On a Friday morning in October 2016, millions of people across North America attempted to visit popular websites including Spotify, Reddit, and the New York Times, only to find that they were inaccessible.
A number of services experienced hours of downtime that day, and it was all because of a cyber attack on a single DNS provider called Dyn. A series of DDoS attacks prevented Dyn from getting completely back online until later that evening.
In other words, a single point of failure caused hours-long operational interruptions for many of America’s most popular web services. The costs of these interruptions vary from business to business, but estimates indicate system outages like these end up resulting in $20,000-$100,000 in losses per business per hour.
Analysts like to write about the “interconnectedness” of modern business, but the Dyn cyber attack demonstrates an important fact they often omit: many businesses are connected to the same few cloud service providers.
These mutual connections — companies like web hosting platforms, DNS providers, and cloud-based productivity apps — are weak points in the larger business landscape. Because of their popularity, a well-aimed cyber attack, like the one at Dyn, can wreak havoc on the bottom lines of businesses of all kinds.
When it comes to preventing downtime, it’s not just direct business relationships that organizations have to worry about. Outages at fourth-party connections (your vendors’ vendors) could also have ripple effects that end up knocking your services offline.
For example, your organization might not rely on a particular cloud hosting platform, but it’s very possible that your IT ticketing system, your collaboration apps, or your password manager do. If these services go down, your business can’t operate as normal.
Making a Map
To solve this problem, CIOs, CISOs, and other risk and security professionals need a complete map of their vendor connections. Unfortunately, creating a map like this is easier said than done. Large enterprises could rely on hundreds of IT vendors, and each one of these vendors could have hundreds of connections as well.
By the time a vendor risk management team maps and analyzes all of these thousands of connections, the data they used to assess the relationships between them won’t necessarily be accurate. With cyber risk changing on a moment-by-moment basis, the gaps between assessments could present opportunities for cyber criminals to strike.
Luckily, there are services available that create these maps automatically and update them continuously. One such service is Bitsight Discover.
Charting a Course
Once risk management teams are armed with a complete, up-to-date assessment of vendor connections, they can take a variety of steps to protect themselves from unexpected downtime (and all of the costs that come with it).
For example, risk professionals can assess their operational risk by determining how many critical vendors in their network rely on the same service providers. For instance, if 80% of your network relies on Google Apps for Business, then you can quickly understand the risk associated with potential failure of that service.
Equipped with this knowledge, risk professionals can also start conversations with executives and the Board about developing backup and contingency plans. In other words, you can see exactly which of your services would be affected in the event of a major outage, and have risk-informed conversations with your business partners about putting alternative options into place. That way, if a major cyber attack does take down a particular service that you or a third party rely on, you can maintain operations instead of being forced to shut down for hours or days.
With cyber attacks on the rise and businesses becoming more and more connected, the frequency of major outages is likely to increase. By establishing vendor risk programs and equipping teams with the tools they need to analyze vendor connections, like a vendor due diligence checklist, organizations can protect themselves from the next historic outage.