Virtualization Technology News and Information
RiskRecon 2019 Predictions: Hackers Focus on Third-Party Vulnerabilities

Industry executives and experts share their predictions for 2019. Read them in this 11th annual series exclusive.

Contributed by Kelly White, CEO and co-founder of RiskRecon

Hackers Focus on Third-Party Vulnerabilities

The start of a new year is rife with intentions and predictions. And while many of the predictions originating from the security sector seem alarmist, data supports the notion that good third-party cyber risk management is now, more than ever, of paramount importance. Here are four well-founded security predictions that should serve to guide your security best practices over the next year and beyond:

1. Third parties will become a top target for compromising corporate data.

Miscreants will increasingly target third parties to gain access to corporate secrets. Look no further for evidence of this than the recently disclosed compromises of military subcontractors. The most pointed of tens of recent examples occurred in January 2018, when Chinese government hackers compromised a US Navy subcontractor, making off with mountains of highly confidential data that included plans for a submarine-launched supersonic anti-ship missile. Other recent incidents include the theft of F-35 Joint Strike Fighter designs, warship schematics, and Department of Defense personnel data, all stolen from defense contractors, not military networks.

Hackers follow the path of least resistance, and the attack-chain information available for recent incidents shows that this path frequently leads them to the third parties of their target. It is a rapidly growing problem for the military, and it is highly likely that hackers targeting commercial enterprises will follow the same playbook. After all, why go up against a big bank when you can get the same data from one of its many third-party providers?

2. Companies will seek to understand the true extent of their enterprise risk surface.

This year, leading enterprises will seek to understand their entire risk surface, and regulators will begin motivating others to do the same. This expansion of risk management beyond the internal enterprise will be driven by the growing impact of inadequately managed third- and fourth-party providers and partners, in both the cyber and physical dimensions. Attacks on Department of Defense subcontractors to steal military secrets will stand as a sharp motivator. So too will physical events, like the May 2018 halt of Ford F-150 production caused by a supplier that had not maintained safe working conditions or redundant production facilities.

Organizations commonly focus their resources on understanding the risk in their own systems and operations, while their understanding of their extended risk surface remains superficial, based largely on third-party assessment questionnaires. This leaves a very incomplete picture of total enterprise risk, which encompasses an enterprise's operations, reputation, assets, legal compliance, and regulatory compliance.

Recognizing the impracticality of adding armies of additional risk analysts, who are already in short supply, organizations will instead arm themselves with well-structured open source intelligence and related tooling to understand their third- and fourth-party risk surface.

3. Enterprises will hold third parties to a higher degree of accountability.

Recognizing their unacceptable third-party risk exposure, enterprises and regulators will hold vendors to a higher degree of accountability for good cyber risk performance. This will cause two significant changes in how third-party risk is managed. First, underperforming vendors will no longer be granted cyber risk exceptions. Previously granted exceptions will be re-evaluated, and new exceptions will be granted only in the rarest of cases, requiring authorization from the highest reaches of the enterprise.

Second, recognizing that third-party assessment questionnaires and related documentation reviews alone do not yield trustworthy risk outcomes, enterprises will increasingly use objective data to verify that third-party cyber risk controls are actually implemented and operating. Primary among these data sources will be open source intelligence and cyber risk rating data, both of which can be gathered very efficiently.
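As an added illustration of what "verifying questionnaire answers against objective data" looks like in practice, the Python below reconciles a vendor's yes/no questionnaire claims with facts that an external scan of its internet-facing hosts would show. This is example code written for this page, not RiskRecon's code or the method behind its ratings; the vendor, hostnames, ports, certificate dates, questionnaire keys and the list of "administrative" ports are all constructed assumptions, and no network calls are made.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Protocol versions a vendor claiming "legacy TLS disabled" should never negotiate.
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Assumption for this example: ports treated as administrative interfaces.
ADMIN_PORTS = {22, 23, 3389, 5900, 8443}


@dataclass
class HostObservation:
    """Externally observable facts about one internet-facing host."""
    host: str
    tls_versions: set[str]        # protocol versions the server negotiated in a scan
    http_headers: dict[str, str]  # response headers from the HTTPS front page
    open_ports: set[int]          # ports that accepted a connection
    cert_not_after: date          # expiry of the certificate the host presented


def hsts_enforced(headers: dict[str, str]) -> bool:
    """True only if Strict-Transport-Security is present with a positive max-age.

    Header names are compared case-insensitively; a header with max-age=0
    disables HSTS and therefore does not count as enforcement.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return False
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            number = number.strip()
            return number.isdigit() and int(number) > 0
    return False


def reconcile(questionnaire: dict[str, bool],
              observations: list[HostObservation],
              today: date,
              renewal_window: timedelta = timedelta(days=30)) -> dict[str, list[str]]:
    """Map each claim the vendor answered 'yes' to onto the hosts contradicting it.

    An empty list means the observed evidence is consistent with the claim.
    Claims answered 'no' are not checked: the vendor already disclosed that gap.
    """
    checks = {
        "legacy_tls_disabled": lambda o: not (o.tls_versions & LEGACY_TLS),
        "hsts_enforced": lambda o: hsts_enforced(o.http_headers),
        "no_admin_interfaces_exposed": lambda o: not (o.open_ports & ADMIN_PORTS),
        "certs_renewed_before_expiry": lambda o: o.cert_not_after - today > renewal_window,
    }
    return {
        claim: sorted(o.host for o in observations if not holds(o))
        for claim, holds in checks.items()
        if questionnaire.get(claim)
    }


# Constructed sample data for a hypothetical vendor; the hostnames use the
# reserved .test TLD and do not resolve.
SAMPLE_QUESTIONNAIRE = {
    "legacy_tls_disabled": True,          # "TLS 1.0/1.1 are disabled on all external services"
    "hsts_enforced": True,                # "All HTTPS sites send Strict-Transport-Security"
    "no_admin_interfaces_exposed": True,  # "No admin interfaces are internet-reachable"
    "certs_renewed_before_expiry": True,  # "Certificates are renewed before they expire"
}

SAMPLE_OBSERVATIONS = [
    HostObservation("www.example-vendor.test", {"TLSv1.2", "TLSv1.3"},
                    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                    {443}, date(2019, 9, 1)),
    HostObservation("portal.example-vendor.test", {"TLSv1.0", "TLSv1.2"},
                    {"Server": "nginx"}, {443, 8443}, date(2019, 1, 15)),
    HostObservation("legacy.example-vendor.test", {"TLSv1.2"},
                    {"strict-transport-security": "max-age=0"}, {22, 443, 3389},
                    date(2019, 6, 30)),
]


def demo(today: date = date(2019, 2, 1)) -> dict[str, list[str]]:
    """Run the reconciliation on the constructed sample data."""
    return reconcile(SAMPLE_QUESTIONNAIRE, SAMPLE_OBSERVATIONS, today)


if __name__ == "__main__":
    for claim, hosts in demo().items():
        status = "consistent" if not hosts else "contradicted by " + ", ".join(hosts)
        print(f"{claim}: {status}")
```

The point of the structure is that every questionnaire answer is tied to a concrete, repeatable check on evidence the vendor does not control, so a "yes" that is contradicted by a host with TLS 1.0 enabled, an HSTS header of max-age=0, or an already-expired certificate becomes a finding to raise with the vendor rather than an accepted attestation.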

4. Enterprises will realize many of their third parties are not capable of managing cyber risk well.

As enterprises hold their third parties to a higher degree of accountability, they will conclude that a material portion of those third parties are not capable of managing cyber risk well. A large population of vendors has been able to pass prior assessments in which they were only required to respond to questionnaires or provide a guided tour of their security operations. As enterprises use objective assessment data to understand third-party risk, they will discover that many vendors that looked good on paper don't look so good in practice.

Enterprises will find that, in most cases, underperforming third parties respond very constructively to requests to improve their cyber risk management. Many third parties are simply not aware of their gaps; deeper assessments that include objective data will reveal them. In a small number of cases, however, vendors will refuse to address cyber risk concerns, and enterprises will face the executive decision of accepting the risk or transitioning to another provider.

Hackers aren't new; what is new is the rapidity and severity with which they are targeting third-party vendors. If enterprises underestimate the risk their third-party vendors pose to the business at large, the result could be anything from massive data breaches to hefty penalties from regulators. The answer lies in gathering security insights about third-party vendors and turning them into actionable, prioritized task lists that mitigate those risks and protect enterprises at scale.


About the Author

Kelly White

Kelly White is the CEO and co-founder of RiskRecon where he is transforming third-party cyber risk management. Kelly has held various enterprise security roles, including CISO and Director of Information Security for financial services companies. Kelly was also a practice manager and senior security consultant for CyberTrust and Ernst & Young.

Published Friday, February 01, 2019 7:40 AM by David Marshall