How to reduce the risk of third-party SaaS apps

Third-party SaaS apps (and extensions) can significantly extend the functionality and capabilities of an organization’s public cloud environment, but they can also introduce security concerns. Many have permission to read, write, and delete sensitive data, which can have a tremendous impact on security, business, and compliance risk.

Assessing the risk of these applications is the key to maintaining a balance between safety and productivity. How can organizations take advantage of these apps’ convenience while also maintaining a secure environment?

Understanding the risk

In an ideal world, each potential application or extension would be thoroughly evaluated before it is introduced into the environment. However, with most employees still working remotely and administrators having limited control over their online activity, reducing the risk of potential data loss is just as important after the fact. In most cases, the threats from third-party applications come from two different perspectives:

  • The third-party application may try to leak your data or contain malicious code
  • The application may be legitimate but be poorly written, leading to security gaps – poorly coded applications can introduce vulnerabilities that lead to data compromise

Google takes no responsibility for the safety of the applications on Marketplace, so any third-party app or extension downloaded by your employees becomes your organization’s express responsibility.

Application security best practices

While Google has a screening process for developers, users are solely responsible for compromised or lost data. Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security?

  • Properly evaluate the vendor or application
  • Screen gadgets and contextual gadgets carefully

Google notes that you should evaluate all vendors and applications before using them in your Google Workspace environment. To analyze whether or not a vendor or application is acceptable to use from a Google Workspace security perspective before you install the application:

  • Look at reviews left by customers who have downloaded and installed the third-party application. Reviews are listed for all Google Workspace Marketplace apps
  • Closely analyze the third-party application vendor’s Terms of Service, privacy policy, and deletion policy agreements to ensure there are no unwanted, hidden clauses that may affect security
  • Contact the third-party application vendor directly regarding grey areas that may be questionable

The process of analyzing hundreds of applications across a large environment can create a situation that’s nearly impossible to manage. Administrators need a solution that can allow them to see all the apps on their environment in one place and assess the riskiness of each, allowing them to easily take action on those with the most vulnerabilities.

Employee risk factors

Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions.

  • Sensitive data transfer – an employee installs an app that connects to the Google Workspace environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company.
  • Employee termination – When a company fires an employee, IT admins usually suspend the user account. When you suspend a Google Workspace account, all the apps still have access to sensitive data accessible by the user. This can potentially lead to a data breach.
  • Compromised third-party apps – An app can be hacked by cybercriminals. Developers may not be able to quickly identify the breach before the attackers start downloading or migrating an abnormal amount of data or change the scope of permissions, which constitutes strange behavior.

As you can see, the risk of downloading external apps extends even beyond an employee’s tenure at the organization.
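The inventory view and the suspended-account problem described above can be combined into one triage pass. The following is an added example, not code from the original article or from Google: it ranks apps by the access they hold and lists grants still attached to suspended users. The field names mirror the Admin SDK Directory API User and Token resources; the sample records, client IDs and risk weights are constructed assumptions.

```python
from collections import defaultdict

# Assumption: a coarse 0-3 risk weight per OAuth scope, chosen for this example.
FULL_ACCESS = {
    "https://mail.google.com/",               # read, send and delete all mail
    "https://www.googleapis.com/auth/drive",  # read, write and delete all Drive files
}
IDENTITY_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def scope_risk(scope):
    """Return 0 (identity only) to 3 (full read/write/delete) for one scope."""
    if scope in IDENTITY_ONLY:
        return 0
    if scope in FULL_ACCESS:
        return 3
    if scope.endswith(".readonly"):
        return 2
    return 1  # unrecognised scope: keep it visible for manual review


def audit_grants(users, tokens):
    """Group token grants by app, then rank apps for review.

    Apps with a live grant on a suspended account sort first, then by the
    highest scope risk, then by how many users installed them.
    """
    email_by_id = {u["id"]: u["primaryEmail"] for u in users}
    suspended_ids = {u["id"] for u in users if u.get("suspended")}
    apps = defaultdict(
        lambda: {"name": "", "risk": 0, "users": set(), "revoke_for": set()}
    )
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", "")
        app["risk"] = max([app["risk"], *map(scope_risk, tok.get("scopes", []))])
        email = email_by_id.get(tok["userKey"], tok["userKey"])
        app["users"].add(email)
        if tok["userKey"] in suspended_ids:
            # Suspension alone leaves the grant in place, so list it for revocation.
            app["revoke_for"].add(email)
    report = [
        {"clientId": cid, "name": a["name"], "risk": a["risk"],
         "users": sorted(a["users"]), "revoke_for": sorted(a["revoke_for"])}
        for cid, a in apps.items()
    ]
    report.sort(
        key=lambda r: (bool(r["revoke_for"]), r["risk"], len(r["users"])),
        reverse=True,
    )
    return report


# Constructed sample export (not real accounts or client IDs).
USERS = [
    {"id": "1001", "primaryEmail": "alice@example.com", "suspended": False},
    {"id": "1002", "primaryEmail": "bob@example.com", "suspended": True},
    {"id": "1003", "primaryEmail": "carol@example.com", "suspended": False},
]
TOKENS = [
    {"userKey": "1001", "clientId": "mail-merge.constructed",
     "displayText": "Mail Merge Helper",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "1002", "clientId": "drive-sync.constructed",
     "displayText": "Drive Sync Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "1003", "clientId": "drive-sync.constructed",
     "displayText": "Drive Sync Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "1003", "clientId": "cal-view.constructed",
     "displayText": "Calendar Viewer",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "1001", "clientId": "sso.constructed",
     "displayText": "SSO Login",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]

if __name__ == "__main__":
    for row in audit_grants(USERS, TOKENS):
        print(row["risk"], row["name"], "revoke for:", row["revoke_for"])
```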

Automated security vs. manual analysis

The number of threats, variants, complexities, hybrid networks, BYOD, and many other factors makes it nearly impossible for organizations to rely on manual efforts for adequate security. Computers are simply more effective and efficient at parsing logs and correlating activities.

Humans tend to be much less detail-oriented when it comes to repetitive, monotonous tasks such as crunching numbers and examining data. Additionally, computers don’t get fatigued and can work on an ongoing basis.

Machine learning takes advantage of technology and leverages complex mathematical algorithms to learn about an environment and linked applications and recognize deviations from “normal.”

Finding a security solution powered by machine learning that includes an application assessment component is the best way for administrators to protect their cloud environments from third-party threats effectively.

The current state of third-party risk management

Third-party risk management (TPRM) professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute.

As a result, the study found more enterprises are moving towards data-driven third-party risk management programs.

Many firms use questionnaires to assess vendor security risk

The research, based on a survey of 154 active TPRM professionals, found that 79% of firms have a TPRM program, 84% of which use questionnaires to assess vendor security risk.

While 81% of enterprises report that at least 75% of their vendors claim perfect compliance to their security requirements, only 14% are highly confident that vendors actually perform those requirements.

“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,” said Kelly White, CEO, RiskRecon.

“Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise – rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor’s risk management program. For example, rather than just trusting vendors’ word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program.”

While the adoption of TPRM surges, there’s still more to be learned

  • Companies are critically dependent on third parties, trusting them with their most sensitive data and operations functions. The survey found that one out of three TPRM programs manage more than 100 vendors per year. On average, respondents said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claim that half of their entire network could trigger severe impacts.
  • Lack of proper resources and support continues to be a challenge for effective risk management. 57% of respondents say that staffing levels regularly limit their ability to keep up with the responsibilities of managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. And more than 25% of programs report severe personnel shortages, which prevents critical tasks from being completed.
  • Professionals do not trust questionnaire-based assessments; adding objective data to close the gap. Only 14% of surveyed professionals report being highly confident in the accuracy of vendor questionnaire responses. For this reason, 42% of respondents use cybersecurity ratings, along with other measures as part of their assessment mix.

“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner, Cyentia Institute.

“While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”

Challenges organizations face in combating third-party cyber risk

A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties.

Twenty percent of an organization’s third parties are high risk

Based on the third-party population ingested by enterprise customers, on average, 20% of an enterprise’s third-party portfolio poses high inherent risk. This means that if these third parties become compromised or unavailable, the fallout of that event will have a high impact on the enterprise.

Unlike residual risk, inherent risk is the risk absent any security controls, but it is critical in helping organizations identify where to focus their due diligence efforts.

Third parties in certain industries still have significant gaps

Third parties in certain industries are more likely to have mature cybersecurity programs, but still have significant gaps. Organizations in the financial, technology, telecom, and healthcare industries are oftentimes third parties themselves.

These third parties tend to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorization and authentication.

Company size correlates with security maturity and coverage

Larger organizations do not necessarily equate to greater risk. In fact, as companies get smaller, data shows they have fewer controls in place and less mature programs.

These smaller companies can retain significant access to sensitive data and systems, and it should not be assumed they pose less risk.

The most common third-party security gaps

The most common third-party security gaps are desktop and laptop protection, server protection and virtualization protection (on-premise or cloud-based).

No matter the reported maturity of their security program, all industries researched reported areas of weakness across the following five areas: desktop and laptop protection; server protection; virtualization protection (on-premise or cloud-based); data at rest protection; and data in motion protection.

These gaps in protections are considered basic security controls. The lack thereof leaves companies—and those in their third-party ecosystem—open to risks such as ransomware attacks, website defacement, data modification, exfiltration, and malicious use of PII.

Vendors posing the greatest risk

Organizations tend to focus on the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk. Many companies tend to focus on the same set of third parties, and often on their larger third parties when they determine who to assess.

But according to research data, vendors with a history of being assessed are incentivized to improve and often have more mature security programs in place, whereas smaller or lesser-known companies may pose significant risk.

This finding makes it evident that using a scalable and repeatable approach that allows companies to review deeper layers of their vendor ecosystem is critical, because that is where significant risk often sits.

Why this matters

According to a 2020 Ponemon survey, the typical enterprise has an average of 5,800 third parties, and that number is expected to grow by 15 percent in the next year. As digital transformation continues to drive increased reliance on third parties, the criticality of third-party cyber risk management will only increase.

The report illustrates the incredible value of data to drive the prioritization and reduction of third-party risk. Replacing false positives and static assessments with standardized, validated data and insights empowers organizations to better understand their third-party ecosystem and transition from simply assessment collection to robust risk management.

Enterprise IT security teams continue to struggle

CyberEdge conducted a web-based survey of 600 enterprise IT security professionals from seven countries and 19 industries in August 2020 in an effort to understand how the pandemic has affected IT security budgets, personnel, cyber risks, and priorities for acquiring new security technologies.

Impacts from the work-from-home movement

Prior to the pandemic, an average of 24% of enterprise workers had the ability to work from home on a full-time, part-time, or ad hoc basis. As of August 2020, that number more than doubled to 50%.

Many enterprises without existing BYOD policies were instantly compelled to permit employee-owned laptops, tablets, and smartphones to access company applications and data – in some instances without proper endpoint security protections.

Resulting IT security challenges

A 114% increase in remote workers coupled with a 59% increase in BYOD policy adoption has wreaked havoc among enterprise IT security teams.

The top-three challenges experienced by enterprise IT security teams have been an increased volume of threats and security incidents, insufficient remote access / VPN capacity, and increased risks due to unmanaged devices.

Furthermore, an astounding 73% of enterprises have experienced elevated third-party risks amongst their partners and suppliers. Adding fuel to the fire, 53% of these teams were already understaffed before the pandemic began.

Healthy 2020 and 2021 IT security budgets

While most enterprises searched for ways to reduce overall operating expenses in 2020, 54% of those surveyed increased their IT security operating budgets mid-year by an average of 5%.

Only 20% of enterprises reduced their overall IT security spending after the start of the pandemic. With regard to the impact of the pandemic on next year’s security budgets, 64% of organizations plan to increase their security operating budgets by an average of 7%.

Increased demand for cloud-based IT security investments

Arguably the biggest impact that the COVID-19 pandemic has had on the IT security industry is an increased appetite for cloud-based IT security solutions. This is primarily driven by the massive increase in remote workers but may also be influenced by having fewer IT security personnel available on site to install and maintain traditional on-premises security appliances.

Exactly 75% of respondents have indicated an increased preference for cloud-based security solutions. The top-three technology investments to address pandemic-fueled challenges are cloud-based secure web gateway (SWG), cloud-based next-generation firewall (NGFW), and cloud-based secure email gateway (SEG).

Reducing IT security personnel costs

Despite increased funding for cloud-based security technology investments, 67% of enterprise security teams were forced to temporarily reduce personnel expenses through hiring freezes (36%), temporary reductions in hours worked (32%), and temporary furloughs (25%). Fortunately, only 17% were forced to lay off personnel.

Training and certification make a huge difference

78% of those with IT security professional certifications feel their certification has made them better equipped to address pandemic-fueled challenges.

Next year, enterprises anticipate increasing their security training and certification budgets by an average of 6%.

Taking third-party risks seriously

The doubling of remote workforces has significantly increased third-party risks. As a result, 43% of enterprises have increased their third-party risk management (TPRM) technology investments. 77% are seeking technologies to help automate key TPRM tasks.

Securing employee-owned devices

In an effort to secure employee-owned devices connecting to company applications and data, 59% of enterprises are providing antivirus (AV) software, 52% are investing in mobile device management (MDM) products, and 48% are acquiring network access control (NAC) solutions.

Security professionals enjoy working from home

Not surprisingly, 81% of IT security professionals enjoy working from home. Once a COVID-19 vaccine is developed and the pandemic is over, 48% would like to continue working from home part-time while 33% would like to work from home full-time.

Large vendor ecosystems and low visibility increase third-party cyber risk

80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average organization had been breached in this way 2.7 times, according to a BlueVoyant survey.

The research also found organizations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses 1409 vendors.

The study was conducted by Opinion Matters and recorded the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1000 employees across a range of vertical sectors including business and professional services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy. It covered five countries: USA, UK, Mexico, Switzerland and Singapore.

Third-party cyber risk budgets and other key findings

  • 29% say they have no way of knowing if cyber risk emerges in a third-party vendor
  • 22.5% monitor their entire supply chain
  • 32% only re-assess and report their vendor’s cyber risk position either six-monthly or less frequently
  • The average headcount in internal and external cyber risk management teams is 12
  • 81% say that budgets for third-party cyber risk management are increasing, by an average figure of 40%

Commenting on the research findings, Jim Penrose, COO BlueVoyant, said: “That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern.

“The research clearly indicated the reasons behind this high breach frequency: only 23% are monitoring all suppliers, meaning 77% have limited visibility and almost one-third only re-assess their vendors’ cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”

Multiple pain points exist in third-party cyber risk programs as budgets rise

Further insight into the difficulties that are leading to breaches was revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs, in the past 12 months.

The most common problems were:

  • Managing the volume of alerts generated by the program
  • Working with suppliers to improve security performance, and
  • Prioritizing which risks are urgent and which are not.

However, overall responses were almost equally spread across thirteen different areas of concern. In response to these issues, budgets for third-party cyber risk programs are set to rise in the coming year. 81% of survey respondents said they expect to see budgets increase, by 40% on average.

Jim Penrose continues: “The fact that cyber risk management professionals are reporting difficulties across the board shows the complexity they face in trying to improve performance.

“It is encouraging that budget is being committed to tackling the problem, but with so many issues to solve many organizations will find it hard to know where to start. Certainly, the current approach is not working, so simply trying to do more of the same will not shift the dial on third-party cyber risk.”

Variation across industry sectors

Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk. The business services sector is suffering the highest rate of breaches, with 89% saying they have been breached via a weakness in a third-party in the past 12 months.

The average number of incidents experienced in the past 12 months was also highest in this sector, at 3.6. This is undoubtedly partly down to the fact that firms in the sector reported working with 2572 vendors, on average.

In contrast, only 57% of respondents from the manufacturing sector said they had suffered third-party cyber breaches in the past 12 months. The sector works with 1325 vendors on average, but had a much lower breach frequency, at 1.7.

Thirteen percent of respondents from the manufacturing sector also reported having no pain points in their third-party cyber risk management programs, a percentage more than twice as high as any other sector.

Commenting on the stark differences observed between sectors, Jim Penrose said: “This underlines that there is no one-size-fits-all solution to managing third-party cyber risk.

“Different industries have different needs and are at varying stages of maturity in their cyber risk management programs. This must be factored into attempts to improve performance so that investment is directed where it has the greatest impact.”

Mix of tools and tactics in play

The survey investigated the tools organizations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating.

Many organizations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 40%. However static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.

Jim Penrose concludes: “Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way.

“Visibility into such a large and heterogenous group of vendors is obscured due to lack of resources and a continuing reliance on manual, point-in-time processes, meaning real-time emerging cyber risk is invisible for much of the time.

“For organizations to make meaningful progress in managing third-party cyber risk and reduce the current concerning rate of breaches, they need to be pursuing greater visibility across their vendor ecosystem and achieving better context around alerts so they can be prioritized, triaged and quickly remediated with suppliers.”

Organizations with poor privacy practices 80% more likely to suffer data breach

There’s a predictive relationship between responsible privacy practices and security outcomes, according to Osano.

Companies with inadequate data privacy practices are 80 percent more likely to suffer a data breach than those with the highest-ranked privacy practices and will face fines seven times larger than companies with the best scores in the event of a data breach.

Privacy issues

  • Companies with the lowest privacy scores lost 600% more records than high-scoring companies.
  • The worst privacy actors are the least likely to be able to retrospectively identify the root cause of a breach.
  • Of the entities that get breached, governments have the worst scores.
  • Educational and government websites are 15x more likely to experience a breach than commercial sites.

“In the face of nonstop breaches and increased data security awareness, consumer and shareholder confidence in businesses is slowly eroding. Businesses that fail to protect sensitive data will face serious negative consequences, and the report proves just how these phenomena move hand-in-hand,” said Osano CEO, Arlo Gilbert.

“There is a perception that privacy issues are akin to a speeding ticket – a risk worth running. Companies that don’t change their perception are facing higher odds of experiencing a data breach and losing the trust they’ve built with their customers.”

Third parties responsible for most data breaches

The average company shares its data with 730 different vendors, and according to the Internal Auditors Research Foundation, third parties were responsible for two out of every three data breaches.

Many companies are lagging behind current data privacy requirements. By prioritizing best-in-class privacy practices, companies can reduce the risk of security incidents and demonstrate trustworthiness to customers.

Debunking myths related to client-side security and Magecart attacks

The client-side landscape has been overrun by third-party script attacks executed by malicious attackers utilizing formjacking or other methods made famous by the Magecart attack group.

Many companies assume their current security stack protects against these seemingly basic attacks, but in reality the attacks open a can of worms, and you may not even know you’ve been attacked. Read on for some of the common misconceptions about client-side protection and these dedicated threats, and to see whether your business is in fact safe.

Myth #1 – I don’t need to worry about client-side security unless I have a virtual shopping cart/eCommerce

While formjacking is heavily concentrated in online retail, there is a significant weakness in other pertinent verticals as only a few lines of code can interrupt any organization that collects personal information on a website.

Attackers also inject malicious JavaScript that runs almost seamlessly alongside the third-party vendor scripts a website uses to improve performance or experience. These are all potential vulnerabilities and, if not monitored, can prove costly.

Myth #2 – I have a firewall, WAF and a secure connection so I’m safe from these attacks

Firewall, WAF, secure connection and many other solutions are focused on securing internal servers and the communication between the browser and these internal servers. Formjacking and Magecart attacks are executed on the user’s browser and in many cases, load from a remote server. This client-side connection operates completely outside of the security capabilities an organization deploys to secure the server side of the browser session.

Myth #3 – RASP or DAST catches formjacking and Magecart-type attacks

Dynamic Application Security Testing (DAST) is usually active on a pre-production environment and does not cover live sites. The few who run DAST on a live site will simulate a few user profiles but cannot possibly scale this solution to monitor and detect all web sessions.

As third parties change their behavior from user to user, DAST is largely ineffective in detecting attacks on large production networks and completely ineffective at preventing these types of attacks. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.

RASP is Runtime Application Self-Protection; it exists only on the Java virtual machine and .NET Common Language Runtime. Since it will not run on the actual live site, third parties are outside of its detection scope. Again, RASP is not intended as a prevention solution. Detection methodologies do not help organizations fulfill compliance guidelines requiring customer data privacy.

Myth #4 – CSP and other page headers will stop Magecart attacks

CSP is often suggested as the solution for Magecart attacks. Although it can be part of the solution, we now know that many Magecart attacks are carried out from trusted domains. Take, for example, the 24/7 chat hack that captured payment card information from the websites of huge enterprises such as Delta Airlines, Sears, Kmart, and BestBuy. This tool was trusted by those firms and needs to be whitelisted by the CSP in order to work.

Other headers such as HSTS are sometimes also mentioned as a possible solution but all of us understand that by now attackers are sophisticated enough to use SSL (https) when loading their payload to avoid this header as well.

Myth #5 – Magecart hackers need to use a “drop server” to capture the data

In most of the known Magecart attacks, the payload is delivered by a trusted domain (for example, a third-party vendor) and the data it collects is sent to the hacker’s server, also called a “drop server”. In some of the attacks we are seeing, the hackers use domain names that look legitimate to avoid detection; for example, the drop server in the British Airways attack was under the domain “baways.com”.

But the more sophisticated hackers will avoid using a drop server altogether and create an account with one of the third parties the website uses in order to capture the information in an undetectable way.
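Myths #4 and #5 can be checked against your own policy by replaying observed requests (for example from a browser HAR capture) through it. The following is an added example, not code from the original article: a simplified CSP source matcher that separates requests the policy blocks from those it allows to third parties. The policy, site origin and request list are constructed, and the matcher ignores ports, paths, nonces and hashes.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later repeats are ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_matches(pattern, host):
    """'*.example.com' matches subdomains only; anything else must be equal."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(source, url, self_origin):
    """Simplified source-expression match (assumption: no ports, paths, nonces)."""
    u = urlsplit(url)
    if source == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u.hostname, u.port) == (s.scheme, s.hostname, s.port)
    if source.startswith("'"):
        return False  # 'none', nonces, hashes and other keywords never match a URL here
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):
        return u.scheme == source[:-1]  # scheme-source such as "https:"
    scheme, sep, rest = source.partition("://")
    if sep and u.scheme != scheme:
        return False
    host = (rest if sep else source).split("/")[0].split(":")[0].lower()
    return host_matches(host, (u.hostname or "").lower())


def allowed(policy, directive, url, self_origin):
    """Apply the directive, falling back to default-src when it is absent."""
    sources = policy[directive] if directive in policy else policy.get("default-src")
    if sources is None:
        return True  # no applicable directive means no restriction
    return any(source_allows(s, url, self_origin) for s in sources)


def triage(header, self_origin, observed):
    """Label each (directive, url) as first-party, allowed-third-party or blocked."""
    policy = parse_csp(header)
    self_host = urlsplit(self_origin).hostname
    results = []
    for directive, url in observed:
        if not allowed(policy, directive, url, self_origin):
            verdict = "blocked"
        elif urlsplit(url).hostname == self_host:
            verdict = "first-party"
        else:
            verdict = "allowed-third-party"
        results.append((url, verdict))
    return results


def residual_trust(header, self_origin, observed):
    """Third-party hosts the policy lets through: CSP cannot vouch for what they do."""
    return sorted({urlsplit(url).hostname
                   for url, verdict in triage(header, self_origin, observed)
                   if verdict == "allowed-third-party"})


# Constructed policy and requests; only baways.com comes from the article.
SELF = "https://shop.example"
CSP = ("default-src 'self'; "
       "script-src 'self' https://chat.vendor.example; "
       "connect-src 'self' https://chat.vendor.example https://www.google-analytics.com")
OBSERVED = [
    ("script-src", "https://shop.example/static/app.js"),
    ("script-src", "https://chat.vendor.example/widget.js"),
    ("connect-src", "https://www.google-analytics.com/collect"),
    ("connect-src", "https://baways.com/"),
]

if __name__ == "__main__":
    for url, verdict in triage(CSP, SELF, OBSERVED):
        print(f"{verdict:22} {url}")
```

Only the look-alike drop server is blocked. Everything loaded from or sent to an allowlisted vendor passes, so those hosts are the ones that need script integrity checks and runtime monitoring beyond CSP.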

Figure: Using Google Analytics to capture user credentials

Myth #6 – You can detect all Magecart attacks from the outside without implementing code to your website

Using a tool to scan the website from the outside in order to capture those attacks is a VERY low barrier that can be overcome by simply using one of the most common methods almost all third-party vendors use. By nature, third-party code is dynamic and can adjust to run only for specific users – for example, when you go to a website, you will see an advertisement that is related to your browsing history, and someone else will see completely different advertisements according to their history.

Hackers are using those same methods to avoid detection so the hack payload will be applied to real users and not shown to an outside scanner, sometimes limiting the hack to be sent only to a small percentage of the site visitors to avoid detection by humans. In order to detect Magecart, you need real-time all the time protection.

Myth #7 – If I am being attacked right now my team would definitely be aware of it

As proven by the Magecart attack that affected over 800 websites for 3 years, many dedicated attacks are very hard to detect. If you Google “undetected Magecart attacks” the search will return a number of recent threats that top Fortune 100 companies unfortunately experienced. While security teams are trained in responding to DDoS and bot attacks, these vectors are new and evolving, establishing additional operational costs in dedicated man-hours and, more than likely, a third-party solution alternative.

Myth #8 – Third-party risks are the top concern your company should be worried about

While third-party risks present the largest issues at hand, you can’t diminish fourth- and fifth-party risks that come as extensions of third parties.

Even the most security-driven websites, which audit and test the vulnerabilities of the third-party scripts they interact with (which is in itself rare and difficult to follow through), still remain exposed through the fourth- and fifth-party scripts these suppliers interact with. This makes the process of fully protecting websites and their users from attack scripts much more challenging.

Third-party compliance risk could become a bigger problem

Since the onset of COVID-19, more than half of legal and compliance leaders believe that cybersecurity and data breach is the most-increased third-party risk their organizations face, according to Gartner.

Which third-party compliance risk has increased (or could increase) the most at your organization as a result of COVID-19?

Third-party compliance risk

“Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices,” said Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice.

“Legal and compliance leaders are concerned about the new risks this highly disruptive environment has created for their organizations.”

Bribery and corruption, privacy, fraud, and ethical conduct were all noted as the most-increased third-party risks (10% of respondents for each) for a significant number of respondents.

“Legal and compliance leaders need to act now to mitigate third-party risk while still enabling their supply chain partners to flex to the current pressures on the system,” said Ms. Balasubramanian.

“This will likely mean managing the contractual risks and opportunities of current relationships, mitigating emerging issues, and streamlining due diligence for new third parties. Legal and compliance leaders will also be looking at other ways to reduce the compliance burden on third parties.”

Navigate the contractual relationship

Legal and compliance leaders are managing the contractual risks of disrupted supply chains by:

  • Working with procurement or supply chain leaders to identify which critical suppliers have manufacturing facilities, or a portion of the workforce, located in high risk areas.
  • Contacting high-risk, critical suppliers to understand their preparedness for COVID-19, and the likelihood that they will meet contractual obligations.
  • Anticipating ongoing financial or business disruption by conducting a review of existing contracts with high-risk suppliers to identify those with force majeure and other relevant clauses.

Mitigate amplified third-party risks

Several emerging practices from the survey respondents were identified:

  • Reviewing third-party compliance activities, including third-party work from home policies, as well as privacy and security training plans
  • Updating contracts to include clauses intended to mitigate cybersecurity & data privacy risks (e.g., clauses on VPN use, data use)
  • Reducing the compliance burden on suppliers by:
    • Entering into temporary “workaround agreements” by amending contracts to maintain services in a remote environment
    • Postponing supplier audits until later in the year
    • Modifying payment structures to those suppliers needing to boost cash flow

Streamline third-party due diligence

Emerging practices in this area include:

  • Talking to functional partners about working with new third parties if needed to alleviate supply chain issues.
  • Identifying critical, zero tolerance risks and revising due diligence processes to flag these.
  • Identifying and prioritizing critical third parties and helping them manage risk throughout the pandemic.
  • Conducting remote audits.
  • Decreasing the amount of information requested from potential suppliers about general risks.

“Legal and compliance leaders have had to pivot quickly to support their supply chain and other business partners as part of this rapidly shifting third-party risk landscape,” Ms. Balasubramanian said.

“The most progressive companies have approached this crisis as an opportunity to clarify and streamline compliance obligations, strengthen current relationships, and focus their risk management efforts on the most critical, urgent risks.”

Third-party risk is broken, businesses unprepared for supply chain disruptions

Many companies are not dedicating proper resources to assess third-party risks, and those that do still lack confidence in their programs, according to Prevalent.

As a result, there are real consequences including loss of revenue, loss of productivity, and loss of reputation – all of which can jeopardize resiliency and are amplified given today’s supply chain concerns related to COVID-19.

“Organizations are starting to ask the question about what happens to them if their supply chain partners go out of business. Sadly, most companies don’t have the risk visibility into their supply chains to answer that question,” stated Brenda Ferraro, VP of third-party risk at Prevalent.

“How can they expect to adequately manage their own risk without understanding the risks vendors and partners pose?”

Key findings from the report

  • Lack of confidence in the program inhibits results: 54% of organizations have some meaningful experience in conducting third-party risk assessments, yet only 10% are extremely confident in their programs.
  • Significant consequences: 76% of respondents said that they experienced one or more issues that impacted vendor performance – resulting in a loss of productivity (39%), monetary damages (28%) and a loss of reputation (25%).
  • Unsatisfactory number of assessments: 66% of respondents say they should be assessing more than three-fourths of their top tier vendors but aren’t doing so.
  • Costs, resources and lack of process are inhibitors to success: Lack of resources (74%), cost (39%) and insufficient processes (32%) are keeping respondents from assessing all their top-tier vendors.
  • No one seems happy with their existing toolset: Satisfaction levels among existing tools hover in the 50% range, and the weighted average of satisfaction caps out at 3.8/5.0. GRC tools have an especially long way to go with a 41% satisfaction rate.

Third-party risk management program

Growing and maturing an adaptable and agile third-party risk management program that is resilient in times of crisis doesn’t have to be a complex and time-consuming process. The report concludes with five recommendations to jump start vendor risk activities:

  • Develop a programmatic process
  • Build a cross-functional team that extends beyond risk and compliance
  • Be comprehensive without being complex
  • Maintain options for assessment collection and analysis for agility
  • Complement your decision-making with risk-based intelligence

How organizations can maintain a third-party risk management program from day one

In this podcast recorded at RSA Conference 2020, Sean Cronin, CEO of ProcessUnity, talks about the importance of third-party risk management and how companies can get started with a proven process that works.

Here’s a transcript of the podcast for your convenience.

We’re here with Sean Cronin, CEO of ProcessUnity. Can you tell me about the company and what kind of services and products do you offer?

First off, it’s great to meet you. Thanks for taking the time with us. At ProcessUnity we have a governance risk and compliance platform that’s a SaaS-based platform. Our flagship product is a vendor risk management product that really focuses on third-party risk and vendor management.

These days, certainly a lot of heavily regulated industries, financial services firms, healthcare firms, pharmaceutical firms, are starting to be concerned with who their vendors are, their suppliers, their third parties, and how their data is either exposed or how they’re using that data. We help them understand that relationship.

At this point we’re growing quite rapidly because it’s certainly a hot space. We were talking earlier, third-party risk is kind of becoming a first type of priority for a lot of organizations. And now we’re seeing organizations, that aren’t as heavily regulated, start to say: “It makes sense for us to understand who we’re doing business with”. And then as we expand that footprint, we also help folks in other risk pillars, things outside of third-party risks like policies and procedures, contract management. We’re doing more in tangential areas of third-party risk.

Tell our listeners why should companies be paying attention to third-party risk management?

Third parties certainly are having a lot to do with data breaches these days. You read any study, Deloitte, Ernst & Young, any of the unbiased studies out there, a number of the data breaches are actually coming from third parties and vendors, so that we recognize that you might have your four walls or your firewalls under control, but what you’re doing with other vendors and other folks in your supply chain, certainly puts your data at risk. We think that’s certainly important.

A lot of these heavily regulated industries are actually getting audited and examined to understand how they understand the ecosystem of third parties. But we’re also seeing it go down-market. Not just the heavily regulated industries, but other areas and other verticals are starting to really think about how they interact with third parties, what data they’re sharing, and also what kind of value they could get from those third parties.

Are they understanding the metrics, the measurements that they measure those vendors on? Are they getting what they paid for? Are they getting the level of performance they expect? And because of that, I think we can optimize a lot of those relationships and help them better understand that ecosystem in which they behave.

Well, it sounds like a really popular industry. So, how do you see ProcessUnity differentiating itself in the market?

First and foremost, we really took our time to hire subject matter experts in our industry. We’ve got lots of practitioners that have years and years and years of governance risk and compliance expertise. They’ve run third-party risk programs for some of the largest banks and financial institutions in the world. They’ve run risk programs at heavily regulated industries. Our people, first and foremost, is a huge differentiator.

Number two, our products. It’s incredibly configurable, incredibly easy to use. But that’s such a common thing that folks claim. I actually like to say it’s easy to administrate. Some of the platforms that, if you will, we compete with. You can do those things, but you need to pay IT developers or other developers or even the company that you purchase the system from, to configure it for you. From our perspective, we like to empower our clients to really run the programs and configure the applications on their own. And so, from that perspective, I like to say, ease of administration.

It’s also easy to use. First and foremost, not just for our clients, but for the vendors. So, think about it, if you’re an important vendor in a vertical like financial services, you’re getting a million of these questionnaires. Wouldn’t it be nice if when you came in, it was a simple to follow survey that you can click and add policies and procedures, and connect everything really simply and easily?

And that’s one of those things that I get proud about because every once in a while some of my large clients say “hey, I just got this email from a vendor” and they said “hey, we just filled out your questionnaire, and it was one of the easiest systems to use”. And I think from my perspective, that’s us being good stewards to our compadres out there who are vendors. We’re a vendor too. We’re helping eliminate vendor fatigue because it just makes it easier so that people want to go in, fill in their information, be more proactive with their end user, and actually provide the right information. That’s a point of pride for me, certainly, that vendors and other third parties kind of like filling out the information and find it very intuitive.

Given all that, what kind of advice would you give to a company who is looking to start a third-party risk management program?

First and foremost, whether it’s with our product or other products, think about why you’re doing it, right? Think about what you’re doing with your third-party risk program. What you want to accomplish. And a lot of people used to tell me from a governance, risk and compliance perspective: “I’d like to get through my examination. That’s not good enough. Tell me what you want to understand.” And some of my CISOs, CIOs, chief procurement officers say: “We’d like to have a geographical representation of our vendor population. Let’s look at what the geographical concentration looks like. Let’s look at the vendor inventory. Do we have overlap? Do we have too many vendors in one particular area or third parties in one particular area, where we could unify with the best practices?”

I just highlighted best practices. Go with somebody who understands the third-party risk challenges. Nowadays, a lot of folks, because it’s such a hot space, people are saying: “Oh, I do third-party risk!” But when you dig a little deeper, you find that they don’t have the depth of expertise. And so you want somebody that you want to partner with to really be able to bring best practices to bear on your organization. Because if you’re a very mature organization, we have a really powerful product and we can configure it to your exact use cases and we can make it work for you.

But what happens if you’re a little bit more immature in this vendor management and third-party risk area? Well, don’t worry. We’ve got a best practices product. It’s actually a kind of a turnkey solution, which will really already have preconfigured workflows, use cases, all of the user roles, all of the questionnaires set up for you. So, if you just want to get started and you want to have a more prescriptive best practices capability at your disposal, we can help with that as well.

If you’re just starting out in this area, I would say take a look around. It’s important. And then really look at the folks that you’re trying to work with and the depth in which they understand the vendor risk management and third-party risk management area. And if it makes sense, an out of the box program like we have is a really great start.

What’s most important about the out of the box product, and my product strategists and product managers always make me promise to say this – it’s prebuilt, but you can configure and make it better. So, you can mature it as your own program gets that level of maturity, that takes it to the next level.

Thank you for the insights Sean! Is there anything else you would like to share with the Help Net Security audience?

I think at the end of the day, I touched on it earlier, third-party risk is a first world priority, it’s a first type of risk priority. It’s no longer “nice to have”. The reality is, it’s never going to go out of style to understand who you’re doing business with and where your data, your customer data, if you’re in healthcare, your patient data is.

So, understanding that ecosystem, understanding how you interact with those third parties is really important. So, we just stress that. Think about it, whether you’re in a heavily regulated industry or a different vertical, it’s really important to think about what that ecosystem looks like.

I would just like for you to finish by inviting listeners to come to your website for information about your products and solutions. Just give the URL and invite them to come to the website.

Certainly we appreciate your time and welcome everyone to come visit our website – www.processunity.com. We have lots of information, materials to help you understand the space. It’s educational as well as it certainly has lots of information about all our product offerings and certainly a lot of our use cases from our clients and other areas.

Hackers using hidden mobile apps and unique distribution methods to target consumers

Hackers are using hidden mobile apps, third-party login and counterfeit gaming videos to target consumers, according to McAfee.

Worldwide detections of LeifAccess, 2019

Last year, hackers targeted consumers with a wide variety of methods, from backdoors to mining cryptocurrencies. Hackers have expanded the ways of hiding their attacks, making them increasingly difficult to identify and remove, which makes it seem like 2020 will be the year of mobile sneak attacks.

Hidden apps: The most active mobile threat

Hidden apps are the most active mobile threat facing consumers, generating nearly 50% of all malicious activities in 2019, a 30% increase from 2018. Hackers continue to target consumers through the channels they spend the most time on: their devices. The average person globally is expected to own 15 connected devices by 2030.

Hidden apps take advantage of unsuspecting consumers in multiple ways, including taking advantage of consumers using third-party login services or serving unwanted ads.

“Consumers are connected more than ever, and as we look at the current security landscape, as well as future risks, we want to make sure we are doing everything to help consumers protect what matters more to them: their personal data, as well as their family and friends,” said Terry Hicks, Executive Vice President, Consumer Business Group at McAfee.

“Mobile threats are playing a game of hide and steal, and we will continue to empower consumers to safeguard their most valued assets and data.”

Hackers use gaming popularity to spoof consumers

Hackers are taking advantage of the popularity of gaming by distributing their malicious apps via links in popular gamer chat apps and cheat videos by creating their own content containing links to fake apps. These apps masquerade as genuine with icons that closely mimic those of the real apps but serve unwanted ads and collect user data.

Researchers uncovered that popular apps like FaceApp, Spotify, and Call of Duty all have fake versions trying to prey on unsuspecting consumers, especially younger users.

New mobile malware uses third-party sign-on to cheat app ranking systems

Researchers have uncovered new information on mobile malware dubbed LeifAccess, also known as Shopper. This malware takes advantage of the accessibility features in Android to create accounts, download apps, and post reviews using names and emails configured on the victim’s device.

Researchers observed apps based on LeifAccess being distributed via social media, gaming platforms, malvertising, and gamer chat apps. Fake warnings are used to get the user to activate accessibility services, enabling the full range of the malware’s capabilities.

Unique approach to steal sensitive data through legitimate transit app

A series of South Korean transit apps was compromised with a fake library and plugin, called MalBus, that could exfiltrate confidential files. The attack was hidden in a legitimate South Korean transit app by hacking the original developer’s Google Play account.

The series provides a range of information for each region of South Korea, such as bus stop locations, route maps, and schedule times for more than 5 years. MalBus represents a different attack method as hackers went after the account of a legitimate developer of a popular app with a solid reputation.

“There exists a growing trend for many apps to remain hidden, stealing precious resources and important data from the device that acts as the remote control to consumers’ digital world,” said Raj Samani, McAfee Fellow and Chief Scientist.

“Now, more than ever, it is critical consumers make themselves aware of modern threats and the steps they can take to defend themselves against them, such as staying on legitimate app stores and reading reviews carefully.”

CISOs: Make 2020 the year you focus on third-party cyber risk

While cybersecurity professionals are certainly aware of the growing threat posed by sharing data with third parties, many seem to lack the urgency required to address this challenge.

If there is one work-related New Year’s resolution I’d like CISOs to make as we enter 2020, it’s to give the challenge of third-party cyber risk the attention it needs. In fact, I no longer see this as optional or as an extension of an enterprise risk and cybersecurity strategy, because third-party data breaches will dominate the threat landscape in 2020.

Data breaches and third-party cyber risk

This is not a new challenge. Headlines over the last few years are filled with major breaches caused by hackers accessing companies’ data through their third-party vendors.

Six years ago, attackers breached Target by using login credentials stolen from a company that provided HVAC services to the retailer. That breach should have been a wakeup call for enterprises and cybersecurity vendors to address the challenge of third-party cyber risk, but years later these types of incidents are becoming even more frequent.

In the last year, for example, an unauthorized user gained access to data on 11 million Quest Diagnostics patients through the company’s partner debt-collection agency. Another bad actor accessed data on millions of Capital One credit card applicants through a misconfigured Amazon cloud container.

Estimates indicate that around 60 percent of data breaches are linked to third parties, and we can expect that percentage to increase as more companies embrace digital platforms and new operating models that require sharing of data with partners and service providers.

Enterprise boundaries will continue to blur in 2020 with more organizations investing in cloud computing, using file sharing platforms such as Dropbox, Google Drive or OneDrive, and connecting more devices on the edge of their networks.

If CISOs continue to focus cybersecurity tools and resources within the company perimeter, they are fighting the wrong battle in an increasingly multi-front cybersecurity war.

Elevating third-party cyber risk to a C-suite and board imperative

One of the most important things CISOs can do to put the appropriate focus on third-party cyber risk is to make it a corporate reputation issue requiring support and oversight from C-suite and board executives.

Along with the opportunities for greater innovation, productivity, operational efficiency and customer engagement, digital transformation has created new vulnerabilities across the enterprise – and beyond its borders – that could impact corporate reputation if exploited.

With the average enterprise engaging with several hundred partners and other third parties, it’s not a question of “if” the data will be exposed, but of “when” and how much corporate reputation will suffer as a result of loss of trust.

CISOs must get better at educating business leaders about these unintended consequences of digital transformation. The reality, however, is that 63 percent of CISOs don’t regularly report to their boards, according to a recent Ponemon Institute study. Worse, a stunning 40 percent of CISOs said they never report to their boards at all. This lack of connection and accountability at the C-suite and board level is a major problem.

What CISOs should do

CISOs in 2020 must become stronger advocates for shifting from reactive to proactive cybersecurity postures. They must advocate for creating more resilient and cyber-aware cultures where cybersecurity is seen as everyone’s responsibility.

CISOs should also start to align their investments in cybersecurity with the new reality that threats are more likely to materialize through third parties.

That means not only assessing third parties for potential vulnerabilities, but using new approaches and tools coming to market that can identify actual data that a third party inadvertently exposed, and that can enable immediate remediation.

Are you optimistic?

I am optimistic about the cybersecurity industry’s ability to rise to this challenge, provide those tools and help CISOs shift and elevate their organization’s cyber posture when it comes to third-party and other emerging risks. It’s why I left the FBI to join the industry after 20 years working in the bureau’s cyber, counterintelligence and counterterrorism branches.

I’ve seen firsthand how damaging third-party data leaks can be for businesses and other institutions, and I’ve seen the struggles CISOs undertake to just keep up.

With the right resolve and the right support from the cybersecurity industry, CISOs can take charge of this challenge in 2020, commit to shifting their focus toward third-party cyber risk, and engage C-suite and board executives about the strategic importance of doing so.

Do third-party users follow security best practices and policies?

Many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks, One Identity reveals.

Most organizations grant third-party users access to their network

Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors …

The post Do third-party users follow security best practices and policies? appeared first on Help Net Security.