Russia’s invasion of Ukraine has elicited a unified response from NATO, the EU and the UN, with member nations imposing severe sanctions on Russia as punishment. Considering that some of the most severe third-party cyberattacks – such as SolarWinds, Colonial Pipeline and JBS Foods – have been traced to Russia, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned businesses and governments to stay vigilant against potential ransomware attacks originating from Russia in retaliation for imposing these sanctions.
How should third-party risk management professionals respond? Here are five actions to take immediately:
- Inventory all suppliers.
Begin by ensuring that the organization has centralized visibility into all suppliers because unmanaged, rogue vendors can present hidden risks to the organization. Third-party risk management platforms offer capabilities to automate vendor onboarding, reducing the time and effort required to manage vendors. Then, during the onboarding process, inherent risk scoring features can help determine how to assess suppliers on an ongoing basis according to the risks they pose to the business.
- Build a comprehensive profile for every supplier.
As part of the inventory process, build a comprehensive profile for every vendor that includes industry and business insights, demographics, fourth-party technology relationships, corruption perception index (CPI) scores, and other important information. This will help zero-in on potentially geo-politically exposed vendors. Instead of relying on multiple non-integrated tools to gather this information, look for single monitoring solutions that automatically build that database for the organization.
- Identify technology concentration risk.
One of the enduring lessons from the SolarWinds breach was that organizations should have known which of their suppliers or vendors were using the technology to better understand their own third-party attack surfaces. As part of the profiling process in Step 2, leverage the collection of fourth-party technologies deployed in the company’s supplier ecosystem to determine which would potentially be exposed to a targeted breach. Identifying relationships between the company and third parties based on technology usage will help the team discover dependencies and visualize attack paths into the enterprise.
- Proactively assess suppliers for business resilience and continuity plans.
Don’t wait for a cyberattack to determine the business resilience plans of suppliers. Instead, proactively engage vendors now with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help target needed remediations to close potential security gaps, for example in software development lifecycle management – a common weakness cited in software supply chain breaches. Good solutions will offer built-in recommendations to speed the remediation process and close those gaps quicker.
- Continuously monitor for potential cyberattacks.
Start by centrally managing vendors, understanding concentration risk, and being more proactive about assessing vendor business resilience plans. However, stay continuously vigilant for the next attack. Look for signals of an impending security incident by monitoring the internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Typical sources of third-party intelligence include:
- Cyber: Criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases.
- Business: Mergers and acquisitions activity, business news, negative news, regulatory and legal information, operational updates.
- Financial: Turnover, profit and loss, shareholder funds.
- Reputational: Global sanctions lists (OFAC, EU, UK) and lists of state-owned enterprises from sanctioned countries.
As in Step 2, monitor these sources separately, or look for products that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise.
Many organizations struggle to get timely information about security incidents impacting their supply chains. Delays between a vendor incident and the company’s own risk identification, analysis and mitigation will leave the organization exposed to operational disruptions. The five steps we outline here are best practices for most situations, but are increasingly important as the Russia-Ukraine crisis drags on and threats from cyberattacks increase.
Brad Hibbert, COO and CSO, Prevalent