The Silent Killer Impacting the Mission Readiness of the Health & Life Science Sector
Companies dealing with the betterment of health have a noble mission supporting the most important aspects of their customers’ lives – from manufacturing life-saving drugs to delivering necessary patient care. Risks that affect network availability, the protection of sensitive health data, or the integrity of critical processes create life-impacting exposure.
As geopolitical tensions increase, and global economic conditions continue to put pressure on the bottom line for most organizations, we should expect to see more organizations exposed to threats such as ransomware, insider threat, and other malicious cyber activity. Organizations in this space have regulatory obligations to ensure they are managing these risks. One of the fastest-growing concerns in the sector is the expanding attack surface associated with third parties – the silent threat most security professionals worry about, knowing that something bad will eventually happen.
What is a Third-Party?
As more companies look to simplify their business with increased reliance on vendors and suppliers for non-core capabilities, or outsource critical business functions, they find themselves operating with a large ecosystem of third parties that affects their overall security and compliance posture. The 2017 NotPetya cyberattack that affected the pharmaceutical giant Merck, and the many hospital systems impacted by ransomware on a weekly basis, showed the world how much risk exists when a trusted third party is the entry point of a targeted attack. The concern is how organizations that operate with a large ecosystem of suppliers, vendors, and partners will monitor the security and compliance of all of them. If we look at the current approach to this problem, we will quickly see how inadequate it is, and why this has become the fastest-growing security and compliance issue.
What’s wrong with the current approach to Third-Party Risk?
Third-Party Risk is currently approached by service providers as a compliance box to check that organizations need, versus a real security risk that organizations want to understand. In most cases, Third-Party Risk teams take their inventory of third parties (this assumes an accurate inventory exists), risk-rank them on a financial-impact criterion (such as annual spend with a vendor), send questionnaires to assess risk, and follow up with direct audits on the higher-risk third parties. This approach is flawed by design for many reasons:
- Coverage: Most organizations have more third parties than they could possibly assess in a year. They must sample, or sort by some criterion such as financial impact. The challenge is that attackers are not focusing on your most financially material third party. In most cases, they would target the smallest or weakest organization in that ecosystem.
- Quality of Data: The questionnaires are often too long and error-prone. Even when they are completed, a lot of judgment is applied, which creates variation in risk-assessment quality. For example, a question like “Do you perform penetration testing on your network?” can be answered “YES”, but the depth and coverage of that penetration test can vary greatly.
- Frequency: The biggest issue with this approach is that it is a point-in-time assessment. Most organizations have critical systems in constant evolution (agile software development), which means a point-in-time assessment has very low value.
What do we need to do?
Continuous monitoring. We have grown to appreciate that cybersecurity is constantly changing and requires 24/7 monitoring. In today’s software-defined environment, compliance status can change every time the code is modified. The expectation is not compliance once a year; the expectation is a constant state of compliance, even in a constantly changing environment. We need to develop continuous visibility into the security health of our Third Parties, so we see issues quickly and reduce the business impact.
Address the whole attack surface. When you consider how an attacker looks at an organization, they don’t just look at breaking in through the “front door”. They are opportunistic and will use any weakness as an entry point. One area where most organizations have little to no continuous visibility is their third-party ecosystem. The rapid increase in supply chain and third-party attacks indicates this is an easy target for attackers.
Work together. Nearly half of the Third Parties in an organization’s ecosystem are small to mid-sized businesses. We have to build a community mindset for this problem, where we do more than just perform assessments and identify issues – we have to be able to help the smaller partners become more secure.
Call to Action:
Every security compliance framework has Third-Party or Supply Chain Security as a requirement. It is one of the weakest parts of any organization’s attack surface. Abacode is partnering with like-minded organizations that want to collaborate on a solution to this issue. If we consider what’s at risk, we can’t allow ourselves to sit back and accept failure.