
Third-party security risks require a comprehensive, enterprise-wide approach according to Chief Information Security Officers (CISOs)

Organizations should prioritize operational robustness and enhance their assessment methods for better preparedness.

Cybersecurity leaders advocate for a comprehensive strategy across the organization in dealing with risks posed by external partners.


In the wake of a series of high-profile cyber attacks, such as NotPetya, the 2017 CCleaner hack, and the recent SolarWinds supply-chain attack, corporations are reassessing their risk posture. Thousands of U.S. companies are now taking a closer look at their vendor relationships and privileged access points as potential entry points for attacks against targeted customers.

Rockwell Automation, a leading manufacturer of industrial control products, is at the forefront of this shift. The company is conducting a risk analysis and threat modelling of its build environment, and has formed a working group with other companies to review this critical aspect of its operations. Dawn Cappelli, VP and CISO at Rockwell Automation, has highlighted the new threat vector in which a company's own products are compromised and then used to attack its customers.

Similarly, Edna Conway, VP and chief security & risk officer at Microsoft Azure, emphasises the need for corporations to build operational resilience across the entire security spectrum. Conway suggests that a blend of security and resiliency is the key to protecting against third-party risk of the kind the SolarWinds attack demonstrated.

The New York Times, too, has been vigilant in its cybersecurity measures. During the SolarWinds attack, it was the company's own strong security program that spared it the brunt of the attack, not, as is often assumed, the vendor's answers to a 4,000-question assessment of its security practices. Erinmichelle Perri, CISO at The New York Times, prefers a centralised rating source such as SecurityScorecard or BitSight for real-time information on vendors.

Companies are also stepping up assessments and monitoring of third-party vendors. Annual assessments with thousands of questions are not always an efficient way of establishing a vendor's security posture, according to Perri. Instead, corporations are pairing compliance checklists with other screening methods, such as the rating services Perri favours, to vet third-party vendors.

Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, with the question "Are we a target?" being a key concern. Following the SolarWinds supply-chain attack, corporate risk officials are advised to adopt a more holistic approach to security, considering factors like business continuity policies, physical security, operational security, and environmental sustainability.

In conclusion, the rise in supply chain threats has prompted a significant shift in cybersecurity priorities. Companies are recognising the importance of operational resilience, third-party risk management, and a holistic approach to security to protect themselves against potential threats. As the landscape continues to evolve, it is clear that vigilance and adaptability will be key in maintaining cybersecurity.
