The Perfect Cyber Storm is Brewing. Are You Prepared?

Brian Thomas | June 1, 2019 | tag: Cybersecurity

Data breaches are never far from the news. Some recent headlines have even suggested that they’ve become the “new normal.” And while we haven’t seen a wide-scale attack since WannaCry was unleashed two years ago, a recent turn of events suggests that the perfect cyber storm may be brewing.

A few weeks ago, away from the attention-grabbing headlines about big breaches and data compromise, an unusually high number of technology giants experienced what some have called “a cyber week from hell.” Multiple severe and exploitable flaws were discovered in the hardware and software systems of Adobe, Cisco, Facebook, Microsoft, Intel, and WhatsApp.

The sheer scale of this cyber storm has massive cyber risk management ramifications for any organization. Today’s vulnerabilities and unpatched systems can be tomorrow’s – or even this afternoon’s – next malware target. And when the systems that underpin the world’s business networking and IT infrastructures are at risk, threat actors take notice.

By now, several of the flaws are being exploited. Furthermore, at the time of writing, fixes for many of the vulnerabilities that have been uncovered are still not available. When these patches do come, they’ll likely arrive in a deluge. It’s a CISO’s nightmare. Overwhelmed security teams must rush to apply these patches while maintaining system uptime and ensuring continuity of business operations.

What about the risk beyond your four walls?

But internal patching is not the only concern. CISOs are also responsible for ensuring that strong security policies, procedures, and postures extend beyond the four walls of their businesses and across their digital supply chains – and with good reason. A recent study showed that 70% of organizations rely heavily on third-party vendors and 59% of breaches originate with those third parties.

In light of recent events, it’s imperative that companies ensure that their vendors are aware of the potential risks and are taking steps to mitigate their exposure. Traditionally, this process would involve a third-party security risk audit often taking the form of a vendor check-in to assess what’s changed and identify areas of risk.

Unfortunately, instituting and managing a third-party audit can be a cumbersome and problematic process. To comply with an audit, each vendor must complete a lengthy questionnaire that gets into the nuts and bolts of their security policies, vulnerabilities, patching history, certifications, and more.

Then, there is the problem of timing. An audit won’t tell you what’s going on during the days when you aren’t performing an assessment – it simply shines a spotlight on a moment in time. Plus, how can you be sure that your vendor has completed the form accurately?

A turning point in cyber risk management

The cyber week from hell indicates that we’ve arrived at a turning point. The threat landscape is evolving at a rapid pace and there aren’t enough hours in the day to conduct lengthy audits across your supply chain, sift through binders of questionnaires, and try to glean insight into your vendor’s ecosystem. With so many flaws and vulnerabilities exposed, organizations need a more agile and automated way to bolster security, adapt to threats, and monitor the security performance of their vendors.

A comprehensive third-party risk management program can help you gain visibility into the quantitative risk posed by third-party vendors so you can make risk decisions much faster. It can help expose cyber risk within your supply chain, share insights, focus your resources on the vendors with the highest risk levels so you can advise them on how to improve their security postures, and continuously assess and measure security ratings in real time.

Communicate your commitment to security excellence

This level of agility extends beyond third-party risk management. CISOs, chief risk officers, and the corporate board are all held accountable for the performance of their cybersecurity programs. Yet, most organizations don’t have a way to continuously assess and communicate the ongoing state of their own organization’s cybersecurity. When you implement a security performance management program, you can find out how secure your organization really is, compare your security posture to industry averages, allocate resources effectively, and start having data-driven conversations about cybersecurity with key stakeholders.

Are you ready for the “new normal”?

As cybersecurity enters a possible “new normal,” the onus is on the executive team to be prepared to weather the storm(s). The best way to do this is to shine a light on your vendor’s security blind spots while assessing your own vulnerabilities and measuring the performance of your own cybersecurity program to avoid your own week from hell.
