We see a similar trend for Patch management -- BitSight measures an organization’s “patching cadence” by looking at the presence and duration of vulnerabilities observed on a company’s infrastructure. Poor performance on the patch management front is highly correlated with ransomware risk.
Organizations with a Patching Cadence grade of D or F were more than 7 times more likely to experience a ransomware event compared to those with an A grade. Again, these are logical findings that make sense intuitively, but they also reinforce the fact that improving there’s work to be done by companies and third party risk teams to help avoid exposure to ransomware attacks.
How do I apply this to my third party or vendor risk program?
There’s no denying that third party and vendor risk teams face a challenge of scale. It’s hard to scale with the pace of the business, the number of vendors, the rate of cyber risk change across the third party ecosystem. And it’s often difficult to take the good advice you have for one organization (where you have some amount of control) and apply it to tens or hundreds or even thousands of vendors where you are operating at an arm’s length.
So what can we do to have an impact? What can we do to mitigate the risk of ransomware across third parties? Here are a few places we can start:
- Integrate cyber risk insight into your process: In other words, incorporate leading indicators of ransomware into your vendor risk management workflows. By embedding the leading indicators of ransomware into your vendor risk management process, you can streamline and scale visibility in a way that helps you quickly identify risk of ransomware across new and existing vendors, helping your security teams make decisions quickly and confidently.
- Prioritize efforts where the risk is the greatest: Alongside a framework for prioritizing your third parties based on the inherent risk to your business, you can leverage security ratings data to understand where the gaps are the greatest. Which of your Tier 1 critical vendors have poor security performance? Which ones have a history of less-than-stellar patch and vulnerability management? A prioritized view that matches business risk with cyber security performance can help your team focus on the highest leverage activities to mitigate third party risk to your business.
- Work with your vendors: Collaborating with your third parties to create mutual accountability can translate into mutually assured resilience against risks like ransomware. Setting clear expectations for your vendors’ security performance can position you to manage to those expectations over time, and working with your vendors to reach strong outcomes together (through objective, evidence based collaboration) can ensure your relationship is productive instead of adversarial.
The pace of change in third party cyber risk over the last two years has been dizzying, and the stakes are perhaps higher than they’ve ever been. While the problem space here is complicated, the signs are fairly clear: a strong, consistent security program and an effective patch management discipline are critical to mitigating risk against ransomware attacks -- and applying that guidance to your third parties at scale requires cyber risk intelligence embedded in your program, an effective framework for prioritizing effort against risk, and a collaborative approach that drives mutual resilience.