Blog written by Marc Saltzman, Technology Journalist & Podcast Host of Tech It Out
As we start a new calendar year—nearly 24 months since the global pandemic started—ransomware continues to be one of the most significant threats to organizations worldwide.
Not only has the frequency of ransomware attacks nearly doubled (93 percent) during 2021 compared to the year prior, according to a cybersecurity report published by Check Point, but the dollar amount that cybercriminals are extorting is also on the rise.
Daily headlines confirm the massive disruptions caused by cyberattacks have affected government agencies, companies big and small, and even supply chains for essential goods such as gasoline, meat and medical supplies.
There are several reasons for this trend, suggests Bitsight’s CTO and co-founder Stephen Boyer, and together they produce a “perfect storm” of cyber attacks.
Why ransomware is bigger than ever
“First, let’s acknowledge that ransomware has been a threat for a long time. Five years ago we published an article titled The Rising Face of Cybercrime: Ransomware to draw attention to the problem, and we continue to see this type of threat increase,” starts Boyer.
“But the accelerant is the ability to monetize ransomware through cryptocurrencies such as Bitcoin, which has made the task much easier for cyber criminals as ransom payments are harder to track. This coupled with rushed digital adoption and transformation of organizations, results in a larger attack surface,” continues Boyer.
In addition, employees are becoming more distributed geographically, adds Boyer, with more remote home-based work setups, where security controls are not as strong as within the organization. This new mode of remote and hybrid work invites more targeted attacks.
Cyber insurance has become a “security plan” for businesses. If an organization has cyber insurance, then the organization is covered against losses stemming from cyber attacks. The ransom can be paid, order and assets/information restored, and all can continue, right? “Oftentimes, cyber insurance makes matters worse because attackers now know that you have the means to payout the ransom and will target you because of that, this cycle then finances the next wave of ransomware.”
So, this begs the obvious question: What can be done to prevent ransomware attacks on an organization in the first place? This is an even more pertinent discussion for enterprise companies that face risk through their third-party vendors and supply chain networks.
Acknowledging and managing third-party risk
“Third-party supply chain is where things get complicated,” continues Boyer. “Many of these organizations are pretty sophisticated and keep their digital systems up to date by investing in high level security, but what they just can’t control as much is the cyber hygiene of the third party ecosystem.”
“Bitsight data notifies you about areas of vulnerability, indications of a lack of security controls and continuous performance issues with these third parties, so you can get ahead of potential risks,” says Boyer.
Focusing on third-party risk predictions, Bitsight’s security ratings platform quantifies its findings with an objective, data-driven numerical rating, ranging from 250 to 900 (much like a consumer credit rating). The lower a company’s Bitsight security rating, the more insecure their digital assets are and the more likely they are to suffer a ransomware attack. Findings have shown organizations with a low rating (say, between 300 and 500) are almost 8 times as likely to experience ransomware activity as a company with a rating of 750 or above.
Driving risk reduction with Bitsight and integrator partners
Bitsight Assessment Accelerator (BAA) is a product that empowers organizations with a trusted third-party cyber risk assessment snapshot on demand, via API integration into tools such as ServiceNow, ProcessUnity, ThirdPartyTrust and Venminder. Bitsight Assessment Accelerator provides a company’s Bitsight Security Rating, Rating Categories, Risk Vectors, and performance against standard risk assessment questionnaires such as the NIST CSF or the SIG.
“With the growth of digital supply chains that all companies are building, ransomware attacks targeting third parties are becoming a bigger issue and causing massive business disruption across all industries,” says Anders Norremo, CEO of ThirdPartyTrust. “We’ve been proud to work with Bitsight on bringing the latest research on ransomware and third party risk to companies who can benefit from our findings.”
Integrated into an organization’s third-party risk management (TPRM) platform, the goal of Bitsight Assessment Accelerator is to provide a reliable cyber security risk picture during onboarding and reassessment. This data allows risk managers to enable their businesses by tiering third parties based on risk, optimizing the level of risk assessment required, improving validation of questionnaire-based responses (and flagging discrepancies and problem areas), and leveraging up-to-date data on their vendors to make informed decisions about risk.
Aaron Kirkpatrick, Chief Information Security Officer at Venminder, mirrors Norremo’s assessment: “Risks posed by ransomware attacks on your third parties are high [as] vendors are a more enticing target for cyber criminals. This is because vendors store information from multiple organizations and often are not assessed, audited or held to the same level of cyber hygiene as their clients, especially in regulated environments.”
Kirkpatrick says organizations need to ensure they’re doing their initial “due diligence” and continuous monitoring of vendors appropriate to the level of risk that the vendor poses; Venminder assesses what security controls the vendor says they have in place, while Bitsight assesses how they have implemented those controls on their externally-facing infrastructure.
“Even with effective third-party risk management activities, vendors may not inform their clients of an attack either due to not knowing themselves yet, or from fear of reputational damage and legal action against them,” advises Kirkpatrick. “This has caused some ransomware attackers to blackmail the individuals or organizations whose data they’ve collected from the vendor directly.”
“In many cases there are signs a third-party is vulnerable to an attack, and so it’s important to utilize automation as much as possible to generate issues and raise risks immediately for a timely and appropriate response,” says Vasant Balasubramanian, VP and GM of Risk at ServiceNow. “Bitsight alerts provide the early warning signs and trigger actions in ServiceNow Vendor Risk Management, helping organizations better manage risk.”
“And through our integration with Bitsight we are able to provide an objective assessment of cyber security risk to aid our customers in initial third-party tiering, risk analysis, and continuous monitoring,” adds Balasubramanian.
Grading an organization’s ‘patching cadence’
By studying thousands of varying ransomware incidents, Stephen Boyer says you begin to see a pattern emerge: organizations that don’t keep their systems up to date, meaning they're not applying the latest patches in a reasonable timeframe, are 7 times more likely to have a ransomware incident than an organization that is keeping its systems up to date.
“This is where Bitsight comes in, as we are looking at and tracking this performance over time and across your entire third-party ecosystem. Although we don’t see everything, what we can do is give you indications of where there might be gaps in your security controls, which increase the likelihood of something negative happening that impacts you,” says Boyer.
In other words, Bitsight measures an organization’s “patching cadence” by looking at the presence and duration of vulnerabilities observed on a company’s external-facing digital infrastructure. Not surprisingly, poor performance on patch management is highly correlated with ransomware risk.
Todd Boehler, Senior Vice President of Strategy at ProcessUnity, agrees ransomware attacks on your third parties can become attacks on you, “making it mission-critical that you gain visibility into third party risks.”
“You must understand your vendor’s cybersecurity practices, policies and controls, validate that these standards are upheld throughout the relationship, assign owners to establish cybersecurity accountability throughout the supply chain and raise issues as needed, ahead of security incidents,” says Boehler. “Periodic assessments and ongoing monitoring ensure potential risk is identified and mitigated throughout the relationship.”
While there are modules to gauge third-party risk, including onboarding questionnaires, Boyer says Bitsight provides an empirical view from a cybersecurity performance standpoint on risks worth flagging, so all of that data and cybersecurity analytics is embedded within integrated workflows for customers.
“So, essentially, you are accelerating your ability to work with a new vendor in a risk free manner, so you can better make that decision to onboard a third-party with real data–as opposed to self-attestation through cyber risk assessment questionnaires, which tends to be more aspirational than empirical,” adds Boyer.
Stay Ahead of Ransomware
To fight back against the growing threat of ransomware, Bitsight suggests three steps: incorporate leading indicators of ransomware into your vendor risk management workflows via integrators; take a prioritized view so your team can focus on mitigating the highest cyber risks; and work with your vendors to create mutual accountability, which can translate into more holistic resilience against risks such as ransomware.