RP CEO Adam Bennett


Concern around third-party cybersecurity risks continues to increase as organisations are stretched during the COVID-19 pandemic, with the growing realisation that a holistic view of security must extend not only across an organisation, but also along its entire supply chain.

Third-party risk was identified as a top threat by compliance leaders in 2019, according to Gartner. More than 80 per cent of legal and compliance leaders revealed that third-party risks were only identified after initial onboarding and due diligence, suggesting traditional due diligence methods in risk management policy fail to capture new and evolving risks.

The risk continues to grow, with 71 per cent of organisations reporting their third-party network contains more vendors than it did three years ago. The demands of managing third-party risk have also grown more pressing amid the supply chain disruptions of the pandemic. More than half of respondents to a Gartner survey of legal and compliance leaders in April 2020 stated that cybersecurity and data breaches are the most-increased third-party risk their organisations face.

That concern is well-placed, with software supply chain attacks leaping more than 300 per cent in 2021. The SolarWinds hack and the exploitation of a Microsoft Exchange zero-day vulnerability both saw a widely trusted technology partner compromised in order to undermine the security of the organisations along its supply chain.

In response, sectors such as defence are leading the way in demanding that smaller suppliers demonstrate cybersecurity capabilities, to ensure they are not the weakest link in the chain.

The Defence Industry Security Program (DISP) is designed to address and protect Australia's defence supply chain from security vulnerabilities. It assesses a business's processes, procedures and information technology, along with its physical, personnel and cyber security. DISP offers an excellent example of the attention to detail required to secure a supply chain, says Adam Bennett – founder and CEO of Australian-owned cybersecurity provider Red Piranha.

A Gartner 'Voice of the Customer' vendor, Red Piranha received the Customers' Choice Distinction for its IT Vendor Risk Management Tools amongst top players in the global IT VRM market.

"We are heavily involved in the Defence Industry Security Program, and enterprises need to take a similar approach to cybersecurity – not just thinking about themselves but also who they are doing business with," Bennett says. "Going forward, the commercial ramifications of not being cybersecure will definitely see more contracts lost."

Third-party risk processes are the key to holding supply chain partners accountable and understanding their true impact on the organisation.

"Vendors need to undergo a vetting process for cybersecurity, plus organisations need transparency into exactly how they're integrated with their vendors and partners," Bennett says.

"The Log4j vulnerability offers the perfect example, with the need to understand exactly where potentially vulnerable technology is embedded into your overall structure and operations – a lack of understanding poses undue risk."

One of the biggest misconceptions, both within organisations and along supply chains, is that specific tools and technologies can offer a silver bullet to protect against all threats.

Technology is an integral part of cybersecurity, but on its own it is not enough to defend against many threats. Organisations can fail to recognise that practical and robust cybersecurity requires an information security management system built on three pillars: people, processes and technology.

"There's an expectation that organisations can simply buy a product or push a button in order to become secure, but that's not realistic," Bennett says. "You may have technological defences in place, but if you don't have proper processes and haven't trained your staff on how to use this technology, then you create vulnerabilities."

"There's no point in investing in a few best-of-breed solutions while falling well short in other areas; it's like investing in the world's most secure door locks but not bothering to close your windows."

Most organisations have a cybersecurity skills shortage and lack access to the specialist resources they require, Bennett says. As a result, cybersecurity tends to be treated as a checkbox compliance exercise, which leaves them vulnerable.

Red Piranha's Electronic Chief Information Security Officer (eCISO), delivered with the Crystal Eye platform, provides integrated access to advisory and security services on demand. It helps organisations develop a comprehensive strategy that covers technical controls and, through human-machine teaming, provides on-demand access to the village of specialist security resources they need.

This platform allows organisations to implement an effective plan to embed security consciousness across the entire organisation and into the supply chain. This includes minimising the attack surface, as well as ensuring that people and processes are security-oriented and compliant.

"Annual security assessments and watered-down penetration testing don't cut it; organisations need to focus on risk, not just blind compliance," Bennett says.

"An eCISO program, taking advantage of automation, allows organisations of all sizes to effectively and affordably examine their assets, analyse risks and advise on mitigation in order to take a more robust and holistic approach to cybersecurity."

Date published: January 31, 2022