Navigating the New Cybersecurity Landscape: Dissecting the Twice-Removed Third-Party Risk
Priscilla Kosseim
Chief Information Security Officer (CISO) at Groupe Robert | Championing Cybersecurity, Risk Management, and Data Protection | Speaker and Advocate for Inclusive Leadership and Emerging Talent
The recent cybersecurity incident involving financial services companies brings into stark relief an evolving threat landscape: the twice-removed third-party cyber risk. This incident has underscored the complex, intertwined nature of our business ecosystem, revealing the pressing need for a comprehensive, multi-layered approach to cybersecurity.
Dissecting the Incident
The breach occurred two steps away from the affected financial services companies, implicating a third-party data transfer supplier, GoAnywhere. This compromise led to the exposure of clients’ names, social insurance numbers, and personal addresses, demonstrating the far-reaching implications of cyber threats in our increasingly interconnected world.
Recognizing the New Threat Landscape
This incident highlights the emerging risk in today's hyper-connected business environment: the twice-removed third-party cyber threat. As we navigate this new threat landscape, the potential surface area for cyberattacks extends beyond organizational boundaries, encompassing the intricate web of third-party vendors and their own set of suppliers.
Evaluating the Risk of Third-Party's Third-Party Vendors
Identifying and evaluating the risk associated with third-party's third-party vendors is a significant challenge. It involves a deep understanding of the complete supply chain, rigorous risk assessment processes, and continuous monitoring. The process starts by conducting thorough due diligence on the immediate third-party vendors, which should encompass an evaluation of their own third-party risk management practices. The question is, where do we stop? The answer lies in understanding the criticality of the service provided by the vendor and the sensitivity of data handled, which should determine the extent of the risk assessment process.
Reinforcing the Cybersecurity Framework: The Three Vital Phases
Addressing this evolving threat requires a robust, adaptable, and comprehensive approach to cybersecurity, encapsulating proactive preparedness, swift response, and reflective recovery after a breach. Often, these stages are not given the attention they deserve, leading to potential gaps in the organization's cybersecurity framework.
Before the Breach: The focus here should be on proactively strengthening the cybersecurity framework. This includes regular evaluations of cybersecurity posture, scrutinizing third-party and twice-removed vendor risks, and testing the efficacy of incident response plans. Equally important in this phase is cybersecurity training for all employees, turning a potential liability into a robust line of defense.
During the Breach: This phase requires swift action, clear decision-making, and transparent communication. Having a well-defined incident response plan that outlines roles, responsibilities, and procedures to contain the incident and protect sensitive data is crucial. But equally critical is ensuring backup plans not just for data and systems, but for people too – cross-trained staff who can step in and manage a crisis situation effectively. Maintaining open lines of communication with stakeholders throughout is vital to manage expectations and maintain trust.
After the Breach: The post-breach phase is all about learning and adapting. Organizations must conduct a thorough post-incident review to understand the root cause, learn from the incident, and use these insights to bolster future security measures. Minimizing reputational damage and rebuilding trust with partners, customers, and suppliers is also a key focus area.
At CGI, we understand the complexities of this evolving cybersecurity landscape and offer comprehensive services spanning these critical stages. We partner with organizations to evaluate their security posture, develop robust cybersecurity strategies, manage third-party risks, and prepare for potential breaches. We also provide pre-, during-, and post-breach support, assisting with incident response, communication, post-incident review, and recovery efforts.
As we traverse this new threat landscape, the emphasis must be on collective responsibility and proactive adaptation. The journey may be challenging, but with strategic foresight, proactive efforts, strong partnerships, and a commitment to continuous learning and improvement, we can navigate it successfully together.