Cyber Resilience Strategies to mitigate third party risks

Secure the Invisible Perimeter

Secure the Invisible Perimeter · 2020. 8. 26. · Secure the Invisible Perimeter 2 Sean Hugo CISO at Department of Home Affairs – Australia Cyber resilience recognises that a security

Sean Hugo, CISO at Department of Home Affairs – Australia:

"Cyber resilience recognises that a security event or a security incident is inevitable, and it is going to happen. Do not be afraid of it, but understand, and what the job is as a security professional is to detect it, contain it, and respond to it while keeping the other parts of the business operational."

Table of Contents

Introduction 4
Top Risks from Third-party Vendors 5
Top Risk Management and Mitigation Practices 6
Top Security Management and Monitoring Mechanisms 9
Top Challenges in Managing and Mitigating Third-party Risk 11
How to Best Manage Third Party Risks 13
Conclusion 14

Introduction

In a connected ecosystem, every organisation works with partners, contractors, and professional services providers. In many industries, traditional firms are moving to digital ways of working while the partner ecosystem is often inept at understanding the digital tools, creating a security vulnerability.

As a security and risk officer, it is challenging to control the level of security awareness or security infrastructure at the end of third-party service providers.

With the COVID-19 related move to a digital workplace and looming uncertainties in the geopolitical environment, these vulnerabilities have significantly increased. In the past five months, many organisations have faced disruption in business areas that were contracted or outsourced to external vendors. The concerns for ANZ organisations have extended to business impact and revenue loss. Hence, security and risk professionals must reconsider their cybersecurity strategy for a new environment dominated by an invisible perimeter.

ADAPT and RSA partnered to understand the current state of third-party risk mitigation strategies adopted by Australian and New Zealand organisations to help CISOs, CSOs, CROs and CIOs create a secure perimeter while enabling their organisations to utilise an efficient third-party ecosystem.

This report is an amalgamation of six interviews from large organisations from the defence, government, financial services and energy sectors.

All these organisations work with third-party vendors, partners, and contractors of varying sizes - large corporations, small and medium businesses (SMBs) and individual contractors.

Top Risks from Third-party Vendors

Respondents understand the overall risk posed by a third-party ecosystem of suppliers, including data, governance, and compliance complexities, apart from the security threat and customer privacy breach. However, two types of risks came out strongly from the respondents.

Business Continuity

One of the biggest concerns raised by some of the respondents was the actual business impact of a security attack that leaves a third-party vendor unable to offer its services, or a business situation that puts the vendor out of business.

One of the respondents quoted an example where the organisation had to acquire a small business supplier when it went bankrupt, as it was strategic for the business.

In other cases, some of the offshore supplier contracts had to be suspended as they posed a high-risk threshold in a lockdown environment. As a result, their work was brought back to in-house teams and domestic suppliers.

This raises long-term concerns around the impact of over-reliance on select third-party providers and suppliers, especially within the manufacturing industry.

Given the geopolitical situation of Australia with China, the threats around suppliers and third-party contractors from China must be considered a potential risk for businesses.

Information Access

Sharing critical and sensitive information with third-party contractors and vendors came out as a key security risk for all respondents.

This becomes even more complex for government sector organisations who cannot share information with the third party or let them access their systems.

Most organisations provide limited information to their vendors based on due diligence, contract type and criticality of the information.

In most cases, SMBs pose a higher threat as they often struggle to have adequate security infrastructure and resources, and hence are more vulnerable to attacks.

In the case of defence organisations, minimal to no information is shared with third-party contractors. In contrast, the financial services sector shares limited information with third-party vendors based on the project and contractual agreements.

Top Risk Management and Mitigation Practices

All the industries have standards for data privacy, compliance, regulations, and legislation. Most organisations use these standards to underpin their risk exposure and the clauses that are included in vendor contracts.

Risk Assessment

All respondents alluded to the use of a risk framework to assess, qualify, and segregate vendors.

The risk frameworks vary in their detail and depth to assess the overall risk exposure from a vendor. Nonetheless, most of them include critical evaluation criteria around the stability of security infrastructure, resources and criticality of project and information.

Vendor Questionnaire

Most organisations conduct due diligence using standard questionnaires. Some respondent organisations use an in-depth questionnaire while others are trying to simplify the process, especially for SMB vendors.

Some of the detailed questionnaires also include questions around data access, public cloud usage, data location (onshore vs offshore) and data management systems.

Most of the organisations do not ask for evidence from their third-party vendors to support the answers furnished in these questionnaires. This has been highlighted as an existing challenge for which CISOs seek a better solution.

There is a high level of trust involved, assuming that the vendors have filled in the questionnaires with accurate information.

Risk Threshold

Different organisations have set risk thresholds and further steps around hiring vendors with high-risk exposure.

In the case of a government respondent, there are exceptional cases where high-risk projects are carried out with certain caveats in place. An essential component of these caveats is the communication between the project team and the risk team to continuously monitor the temporary risk posed by the vendor within the project.

Risk Mitigation

The most common ways to mitigate or minimise risks are embedded in governance processes, service level agreements (SLAs) and contract terms.

Contracts and SLAs

Once the due diligence is done, vendor contracts are used to ensure that governance, compliance, and legislative risks are clearly mentioned and accounted for by the third-party vendors.

A specific example for the insurance sector is the CPS 234 legislation, which is a mandatory inclusion in the contract clauses for a third-party vendor. Similarly, ISAE 3402 for SOC compliance is included in contract clauses.

Governance policies, controls and practices are used to set the protocols of information access and network access for the suppliers.

Only a few organisations conduct a periodic audit of their vendors and partners to ensure the validity of the risk assessment. While most respondents have an extensive network of third-party contractors and vendors, not everyone reviews and audits their supply chain regularly. In some cases, the multi-year contracts that began a few years ago did not include many security clauses at the time of contract commencement. Now, these contracts are being revised to add security and governance clauses as the legislation within Australia becomes more stringent.

In cases where independent contractors are hired, they are onboarded and treated as employees. They work within the firewall of the company and get access to the VPN and applications.

Different respondents have different mechanisms to account for the tenure of access for these contractors. In one case, the process of hiring and providing access depends on the business and operations teams, while in another case the contractor is formally brought into the system by HR.

The former situation brings in inconsistencies and vulnerabilities because the business and operations teams forget to inform the IT teams once the contract ends. In the latter case, since the contractor is on the HR system, there is an automated process of communication and consequent suspension of the contractor's access.
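The two onboarding models above differ in whether anything ever tells IT that an engagement has ended. The following is an added example, not code from the report or from any respondent, of the reconciliation check a defender can run in the meantime: it compares enabled contractor accounts against HR contract end dates and flags accounts that should already be suspended, including accounts with no HR record at all (the "business team set them up" case). The account and contract records, the grace period and the severity rules are all constructed for illustration.

```python
"""Reconcile enabled contractor accounts against HR contract end dates.

Added example, not code from the ADAPT/RSA report or any respondent. It
models the gap the report describes: access arranged by business teams
lingers after a contract ends, whereas a contractor on the HR system can
be suspended automatically. All records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample: engagements known to HR, keyed by account name.
# "source" records who set the contractor up (HR, or a business team).
HR_CONTRACTS = {
    "c.lee": {"end_date": date(2020, 6, 30), "source": "hr"},
    "a.khan": {"end_date": date(2020, 12, 31), "source": "hr"},
    "j.wong": {"end_date": date(2020, 5, 15), "source": "business"},
    "r.singh": {"end_date": date(2020, 8, 10), "source": "hr"},
}

# Constructed sample: contractor accounts the directory still shows as enabled.
ACTIVE_ACCOUNTS = [
    {"user": "c.lee", "enabled": True, "last_login": date(2020, 8, 20)},
    {"user": "a.khan", "enabled": True, "last_login": date(2020, 8, 25)},
    {"user": "j.wong", "enabled": True, "last_login": date(2020, 8, 24)},
    {"user": "r.singh", "enabled": True, "last_login": date(2020, 8, 5)},
    {"user": "m.ortiz", "enabled": True, "last_login": date(2020, 8, 1)},
    {"user": "p.nair", "enabled": False, "last_login": date(2020, 3, 2)},
]

REPORT_DATE = date(2020, 8, 26)  # the "today" used when the check runs


@dataclass
class Finding:
    user: str
    reason: str
    days_overdue: int
    severity: str


def reconcile(accounts, contracts, today=REPORT_DATE, grace_days=3):
    """Flag enabled accounts whose HR record says the engagement is over,
    or that have no HR record at all. A short grace period absorbs the
    normal lag between contract end and deprovisioning."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already suspended, nothing to do
        contract = contracts.get(acct["user"])
        if contract is None:
            # Enabled account with no engagement behind it: the report's
            # "business team set them up and never told IT" case.
            findings.append(Finding(acct["user"], "no HR record", 0, "high"))
            continue
        overdue = (today - contract["end_date"]).days
        if overdue <= grace_days:
            continue  # engagement still running, or within the grace window
        # Logins after the end date mean the stale access is actually in use.
        used_after_end = acct["last_login"] > contract["end_date"]
        severity = "high" if used_after_end else "medium"
        findings.append(Finding(acct["user"], "contract ended", overdue, severity))
    return findings


def accounts_to_suspend(findings):
    """Sorted account names an automated suspension job should act on."""
    return sorted(f.user for f in findings)


if __name__ == "__main__":
    for f in reconcile(ACTIVE_ACCOUNTS, HR_CONTRACTS):
        print(f"{f.user:<8} {f.reason:<14} overdue={f.days_overdue:>3}d severity={f.severity}")
```

Run as a scheduled job, the output of `accounts_to_suspend` is the list an identity system would disable, and the "no HR record" findings are the ones worth escalating, since nothing else in the organisation will ever expire them.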

Cybersecurity Education

Interestingly, not many respondent organisations conduct a cybersecurity awareness education program for their third-party vendor organisations.

• Drives are conducted only for individual contractors who are brought into the system through HR.

• However, for other vendors, the cybersecurity risk is mitigated and managed only through SLAs and contractual clauses.

Processes and Technology

Most of the organisations use VPN, a Citrix environment or a complete virtual desktop environment to provide access to third-party providers.

Privileged access to applications is usually provided through two-factor authentication or multi-factor authentication.

• One of the respondents mentioned recently completing a modernisation project that enabled them to implement multi-factor authentication for everyone who accessed their environment.

• Interestingly, in some cases, the lack of digitalisation of processes and a manual procurement order often help prevent online fraud. The procurement process, which in other organisations has come under phishing attack, has been protected in the case of a particular respondent in the defence sector because the approval process requires human intervention.

• For example, if an email for invoice processing comes into the accounts department, it will be dismissed or disapproved by default if there is no corresponding invoice generated within the system.

Top Security Management and Monitoring Mechanisms

The majority of the respondents revealed that in the past five months, the number of social engineering attacks and attempts to breach the network has significantly increased. This includes the state-sponsored attack on the Australian federal government that has brought a real focus on cybersecurity.

Although the respondent organisations have been able to triage these incidents successfully, the threat surface has significantly expanded due to the lockdown. The threats are expected to increase, compelling respondents to conduct a cybersecurity refresh within their organisations.

Security Monitoring and Management

Currently, the time taken to detect fraud or an incident is within a few hours. Some respondents could not identify a particular time, yet were confident that the time taken is short enough to mitigate the attack.

• DLP, website traffic monitoring, data encryption in outgoing customer emails, and software upgrades have been some of the more effective ways through which organisations can monitor and manage phishing and DoS attacks.

• Most organisations have ramped up their internal cybersecurity awareness drives to help mitigate a social engineering attack that could impact customer credentials and cause a data breach.

• When asked about the impact of a third-party security attack on customer-facing applications, most respondents were confident that the customer applications were not connected to or dependent on third-party networks.

• In case of compromised credentials, adequate processes were in place to check the customer's identity.

• However, with the lockdown and work from home, verifying customer identity has become more difficult. Hence, organisations have applied caution and change credentials at the slightest suspicion.

Future Security Strategy

Organisations are not yet ready to adopt holistic, future-ready technology solutions such as password-less technology or AI-based threat intelligence and monitoring. Only one government organisation currently uses an AI-based behavioural analytics tool for threat detection and mitigation.

• One of the respondents mentioned the creation of a separate shared environment built on cloud-based services and residing outside the corporate perimeter, to limit contractors' access to this environment rather than the entire organisational network.

• Another respondent revealed that the focus would be on bolstering the different modules for risk management (incident management and response) and internal audits to test these modules against the risks to ensure they are effective.

• One of the respondents has deployed network access control to ensure that all network ports and wireless access points in a physical location can be completely cut off in case of a security breach.

• The organisation also deployed vulnerability scanning tools and intrusion detection to monitor traffic into and out of the network.

Top Challenges in Managing and Mitigating Third-party Risk

Cybersecurity has been an afterthought for most organisations around the globe. It has also been an afterthought in the technology development process. Hence, despite tools, technologies, and detailed processes, CISOs and risk officers still struggle to ensure certain critical areas of security.

Data Sovereignty and Compliance

For the majority of the respondents, especially within the defence and government sector organisations, complying with increasingly stringent data sovereignty and privacy requirements was extremely difficult.

One of the grave concerns for many organisations is the visibility around the location of customer and organisational data. The Australian government has increasingly tightened regulations around storing data within the national boundaries, even for cloud storage vendors.

Skills Shortage

Respondents across sectors agreed that the skills required within the industry for cybersecurity professionals were scarce. Consequently, there is a limited talent pool available for all organisations, which spikes the cost of acquiring resources.

Risk Assessment Process

One of the respondents also mentioned the fragmented state of risk and compliance assessment as a challenge. Within their organisation, owing to the different processes and methods used to assess compliance risk, the risks presented in the official risk register were significantly duplicated.

Hence, the team had to go through a process of consolidating all issues in the risk registers from the penetration test and auditor's reports to recreate the risk register. As a result, they found one common way of producing an action plan around the risk register and run a review with customers every two months.
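The consolidation exercise described above is, at its core, a de-duplication problem: the same weakness arrives from a penetration test, an auditor and a compliance review with different wording, case and severity. The following is an added example, not the respondent's own tooling, of one way to rebuild a single register from such findings: entries are keyed on a normalised (asset, weakness) pair, the highest severity any source assigned is kept, and every source reference is retained so the action plan can cite them. The findings, severity scale and normalisation rules are constructed for illustration.

```python
"""Consolidate findings from several assessment sources into one risk register.

Added example, not code from the ADAPT/RSA report or the respondent it
describes. It illustrates the consolidation exercise in the report: the same
weakness reported by a penetration test, an auditor and a compliance review
shows up as several register entries. Entries are keyed on a normalised
(asset, weakness) pair; the highest severity and every source reference are
retained. The findings below are constructed samples.
"""
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings as they might arrive from three reports,
# with the cosmetic differences (case, spacing, punctuation) that cause
# duplicate register entries.
RAW_FINDINGS = [
    {"source": "pentest-2020Q1", "asset": "vendor-portal.example",
     "title": "Missing MFA on admin login", "severity": "high"},
    {"source": "audit-2020", "asset": "Vendor-Portal.example",
     "title": "missing mfa on admin login", "severity": "medium"},
    {"source": "compliance-review", "asset": " vendor-portal.example ",
     "title": "Missing MFA on admin login.", "severity": "medium"},
    {"source": "pentest-2020Q1", "asset": "sftp.example",
     "title": "Weak ciphers enabled", "severity": "low"},
    {"source": "audit-2020", "asset": "hr-system.example",
     "title": "Contractor accounts not expired", "severity": "high"},
    {"source": "compliance-review", "asset": "hr-system.example",
     "title": "Contractor accounts not expired", "severity": "high"},
]


def normalise_text(text):
    """Lower-case, strip punctuation and collapse whitespace so wording
    differences between reports do not create separate entries."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def normalise_asset(asset):
    return asset.strip().lower()


def consolidate(findings):
    """Merge raw findings into register entries, one per (asset, weakness)."""
    register = {}
    for f in findings:
        key = (normalise_asset(f["asset"]), normalise_text(f["title"]))
        entry = register.get(key)
        if entry is None:
            register[key] = {"asset": key[0], "weakness": key[1],
                             "severity": f["severity"], "sources": [f["source"]]}
            continue
        # Keep the most severe rating any source assigned to this weakness.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        if f["source"] not in entry["sources"]:
            entry["sources"].append(f["source"])
    # Highest severity first, then by asset name, for the action plan.
    return sorted(register.values(),
                  key=lambda e: (-SEVERITY_RANK[e["severity"]], e["asset"]))


def duplicates_removed(findings):
    """How many raw findings collapsed into an existing register entry."""
    return len(findings) - len(consolidate(findings))


if __name__ == "__main__":
    for entry in consolidate(RAW_FINDINGS):
        print(f"{entry['severity']:<7} {entry['asset']:<22} {entry['weakness']}"
              f"  <- {', '.join(entry['sources'])}")
    print("duplicates removed:", duplicates_removed(RAW_FINDINGS))
```

Matching on normalised free text is only a first pass; where the sources can be made to carry a shared control identifier (a framework control reference, for instance), keying on that identifier is more reliable than keying on wording.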

The Invisible Perimeter

Most respondents will be adopting a hybrid work environment. This holds true for the third-party vendor ecosystems as well. With extensions in physical boundaries, the perimeter has become far blurrier and more invisible than before.

Amidst this scenario, most organisations find it challenging to determine if a data breach has taken place at the third-party contractor organisation. This has been cited as a critical business challenge where CISOs and CROs have limited visibility and control.

• Most of the third-party vendors do not report a security or data breach that happens within their network. Currently, CISOs and CROs do not have a comprehensive tool or policy framework to ensure transparency of an incident.

• This significantly amplifies the risk exposure of an organisation and puts them in an unknown situation.

• Another challenge cited by a respondent was the fact that work from home and the consequent flexibility in the working environment gave employees the option to work at odd hours and weekends.

• In such cases, VPN access must work all the time, and one of the concerns is that if an employee's device gets infected while being offline, it cannot be detected until it gets connected to the network, and by the time that happens, the network will be compromised. The organisation has hence adopted telemetry to manage and mitigate the risk and secure the endpoints.

How to Best Manage Third-party Risks

There are different facets of risk in general. However, the two most salient parts of risk are understanding the likelihood of something going wrong, and understanding the corresponding loss associated with that event. Organisations that can manage these two areas will be highly effective in mitigating risks from third-party vendors.

Understanding the Probability of Risk

Organisations must shift their thinking from cyber resilience to digital resilience. Digital resilience requires digital visibility – having a view of everything that is happening across the entire environment, including the key digital assets.

One of the most significant components of visibility and risk exposure is the way vendor information is collected, analysed and used for current and future risk purposes.

Organisations must move to digital questionnaires on a third-party cloud platform with the following capabilities.

1. A cloud location that allows vendors of all sizes and types to fill in forms conveniently across different teams.

2. Different varieties of questionnaires for different types of vendors.

3. Auto-fill capabilities that help existing vendors to easily fill out forms for re-evaluation and audit.

4. Authentication capabilities to verify compliance certificates and similar evidence online.

5. AI-based models to verify answers and forecast the risk exposure based on information provided within the questionnaire.

These capabilities will minimise errors and misinformation at the beginning of the risk assessment process while shortening the onboarding time for the third party, consequently helping the business.

Once this is achieved, organisations must seek to integrate compliance and governance requirements, risk registers and digital questionnaires to automate the risk framework and scoring models.
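The Vendor Questionnaire section earlier noted that most organisations take questionnaire answers on trust without asking for evidence, and capability 4 above is the remedy: verify certificates and similar evidence. The following is an added example, not code from the report or from any questionnaire platform it refers to, of a scoring model that makes that difference visible. A "yes" earns full credit only when it is backed by evidence that has not expired; otherwise it earns half credit and generates a follow-up. Running the same response with `require_evidence=False` reproduces the trust-everything model and shows how much exposure it hides. The question set, weights, discount factor, review date and the vendor response are all constructed for illustration.

```python
"""Score a vendor security questionnaire, discounting answers with no evidence.

Added example, not code from the ADAPT/RSA report or any platform it
mentions. It encodes two points the report makes: respondents rarely ask
vendors for evidence behind questionnaire answers, and a digital
questionnaire platform should verify certificates and similar evidence.
The question set, weights, discount factor and vendor responses below are
constructed for illustration.
"""
from datetime import date

REVIEW_DATE = date(2020, 8, 26)

# Constructed questionnaire. "weight" is how much a control counts towards
# exposure; "needs_evidence" marks answers that should be backed by a
# certificate, report or screenshot rather than taken on trust.
QUESTIONS = {
    "mfa_for_remote_access":       {"weight": 3, "needs_evidence": True},
    "data_stored_onshore":         {"weight": 2, "needs_evidence": True},
    "assurance_report_current":    {"weight": 3, "needs_evidence": True},
    "security_awareness_training": {"weight": 1, "needs_evidence": False},
    "patching_within_30_days":     {"weight": 2, "needs_evidence": True},
}

UNEVIDENCED_CREDIT = 0.5  # a "yes" without valid evidence earns half credit

# Constructed response from one vendor, with mixed evidence quality.
VENDOR_RESPONSE = {
    "mfa_for_remote_access": {
        "answer": True,
        "evidence": {"kind": "screenshot", "expires": date(2021, 1, 31)}},
    "data_stored_onshore": {"answer": True},  # asserted, no evidence supplied
    "assurance_report_current": {
        "answer": True,
        "evidence": {"kind": "assurance report", "expires": date(2020, 3, 31)}},  # expired
    "security_awareness_training": {"answer": True},
    "patching_within_30_days": {"answer": False},
}


def score_questionnaire(answers, today=REVIEW_DATE, require_evidence=True):
    """Return (risk score 0-100, follow-up list). With require_evidence=False
    every "yes" is taken at face value, which is the trust model the report
    says most respondents currently operate under."""
    max_points = sum(q["weight"] for q in QUESTIONS.values())
    earned = 0.0
    follow_ups = []
    for key, q in QUESTIONS.items():
        ans = answers.get(key)
        if ans is None:
            follow_ups.append(f"{key}: unanswered")
            continue
        if not ans["answer"]:
            follow_ups.append(f"{key}: answered no")
            continue
        credit = float(q["weight"])
        if require_evidence and q["needs_evidence"]:
            ev = ans.get("evidence")
            if ev is None:
                credit *= UNEVIDENCED_CREDIT
                follow_ups.append(f"{key}: request evidence")
            elif ev["expires"] < today:
                credit *= UNEVIDENCED_CREDIT
                follow_ups.append(f"{key}: evidence expired {ev['expires'].isoformat()}")
        earned += credit
    risk = round(100 * (1 - earned / max_points))
    return risk, follow_ups


def risk_tier(score):
    """Map a score to the tiers a risk threshold policy would act on."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


if __name__ == "__main__":
    for mode in (False, True):
        score, todo = score_questionnaire(VENDOR_RESPONSE, require_evidence=mode)
        print(f"require_evidence={mode}: score={score} tier={risk_tier(score)}")
        for item in todo:
            print("  -", item)
```

On the constructed response the trust-everything model rates the vendor low risk, while the evidence-aware model rates it medium and produces the exact follow-up list (missing evidence, expired report, a declined control) that a risk team would send back to the vendor before onboarding.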

Conclusion

The Australian government will soon be introducing the National Cybersecurity Strategy policy that introduces new legislation around data protection, sovereignty, and governance along with other cybersecurity requirements for organisations that provide critical infrastructure.

This will further require organisations to broaden the scope of their cybersecurity strategy and minimise risks not just through risk frameworks but through awareness programs and automated security and risk mitigation tools.

There is an increased understanding among the leadership teams around the importance of cybersecurity. CISOs have received new funding to bolster security.

Most organisations are looking at hiring new team members and upgrading their existing tools to monitor the attack surface better, pre-empt and mitigate threats and shorten the time taken around attack notifications.

No organisational perimeter can be fully protected from a security attack, irrespective of processes, technologies and awareness programs. However, if the risks are accurately and adequately ascertained, then consequences can be managed well within time. Security technologies can be the core infrastructure that bridges these two ends of a security strategy.

About ADAPT

ADAPT's vision is to make Australia & NZ more commercially competitive and productive, for us and for future generations. For nearly 10 years, we have enabled this by connecting and equipping executives with the knowledge, relationships, inspiration and tools they need to gain advantage. With a deep understanding of modern business challenges, ADAPT delivers unique local research and advisory.

For more information visit adapt.com.au

[email protected] +61 (2) 9435 3535

This work is restricted under copyright and for the intended individual only. Apart from any use permitted under the Copyright Act 1968, no part of this work may be copied, reproduced, transmitted, shared by any process, nor may any other exclusive right be exercised, without the permission of ADAPT Ventures Pty. Ltd. Copyright 2020. For additional information please refer to our Privacy Policy, Content Usage Policy and Website Terms Of Use or contact us at [email protected]

ABOUT RSA

INNOVATION
• Encryption
• Authentication
• Omni-Channel Fraud Risk Engine
• SIEM/SOAR
• Integrated Risk Management

TRUST
• 35+ years
• 12,500+ customers
• 50M+ identities
• 2B consumers
• 94% of the Fortune 500

LEADERSHIP
• Recognised leadership by analyst firms
• Industry leading events and thought leadership
• Expertise, guided by proven frameworks

ECOSYSTEM
• 700+ practitioners
• 400+ global partners
• 1100+ product integrations
• Robust customer community

ADDRESSING CRITICAL RISKS OF TRANSFORMATION
• Cyber-Attack Risk
• Third-Party Risk
• Dynamic Workforce
• Cloud Transformation
• Data Privacy & Governance
• Business Resiliency
• Process Automation
• Compliance Modernisation

©2020 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice.