The Perfect Cyber Storm is Brewing. Are You Prepared?

Brian Thomas | June 1, 2019

Data breaches are never far from the news. Some recent headlines have even suggested that they’ve become the “new normal.” And while we haven’t seen a wide-scale attack since WannaCry was unleashed two years ago, a recent turn of events suggests that the perfect cyber storm may be brewing.

A few weeks ago, away from the attention-grabbing headlines about big breaches and data compromise, an unusually high number of technology giants experienced what some have called “a cyber week from hell.” Multiple severe and exploitable flaws were discovered in the hardware and software systems of Adobe, Cisco, Facebook, Microsoft, Intel, and WhatsApp.

The sheer scale of this cyber storm has massive cyber risk management ramifications for any organization. Today’s vulnerabilities and unpatched systems can be tomorrow’s – or even this afternoon’s – next malware target. And when the systems that underpin the world’s business networking and IT infrastructures are at risk, threat actors take notice.

By now, several of the flaws are being exploited. Furthermore, at the time of writing, fixes for many of the vulnerabilities that have been uncovered are still not available. When these patches do come, they’ll likely arrive in a deluge. It’s a CISO’s nightmare. Overwhelmed security teams must rush to apply these patches while maintaining system uptime and ensuring continuity of business operations.

What about the risk beyond your four walls?

But internal patching is not the only concern. CISOs are also responsible for ensuring that strong security policies, procedures, and postures extend beyond the four walls of their businesses and across their supply chains – and with good reason. A recent study showed that 70% of organizations rely heavily on third-party vendors and 59% of breaches originate with those third parties.

In light of recent events, it’s imperative that companies ensure that their vendors are aware of the potential risks and are taking steps to mitigate their exposure. Traditionally, this process would involve a third-party security risk audit often taking the form of a vendor check-in to assess what’s changed and identify areas of risk.

Unfortunately, instituting and managing a third-party audit can be a cumbersome and problematic process. To comply with an audit, each vendor must complete a lengthy questionnaire that gets into the nuts and bolts of their security policies, vulnerabilities, patching history, certifications, and more.

Then, there is the problem of timing. An audit won’t tell you what’s going on during the days when you aren’t performing an assessment – it simply shines a spotlight on a moment in time. Plus, how can you be sure that your vendor has completed the form accurately?

A turning point in cyber risk management

The cyber week from hell indicates that we’ve arrived at a turning point. The threat landscape is evolving at a rapid pace and there aren’t enough hours in the day to conduct lengthy audits across your supply chain, sift through binders of questionnaires, and try to glean insight into your vendor’s ecosystem. With so many flaws and vulnerabilities exposed, organizations need a more agile and automated way to bolster security, adapt to threats, and monitor the security performance of their vendors.

A comprehensive third-party risk management program can help you gain visibility into the quantitative risk posed by third-party vendors, so you can make risk decisions much faster. It can expose cyber risk within your supply chain, share insights, focus your resources on the vendors with the highest risk levels so you can advise them on how to improve their security postures, and continuously assess and measure security ratings in real time.

Communicate your commitment to security excellence

This level of agility extends beyond third-party risk management. CISOs, chief risk officers, and the corporate board are all held accountable for the performance of their cybersecurity programs. Yet most organizations don’t have a way to continuously assess and communicate the ongoing state of their own cybersecurity. When you implement a security performance management program, you can find out how secure your organization really is, compare your security posture to industry averages, allocate resources effectively, and start having data-driven conversations about cybersecurity with key stakeholders.

Are you ready for the “new normal”?

As cybersecurity enters a possible “new normal,” the onus is on the executive team to be prepared to weather the storm(s). The best way to do this is to shine a light on your vendors’ security blind spots while assessing your own vulnerabilities and measuring the performance of your own cybersecurity program, so that you avoid your own week from hell.
