December 8th 2022 • Novotel Amsterdam City, Amsterdam, Netherlands
Plugging the third-party security gap
If core cybersecurity is hard enough to achieve with current resources, then is third-party security realistic? If not, then what?
From tools to solutions
According to a recent study of CIOs, CISOs and CPOs, more than 96% of organizations surveyed in the Benelux region experienced a cyberattack due to vulnerabilities in their supply chain. In the past 12 months, organizations reported falling victim to such supply-chain-related cyberattacks almost four times on average.
This may be because 91% said they do not check their external suppliers for cybersecurity risks. And that may be because even firms investing in supplier cyber risk management can find it impossible to use these budgets effectively.
Almost no third-party vendors are under direct supervision, and it is impossible to communicate with every vendor on a frequent basis about their security posture.
Simply identifying suppliers and their data access and requirements is beyond many companies, as many relationships don’t even come in through procurement. Even if identification is possible, then CISOs struggle with the technical challenge of providing third parties with enough access to perform their designated responsibilities and nothing more, especially when this changes depending on the underlying contracts.
The answer would seem to be some form of zero-trust model, but according to a recent Ponemon Institute study, most organizations do not implement zero-trust policies because of the practical difficulties of visibility and of understanding which vendors should have access to what. Even defining an organization’s most sensitive data turns out to be complicated, because it is often highly context-dependent.
- So, how are CISOs coping with these challenges day-to-day?
- What practical steps can they take to get better supplier visibility and understanding?
- What solutions exist to allow companies to dynamically track and manage access to network resources and data in a way that actually maps to real business environments?
- And is AI-driven behavioural analysis a better way to approach the problem than ever more granular attempts to identify, authenticate and dictate access?