Almost a year later, the story hasn’t gone away. Last month, a U.S. magistrate judge ruled that Capital One must provide forensic details about the hack to attorneys representing a group of customers suing the bank.
As fallout from the breach continues, here are key lessons security and business leaders can learn to protect their organizations from a similar fate.
Implement a robust third-party risk management program
The court decision in the Capital One case sets a new precedent that could require organizations to disclose incident response reports detailing the circumstances around a breach. This requirement could expose companies to greater public scrutiny of their security programs, and open them up to financial and reputational damage.
A key takeaway from the ruling is that the onus is very much on security teams to demonstrate an unparalleled standard of care as they conduct business with vendors. To do this, they must provide evidence that they have a robust third-party risk management program in place — one that continuously monitors for cyber risk within their supply chain.
With such a program, security teams can identify potential vulnerabilities within their third-party networks, and accelerate vendor onboarding processes without sacrificing their security postures. They can also work alongside their vendors to help them understand where risk exists in easily understood terms so that informed decisions can be made about where to prioritize remediation efforts — before those vulnerabilities are exploited.
Reduce liability by understanding the shared responsibility model
The Capital One breach allegedly occurred when a former Amazon Web Services (AWS) employee exploited a misconfigured web application firewall to gain unauthorized access to a cloud-based server.
This had significant liability ramifications for Capital One. Under the AWS shared responsibility model, the provider secures the underlying cloud infrastructure while the customer is responsible for securely configuring what it deploys on top of it. Capital One was therefore responsible for the security configuration of that server and was held accountable for the breach.
To be fair, much confusion still exists surrounding the shared responsibility model. When surveyed, only 10% of CISOs reported that they fully understood the model, while 82% said they had experienced security events caused by confusion about it.
In order to mitigate cyber risk effectively, organizations must understand the shared responsibility model for every cloud vendor they work with — and ensure each cloud instance is configured securely.
Visualize and assess risk across the attack surface
As an organization’s digital ecosystem expands, so does its attack surface. This makes it increasingly difficult for security teams to understand where all their digital assets live — and any inherent risk present there.
BitSight Attack Surface Analytics addresses this challenge by providing organizations with continuous, broad visibility into their expanding digital ecosystems — on-premises, in the cloud, and across remote office environments.
This context empowers teams to shine a light on unknown vulnerabilities, infections, and misconfigurations that could lead to a breach or other security incident. With this insight, they can quickly assess the inherent risk of cloud-hosted assets — and bring them into line with corporate security policies.
Get one step ahead of accountability
As pressure mounts for organizations to be more transparent about their security practices (and potential failings), it’s critical that security teams find ways to continuously monitor their third parties so that they can gain visibility into key areas of cyber risk within their networks. Furthermore, as the digital ecosystem expands into the cloud, organizations need a strategy to discover risk across this increasingly complex attack surface. After all, they can’t secure what they can’t see.
Only then can companies demonstrate to customers that they take proactive measures to achieve a standard of care in their security performance management and third-party risk management programs.