2020 was a challenging year which stretched many organizations financially and operationally. This forced many to make snap decisions about how they would continue to operate during the pandemic. In some cases, this meant taking shortcuts on processes that introduce new risks. This was underlined by Mitch Teichman, Sr. Manager Client Engineering, VITAS at CONVERGE 2020. He said, “At the beginning, it was about survival. To be frank, security, which never takes a back seat, took a backseat out of necessity. While security is always important, for that moment of time, it became second to business continuity and keeping the lights on.”
Many companies had to take the same approach and it quickly had an effect.
“Very quickly we had to shift back from simply keeping the lights on to security being our main focus,” Teichman continued. “We quickly pivoted to how do we keep the business running more safely, what are the specific tools we need to do that. It’s honestly given us the opportunity to focus on security initiatives that we weren’t able to before, like securing the edge.”
Yet the end of 2020 continued to deliver curveballs to security and operational professionals. The targeting of security industry stalwarts is a stark reminder that it is worth leveraging the momentum of your digital transformation efforts to assess your third-party risk.
Architecture risk and governance processes should not be a ‘one and done’ exercise that occurs only at the point of onboarding a new third party. Just like other security and risk assessments, they should be carried out on a continuous basis. If organizations focus on the following seven areas of due diligence, they will go a long way towards mitigating potential supply chain risks:
1 - Ecosystem architecture
The issue of third-party risk has been exacerbated in recent times as organizations have moved to an ecosystem architecture in which they leverage a collection of products and services delivered from outside the enterprise, for example cloud services. This shift comes with many benefits, such as the ability to ramp services up and down and access to different cost structures. However, there are additional risks to consider, such as an expanded attack surface and the inherent trust that has to be placed in the software supply chain.
2 - Financial risk
The risk associated with third parties getting into financial trouble goes beyond the potential disruption of your operations and the impact on your customers: it also means they could be cutting corners on their technology. That corner cutting can leave you exposed to security risks as their budgets for technology innovation and for getting on top of technical debt are cut.
The challenge in this area is that it’s not always straightforward to assess the financial health of a supplier or partner. Considering how tough this year has been on some sectors, many organizations will have burned through cash reserves and may be struggling financially. If the supplier is a publicly traded company you can find audited annual or quarterly reports; otherwise you may be reliant on analyst or news reports. The question to answer is: does a supplier's cash flow present risks to your ability to operate?
3 - Technology and cyber hygiene
Much as neglecting personal hygiene can result in illness, neglecting technology and cyber security hygiene can result in digital infection. In a world where everyone’s personal endpoint (be that a corporate or personally owned laptop, tablet or phone) has become the front line of cyber security, ensuring that these devices are well managed is vital. After all, the “castle wall and moat” of the office firewall and the physical security provided by the office aren’t particularly effective when endpoints aren’t in the office. This elevates the importance of the endpoint -- both securing it and managing it.
Your suppliers must have an accurate inventory of their IT assets, and they must know the patch status of each asset and which software versions are installed. They must also be able to patch and update quickly and close down any issues on those endpoint devices in order to keep on top of the ever-changing digital risk landscape.
4 - Software / virtual supply chain
Something that has been bubbling under the surface until very recently is how vulnerable organizations are to digital supply chain risk. What does this mean? It means that digital processes such as a supplier’s software development lifecycle can directly impact your own organization. Complex automated DevOps setups, use of open source code, insecure cloud configuration and unpatched basic vulnerabilities leave holes open that criminals can exploit with massive consequences. Ensuring that your ecosystem has adequate risk mitigation, plus compliance with standards and controls, is vital if you want to avoid reputational damage linked to your own organization’s use of these potentially compromised technology platforms.
It is no longer enough to be concerned only about your own internal security; you need to be confident in the security of your end-to-end ecosystem architecture. To achieve this you need to carry out end-to-end risk assessments covering (but not limited to) source code repositories, cloud services, the DevOps tool chain, and deployment and testing processes. Digital business means moving at pace, but this can’t be done at the expense of security. Testing throughout the lifecycle and embracing DevSecOps are key.
5 - Ethics and sustainability
2020 has reconnected many people with the natural world, and politicians are talking about ‘building back better’ once the pandemic has relented. Make sure that your suppliers haven’t cut corners in their operations this year to stay afloat. Customers will not look favorably on brands that don’t look after their customers, staff and the environment.
6 - Physical risks
Is social distancing being followed at places of work? For those that need access to PPE, is it available in sufficient quantities?
What parts of your suppliers’ operations have been mothballed or now have limited personnel on site? Those locations are potentially exposed to social engineering and physical network intrusion, and any of your component parts or finished stock held there is at risk.
7 - Readiness for post-Covid-19
It’s also important to consider the risks, and the parts of the business continuity plan, that need to be reassessed as your operations adapt and adopt more digital ways of working post pandemic. What is the impact if one of your core third-party technologies goes down? Keeping your employees productive and your customers served through the unpredictable future that will unfold requires forward planning and mitigation of the risks of physical or digital supply chain disruption. Keeping supply and demand in balance as the mix shifts between the digital and physical services you offer will be key throughout 2021.
The vaccination programs that are now starting to roll out should, in the next few months, reopen parts of the economy including travel and hospitality. But many of these suppliers haven’t seen their usual level of business over the last year: can they ramp back up when required, or will this be difficult because of reduced staff and the closure of locations that you previously relied on?
2021 will need to be a year of further adaptation, with even more focus on longer-term technology management and risk mitigation measures. Making sure the organization thinks about its new ecosystem architecture and considers the topics discussed above is crucial. It also means asking your suppliers and wider ecosystem some tough questions, including: where have you made changes in your use of technology, and what impact does this have on security?
Above all else, this reinforces the need for good IT governance and security hygiene across the ecosystem, which starts with having a reliable inventory of your assets. Endpoints have become far more critical, and knowing their status across the extended enterprise is essential to effective risk management in 2021 and beyond.
Oliver Cronk, Chief IT Architect for EMEA, Tanium