Three best practices for mitigating digital third-party risks

Published: Friday, 11 June 2021 07:38

As businesses continue to evolve in response to COVID-19, rapidly moving towards digital transformation, there’s a risk they’re exposing themselves to more third-party risk than is necessary. Aaron Dobie suggests three steps that can help mitigate some of these risks.

Over the past eighteen months, businesses have experienced a tectonic shift that many are still struggling to negotiate. Businesses had to rapidly accelerate their digital transformation strategies, with roughly 70% of businesses across the technology, retail and finance sectors reporting a dramatic increase in their plans for digitalization as a direct result of the pandemic. Any change in the digital landscape tends to come with increased risk, and this past year has been no exception. As businesses continue to rapidly evolve there’s a risk they’re exposing themselves to more third-party risk than is necessary. In this article, we’ll outline some of those third-party risks, how businesses are exposing themselves, and what they can do about it.

Increased risk and exposure

There has been a significant increase in cyber attacks and breaches around the world since the beginning of the pandemic. This is no doubt partly due to businesses embracing remote and hybrid working, rapidly implementing new tools and software from vendors in order to help them solve the many new challenges involved. The end result is a tangled web of applications, a far cry from the neat and manageable architecture that the term ‘supply chain’ evokes. Even organizations as formidable as Microsoft, Cisco, and the US government were badly impacted by the SolarWinds breach in December 2020 – all as the result of a hijacked software update that seemed perfectly trivial.

One of the ways in which businesses of all sizes – but especially small and medium-sized ones – are exposing themselves to third-party digital risk is by overlooking, during vulnerability assessments, free open-source software that has no financial footprint. If an application isn’t documented and doesn’t have a financial trail, it’s likely to slip through the net when establishing a network’s vulnerability.

Similarly, it’s tempting for businesses to get lax with permissions when they’re enlisting the help of so many apps and tools from third-party vendors. It’s not uncommon for a business to give full admin rights to a seemingly innocuous application that’s designed to do something quite trivial, just because it’s more convenient and the app in question isn’t seen as a threat. Why bother to make a set of access controls for a small piece of throwaway software that might be forgotten a few months down the line? It’s even worse if that software goes on to become critical to a company’s day-to-day operations.

Best practices for improving risk posture

Third-party risk management (TPRM) is important to get right, but even with the most perfect risk strategy in place, there’s a possibility that things can still fall through the net. With that in mind, there are best practices that all businesses should now be embracing – regardless of size – as we emerge into the so-called ‘new normal’:

Limit access through least privilege

Just because an application is free or has a small network footprint doesn’t mean it shouldn’t have tight access controls applied to it. If a breach does occur and an app becomes compromised, you want it to have the lowest possible level of access that it needs to perform its job. Put the time into setting strict and tailored access controls for individual applications and tools, no matter how trivial they may seem or how much your business is planning on using them.

Ranking vendors in terms of risk

Many businesses are guilty of only focusing their vetting and assessment resources on big vendors that have a mission-critical role to play within their organization. This is good, but smaller, less obvious apps that are waved through and overlooked can have just as catastrophic consequences as more pervasive software. Ranking vendors in terms of potential risk rather than simply their size is a better approach.

Don’t rush patching

Patches are generally good. They tighten security and fix errors. But rushing out patch after patch as soon as they become available can cause all kinds of headaches, from unwanted downtime to new vulnerabilities being exposed. Rank patches in order of importance, and apply them gradually with a solid backup strategy in place.

By combining a solid third-party risk management strategy with a few basic best practices, businesses can dramatically improve their risk posture as we navigate through one of the most turbulent digital times in a generation.

The author

Aaron Dobie is Adversary Simulation Lead at SureCloud.