Just a few days ago the world felt the rippling effects of a third-party push to networks across the globe. What would have normally been a routine undertaking instead caused mass disruption of information systems and brought businesses of all sizes to a standstill. Almost everyone was impacted by this incident in one way or another. At the time of this writing, some companies continue to struggle to resume normal business activities.
As with any incident, we must take a look at our processes to see what lessons we can learn and how we can improve – an after-action report, if you will.
Third-Party Risks
Our society is more interconnected than ever before, and third-party vendors increasingly are active on customer production business networks. The advantages businesses receive from these interactions are often worth the risks. However, as with all business decisions, we must understand the risks that we are accepting and take steps to mitigate them to the greatest practical extent.
One of the key takeaways from this incident is that we need to incorporate third-party risks into our business continuity (BC) plans, incident response (IR) plans, and tabletop exercises. Businesses cannot control every aspect of a third-party integration, but they can control how that risk is incorporated into the environment and put safeguards in place for maintaining continuity when an action fails to go as planned.
Businesses should not only take this into account with their BC/IR planning but should actively incorporate this into their tabletop simulation drills. At Raxis, we conduct tabletop offerings as a simulated attack intended to model real-world threats. They facilitate cohesion and seek to highlight process gaps and less obvious exposures. A plan is only as good as its execution, and tabletop exercises are an excellent way to identify improvement opportunities in plans and processes.
A Few Things to Think About
- Do you have redundant systems in place that would be resilient to a third-party incident?
- Do you have tested backups (emphasis on tested) that allow you to quickly restore your system?
- Do you maintain adequate logging, and are these logs stored for a long enough time period to allow your team to review them and determine affected systems?
- Do you have a current BC/IR plan, and does this plan include incidents that could be caused by third-party vendors?
- Do you actively review your vendors and their operational processes that could affect your business stability?
Vince Lombardi once said, It’s not whether you get knocked down, it’s whether you get up. This rings true after every security incident. What do we learn, and how do we improve?
Need help testing or developing your incident plans? Raxis can help. Reach out to one of our advisors to learn more.