set of compromised credentials to move laterally through data and expand their footprint. A least-privilege access model, one that grants each user only the access their role requires, limits how far a single compromised account can reach.

7. Advocate for regulation 

This might seem like odd advice (who wants more regulations?), but in truth, the standards, benchmarks, and enforcement of regulation could help improve compliance, and more importantly, transparency around third-party vendor relationships. A model for regulation could be the EU’s Digital Operational Resilience Act (DORA), which strengthens and standardizes IT security and compliance for financial entities such as banks, insurance companies, and investment firms. 

8. Encourage development teams to “shift left, secure right”

In the spirit of accountability and ownership, focus on implementing “shift left” security testing earlier in the development lifecycle. In shift-left security, testing is integrated into the early stages of development; shift-right security, by contrast, focuses on testing in the production environment through monitoring. Shifting left encourages teams to find vulnerabilities and fix defects earlier. Learn how to build an enterprise-grade secure platform in this DevSecOps technical blog series.

Hear how CISOs are facing this and other challenges head-on with our exclusive CISO report.