The survey concludes that although nearly 80% of respondents believe software supply chain attacks have the potential to become one of the biggest cyber threats over the next three years, few organisations are prepared to mitigate the risks. Is a third party, then, betraying us, or are we simply inattentive? Either way, the issue must be taken seriously and addressed by multi-disciplinary teams.
The CrowdStrike report emphasised that 90% of respondents in the study confirmed they had incurred a financial cost as a result of a software supply chain attack. The average cost of an attack exceeds USD 1.1 million. Although so many respondents believe they are at risk of a supply chain attack, companies are still slow to detect, remediate and respond to this kind of threat: on average, respondents confirmed that it took nearly 63 hours to detect and remediate a software supply chain attack.
Gartner’s 2018 Roadmap for Improving Endpoint Security also confirms that software- and hardware-based supply chain attacks are trending up. Reputational and brand damage, litigation, loss of productivity, the negative impact on employee morale, and the effect on overall business and stock price performance are some of the dire consequences that force boards and C-suite executives to deal with the aftereffects.
The Target Stores breach, for example, led to the termination of the company’s CEO and of the C-suite officers responsible for IT and security. The company has spent over USD 250 million just to defend against shareholder and customer lawsuits.
The US Customs and Border Protection (CBP) recently announced that an unnamed subcontractor had transferred copies of licence-plate images and travellers’ photos from federal servers to its own company network, without CBP’s authorisation. The major concern was not just the breadth of the data taken but also the number of people exposed by the third party’s action. And the list of examples goes on.
Addressing third-party cybersecurity risks
Successful third-party risk management involves a great deal of trust between an organisation and its third-party suppliers. However, this trust must be verified. Here are a few tips on how to verify that trust when dealing with third-party cybersecurity risk management.
Risk ownership and accountability are shared among multiple functional areas within an organisation, which makes third-party risk a very intriguing area for many companies, believes cybersecurity analyst Jie Zhang. Too many organisations lack a centralised way of evaluating their vendors. Zhang therefore advises that organisations develop a comprehensive strategy for managing third-party security risks and avoid over-reliance on any single tool, such as vendor security risk assessments, monitoring, or rating services alone.
The Third-Party Risk Management Guidelines issued by the US Office of the Comptroller of the Currency are intended for any risk management programme but can also be applied to cybersecurity. These guidelines suggest performing risk management in five phases: (1) planning how to manage relationships with third-party vendors, (2) conducting due diligence in third-party selection, (3) legal counsel review of all contract proposals, (4) monitoring and periodically reviewing the third-party relationships, and (5) termination and contingency planning, covering the steps to be taken in the event of contract default, breach or termination.
Furthermore, enterprise risk must be dealt with at Board level. However convenient it may be to delegate it, this matter is not within the sole purview of the Chief Information Security Officer (CISO) or the Chief Information Officer (CIO). “The Board cannot continue to ignore the down-side of our recent addiction to outsourced technology services and our increasingly intimate cyber-integration with third-party supply-chain vendors and continue to press for more, bigger, faster growth while abdicating their fiduciary duty of care”, says cybersecurity adviser Steve King.
Moreover, third-party organisations should demonstrate that they conduct regular risk and security assessments of their own vendors. This includes policies and processes aimed at protecting both their systems and data and yours. In that regard, controlled network access is one of the most important security checks.
A recent example of this practice is Airbus SE, which announced in September that it had taken new steps to guard its systems against cyberattacks mounted through the computer systems of its subcontractors. This was prompted by recent attacks on two of the company’s suppliers (Rolls-Royce Holdings Plc and Expleo) that sought to obtain the personal information of Airbus SE employees.
There are various risk management methods for dealing with third-party risks, but the key point is to perform a thorough assessment before allowing any vendor to access the organisation’s networks or information resources. In other words, third-party organisations must provide evidence that they follow cybersecurity ‘best practices’ before being granted access to our networks and resources. However, checking that such practices exist cannot be done by technical cybersecurity staff alone; the risk management teams must also include people with non-technical expertise.
The critical role of non-technical cybersecurity staff
About 58% of cybersecurity professionals come from fields outside technology, and these people are critically needed if comprehensive cybersecurity is to be achieved. For example, liberal arts experts are needed to ‘translate’ cybersecurity jargon for business people: “The frequent stories of cybersecurity teams not getting management support for the tools and personnel they need come down to not effectively telling the cybersecurity story”, says Wesley Simpson, COO of (ISC)².
There is a growing view that the cybersecurity field needs the greater diversity of thought and background that non-technical people bring to it. According to Dark Reading research, the following kinds of non-technical expertise can be most useful in multi-disciplinary cybersecurity teams:
Mathematics: Issues faced by cybersecurity teams often require a holistic approach and critical thinking in problem-solving. Being able to look at things from diverse perspectives is advantageous, especially when facing a novel challenge.
Business: Planning and thinking strategically are crucial for a holistic cybersecurity posture. For example, people with expertise in business analysis or project management are of great value to cybersecurity teams.
Psychology: This discipline brings insight into human behaviour, along with soft skills in communication, listening and other human factors that are critical to success. It is equally important for identifying potential malicious insiders and for vetting third-party personnel who have access to the organisation’s valuable data and systems.
Sociology: Just as psychology can help a cybersecurity professional understand how an individual might approach a system, sociology can be useful for understanding how individuals behave as part of a group, or how large groups behave when presented with a particular situation.
Philosophy: Cybersecurity today is more a human than a technical challenge. A foundation in ethical thinking and behaviour is therefore equally critical for cybersecurity professionals and for those who use the organisation’s information systems. Furthermore, gathering multiple perspectives on cybersecurity issues is the key to forming a concrete and inclusive analysis.
Music: It may sound odd to some, but the link between musical and software skills has long been noted. Those who read sheet music are able to follow a plan and stick to the score, meaning that they are good at following direction and at practising until they play the piece perfectly. In cybersecurity, meticulously reading the incident ‘sheet’ and strictly following the analysis is likewise the key to success.
As we recently advised, it is the role of top managers and executives to ensure that these experts work together, and harmoniously with the CISO, in protecting the organisation’s digital future. To do this, it is fundamental that these people understand the concepts of information security and the roles that different groups of expertise should play in securing the organisation’s digital well-being. A meaningful interplay between them, facilitated by the executives and the CISO, is the key to success.