Supply Chain Security Adds a New Wrinkle
Sometimes an organization will be vulnerable to infiltration even when doing its best to protect itself, due to a security gap somewhere in its supply chain. For this reason, it’s important for any organization to always be aware of the cybersecurity policies implemented by partners and vendors.
Cappiello says it can open an organization up to attack when other companies in its ecosystem aren’t continuously assessing their own security. “It’s much easier to either move toward social engineering or move toward existing exploits, simply because customers are not diligent about hardening their systems,” he says. “Sometimes it’s new stuff, and sometimes it’s just really old stuff. And if it’s not kept buttoned up, then that’s where we see some of these exploits that are coming out of the woodwork that had possibly been around for a while. And believe it or not, we still do get customers that are not diligent in that regard.”
According to Daidone, “Third-party risk is something I’m seeing a lot of. I think that many of the organizations we talked to don’t have meaningful ways to evaluate these types of risks.”
“You may have the best defenses in the world, but if you have some bad people, or trust in people who have very bad privacy practices, you could become a target through some of those third-party vendors.”
Cappiello says larger organizations are just beginning to get a handle on dealing with third-party risk. “How can I figure out if someone I’m working with is taking security seriously?” he says. “Sure, there are forms and you can ask for this information, but what’s your confidence level there? Is there a way to evaluate that actively or passively, and from what you can see in front of the firewall, or if you can get a view?”
Working Within a Framework Can Better Protect Your Data
Both Daidone and Cappiello highlight the importance of using a framework for detection and response. “I can’t tell you how many customers have homegrown security programs that aren’t evaluated against a framework that are just blatantly missing huge areas,” Daidone said.
He recommends performing a gap analysis to help an organization determine the strengths and weaknesses of its security efforts. “I think a gap analysis is really good because it helps an organization figure out the latticework and, internally, identify the technology needed to help address that.”
“Latticework refers to the tools and rationalization assessments, or how to map your tools back to certain frameworks; for example, do I know that Tanium meets Control 1 and 2 of the CIS Top 18?” he explains. He notes that if organizations want to map their tools against a framework, they can rely on trusted partners such as Focal Point, a CDW company, to provide the necessary workforce training and development.