The landscape keeps shifting and we have to be looking ahead to new risks developing. If your organization ends up in the headlines, Senior Leadership will be asking… So here’s how to train your foresight.
This is a new chapter in our “007 Life Lessons through the Verizon Breach Report” series, which combines lessons from the gadget wielding international crime-fighter, James Bond with data from the Verizon Data Breach Investigation Report to secure our enterprises. Today is the turn of lesson 5: Foresight & thinking ahead.
These lessons come from a presentation by our CEO Anders Norremo and Jason Torres from Rush University Medical Centerlast year at the 7th Annual Hacking Conference by ISACA and The Institute of Internal Auditors.
Automation: The Key to stay one-step ahead of your threats
Merriam Webster defines foresight as the act or power of foreseeing, which is in turn defined as:
to see (something, such as a development) beforehand
As businesses scale and become global, both IT staff and decision-makers are struggling to catch up on an increasing backlog of work. Budget and workload are often the major roadblock impeding foresight, as there’s no time to look at the bigger picture.
Third-party risk management (TPRM) is a field where pre-assessing risk and analyzing potential outcomes is especially important. Every third-party relationship (including vendors, suppliers and providers) needs to be secured and properly evaluated before fully entering the data ecosystem of your organization. They will likely have access to sensitive data about technology, finances, inventory, shipping, licensing, media & advertising, recruiting, payroll, sales partners & distributors, among many other things.
Failure to mitigate third-party risks may expose your organization to vendor data breaches, financial and reputational damage that could cost millions of dollars (and too much time) to amend. The problem is many organizations find third-party risk assessments and due diligence too time consuming.
The biggest pain point is usually the email back & forth asking hundreds of questions to vendors, using spreadsheets with no control over changes and updates. On the other hand, vendors are inundated with security requests from their customers, and find themselves answering the same questionnaires over and over again.
Automation may be a solution as a means to reduce time-consuming tasks that are not high priority. This will give your team more time to spend analyzing data trends and looking ahead to what is coming, instead of collecting vendor responses.
The proliferation of SaaS
2020 saw a common pattern: instead of installing an application in their own datacenter that might have limited access due to COVID, companies are opting for SaaS solutions. In fact, Gartner is predicting and tracking a 20% increase in SaaS spend.
This shift to remote work and web services expands the attack surface and potential risks for the network. Therefore, we need to think of SaaS applications as extensions of our own network.
Again, automation plays an important role. Many of the cloud migration tasks can be automated, such as manual configuration. This reduces migration time from days to minutes and gives time back to focus on protecting the network.
It also allows organizations to predict cyber threats and implement responses more quickly. For example, continuous monitoring of cybersecurity ratings can make a huge difference for a faster detection and response time.
What the numbers are saying
Tying this back to the Verizon Data Breach Investigation report, the number one breach vector is due to cyber attacks, and the number one vector inside cyber attacks is a web application.
Knowing this trend, how can your company adapt?
The first step is to understand that third-party risk management is more important than ever. The proliferation of web applications makes the attack surface grow and increases the probability of a data breach – either at your systems, or at those of your vendors and partners.
Here’s our best piece of advice: Make sure you are thoroughly assessing and vetting these SaaS applications. It’s your data that’s leaving your immediate network and now entering your “extended” network.
How? By scaling your third-party risk assessment and mitigation process, which enables to evaluate and manage hundreds of vendors with the same amount of resources.
That way you can always be one step ahead of your formidable foes, like James Bond.
To learn more about how ThirdPartyTrust can help you manage third-party risk across your organization, request your free trial now: