Why Third-Party Security is So Essential for Organisations
Norman Newell - Securing Ireland's Enterprise
Cyber Security | Security Distributor | Vendor Management | Cyber Expo Ireland
Since 2004 the month of October has been designated as Cybersecurity Awareness Month. Many organisations, countries, and supranational bodies use the month to hold events that raise awareness about security. For example, see the Renaissance's Spotlight page, the Ireland NCSC page, the USA CISA page, and the EU's European Cybersecurity Month page.
The goal for everyone promoting and participating in Cybersecurity Awareness Month events and activities is to help combat the tide of cyberattacks. That tide has been rising over the last few years, and especially recently because of the surge in ransomware.
Thinking about the Broader Cybersecurity Landscape
One often overlooked aspect of cybersecurity awareness is the security of an organisation's supply chain. Most organisations have dozens, hundreds, or even thousands of third-party suppliers of services and goods. Most interactions in the supply chain are digital, ranging from email at one end of the spectrum to full integration of particular business systems at the more complex end.
When cybersecurity planning occurs, any strategy devised to protect the organisation has to include an evaluation of the security in place at the organisations in its supply chain. This needs to encompass the multi-cloud hybrid nature of most modern web-based applications and services: there needs to be an evaluation of which cloud and other third-party IT systems suppliers are using in addition to their on-premises IT systems.
The Panorays Third-Party Security Risk Platform makes the process of evaluating the cybersecurity of supply chain partners much easier, as we describe below.
Supply Chain Attacks Are on the Rise
Cybercriminals are always looking for ways to attack and breach cyber defences. The bad actors have seen that suppliers in the complex interlinked modern supply chain provide a vector to attack and infiltrate their targets. In 2021 we have seen high profile supply chain attacks such as the SolarWinds and Kaseya attacks. Both attacks used software stacks that provide services to multiple other organisations to bypass security and deploy ransomware and other malware in thousands of organisations. These two supply chain attacks were not the only ones — Microsoft, Accellion, and Codecov all disclosed breaches in which cyber criminals used their software services to attack and breach other organisations. More direct supply chain attacks in which the attackers compromise a third party and then use the IT links to infect others in the supply chain are also common.
The trend of criminals targeting the supply chain is only going to increase. In July, the EU Agency for Cybersecurity (ENISA) published a report called Threat Landscape for Supply Chain Attacks, in which they predict that supply chain attacks will quadruple. A quote from the conclusions of the report:
As the cost of direct attacks against well-protected organisations increases, attackers prefer to attack their supply chain, which provides the additional motivation for a potentially large-scale and cross-border impact. This migration has resulted in a larger-than-usual number of supply chain attack cases reported, with a forecast of four times more supply chain attacks in 2021 than in 2020.
Supply Chain Regulations
Ensuring that the supply chain is secure is more than good business practice for some sectors; it is required by many regulations. For example, businesses operating in the finance sector in the EU must follow guidelines issued by the European Banking Authority (EBA). When banks and other financial institutions in the EU use third-party suppliers, they must ensure that the vendors provide the same level of protection for their customers as the primary financial organisations are required to implement.
Demonstrating compliance with the EBA third-party vendor guidelines is challenging, as is outlined in the Panorays blog The Impact of EBA Guidelines on Third-Party Risk Management. Showing good cybersecurity in the supply chain more generally is also a challenge, but one that auditors and other interested parties increasingly require even in non-regulated sectors of the economy.
Panorays Third-Party Security Risk Platform
The Panorays Third-Party Security Risk Platform provides an excellent way to vet the security provisions of suppliers in the supply chain on an ongoing basis. It combines automated, dynamic security questionnaires with non-intrusive external attack surface assessments and business relationship context analysis to provide organisations with a rapid, accurate view of supplier cyber risk. It is the only supply chain assessment platform that automates, accelerates, and scales third-party security evaluation and management, simplifying and speeding up both third-party security risk evaluation and the process of vetting the security of potential suppliers.
The Panorays platform continuously monitors and evaluates supplier cybersecurity and alerts about any security changes or breaches that occur in third parties. As a result, it allows businesses to decide quickly whether to risk dealing with new suppliers and whether to continue the relationship if their cybersecurity posture deteriorates.
Panorays supports the entire third-party security risk management process:
· Analysis - evaluating the supplier's security posture, combining information from both security questionnaires completed by the vendor and an external attack surface assessment performed by the Panorays platform. The platform then performs a deep gap analysis of all security information gathered.
· Engagement - communicating with the supplier through the platform to achieve clarity regarding its security and privacy capabilities.
· Remediation - working with the supplier on closing the cyber gaps. Organisations can share with their vendors prioritised remediation plans generated by the platform, including cyber gaps identified in both questionnaires and the external assessment.
· Approval - approving the supplier or rejecting it based on the company's risk tolerance.
· Monitoring - continuing to monitor the supplier to detect any cyber gaps. Panorays continuously updates the cyber risk assessment based on changes to the supplier's external footprint and responses to questionnaires. The organisation's security team receives live alerts about any security changes or breaches at the supplier.
Conclusion
A third-party security risk evaluation and management platform is essential for all organisations to ensure that their suppliers are not introducing a security risk. Renaissance is the distribution partner for Panorays in Ireland. Together, we can ensure that organisations and security providers of all sizes have the best platform to evaluate third-party risk. More importantly, we can address and remove any risks so that profitable supply chain partnerships can flourish. Contact us today to find out more and see the Panorays website for a deep dive into the platform.