- January 7, 2021
- Tags: Federal, SLED
Every CISO at a government agency, at the local, state, or national level, should treat third-party supply chain risk as a priority. When engaging third-party vendors, it is also imperative to implement robust solutions capable of detecting, preventing, and/or mitigating emerging threats from advanced persistent threat actors.
Government agencies are the bedrock of modern society, facilitating millions of critical processes to keep a nation running smoothly. To deliver those processes, technology is deployed through a variety of supply chain frameworks. However, according to IBM's 2020 Cost of a Data Breach report, 16% of all malicious breaches involved third-party software used as the initial vector for the cyberattack.
Data breaches have serious implications for any victim, but when the victim is a government agency, financial loss is not the only concern: national security is the number one challenge when government infrastructure is compromised.
If 2020 taught us anything, it is the dangerous nature of ransomware attacks and supply chain attacks. Therefore, as 2021 begins and organizations reevaluate their security postures, CISOs across State, Local, and Education (SLED) government agencies should be asking their third-party technology vendors these top five questions:
1. What type of DMARC protections do you have against supply chain attacks?
The first question could be a make-or-break decision, especially for Chief Information Security Officers (CISOs) in SLED government agencies across the United States. Many of these agencies may not have robust authentication mechanisms in place when dealing with vendors and contractors, and a lot of government organizations depend on third-party vendors who do not implement the strictest DMARC protection to prevent malicious actors from spoofing their identity. Only around 51% of the brands in the Global 2000 have a published DMARC record. A third-party vendor with a published DMARC record has at least demonstrated that it pays attention to security hygiene.
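A published record is only the first check; what matters is whether it actually enforces a policy. The following added example (not code from the original post) parses a vendor's `_dmarc` TXT record and rates its enforcement level; the vendor domains and records are constructed samples, and in practice the record would be obtained by a DNS TXT lookup of `_dmarc.<vendor-domain>`.

```python
# Constructed sample records for hypothetical vendor domains. In practice the
# record is the TXT value of _dmarc.<vendor-domain>, e.g. from `dig TXT _dmarc.example.com`.
SAMPLE_RECORDS = {
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; adkim=s; aspf=s",
    "vendor-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "vendor-c.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-c.example",
    "vendor-d.example": None,  # vendor publishes no _dmarc TXT record at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is absent or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Rate how much protection a vendor's DMARC record actually enforces.

    Returns (level, findings): level is 'none', 'monitor', 'partial' or
    'enforced'; findings are the gaps a CISO would raise with the vendor.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "none").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # share of failing mail the policy covers
    if policy == "none":
        level = "monitor"
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        level = "enforced"
    # Subdomain policy defaults to p; an explicit weaker sp= leaves subdomains spoofable.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: vendor receives no aggregate reports")
    return level, findings
```

Running `assess_dmarc` over each entry in `SAMPLE_RECORDS` gives a per-vendor rating that can go straight into the vendor questionnaire scoring.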
2. Are your employees trained in cybersecurity hygiene and handling threats like BEC and EAC?
Malicious actors now use sophisticated phishing methods such as Business Email Compromise (BEC) and Email Account Compromise (EAC) to target vulnerable employees of business entities. These social engineering threats impersonate influential users such as CEOs and trick employees into sharing confidential information, including financial details, with unsuspected threat actors. Therefore, CISOs should ensure that their third-party vendors' employees are trained to handle such social engineering threats.
3. What emerging technologies do you use in your data privacy and security countermeasures?
Threat actors nowadays leverage emerging technologies, such as artificial intelligence (AI) and machine learning (ML), to deliver precise and scalable cyberattacks. As such, CISOs must ensure that third-party vendors are equipped to handle those kinds of advanced attack methodologies.
Because phishing emails leave a trail, AI/ML algorithms can readily collect and analyze that data to help calculate the level of risk within an organization. Therefore, CISOs should confirm with third-party vendors the extent to which AI/ML is used in their risk management procedures.
4. What independent auditing and testing processes does your company undergo? And what industry compliance certifications have you earned?
The primary purpose of a cybersecurity audit is to ensure that organizations are accountable for the cybersecurity risks they take on. Third-party vendors can also self-audit by completing standardized questionnaires such as SIG Lite or the CSA CAIQ; however, it is best if those vendors have external audits performed on their infrastructure and processes. For example, industry sectors have their own certifications, such as PCI DSS for payment processors, HITRUST for healthcare, and FedRAMP for U.S. Federal government contracting.
Therefore, CISOs should endeavor to understand the types of independent auditing and testing methodologies used by their third-party vendors. These certifications show a commitment to maintaining a formal and validated information security program.
5. What approach do you take towards patching systems?
Organizations are generally more at risk from known vulnerabilities than from unknown ones. Unknown vulnerabilities may be dramatic and garner more attention, but third-party vendors should have robust security measures in place to fix the known threats. The ideal approach is to apply security patches that correct the flaw and remove the underlying vulnerable code as soon as the vulnerability is discovered.
Data security cannot be an afterthought; it is an integral part of an organization's products and services. Considering the massive volume of third-party-based cyberattacks globally, cybersecurity demands more serious attention. Organizations must consider it more than just a matter of business: customer confidence, reputation, and money are at risk. A trusted cybersecurity expert like GoldSky Security can provide subject matter expert advisory services to ensure that your mission-critical assets are secure from the evolving third-party threat landscape.