Posted on May 21, 2020
Almost every business is in the middle of a digital transformation. Whether as a capital purchase or an operational cost reduction, your organization is likely buying more cloud services. Those cloud applications and services, in turn, rely on their own vendors to run their businesses. In many ways, cyber health risks resemble physical health risks: a single one of your systems connects to an exponentially growing number of vendors whose activities are outside your control. Just as you can take preventative steps to protect your physical health, you can monitor these three areas as part of your digital supply chain risk management strategy.
Patching cadence refers to the time an organization takes to apply security updates to its systems, networks, and software. According to a ServiceNow report, 60% of data breaches in 2019 occurred because an organization had not patched its systems, networks, or software against a known vulnerability. The same report found that 52% of respondents believed the manual processes managing their patching cadence left them at a disadvantage.
Generally speaking, organizations should apply security patches within 30 days of a patch's release. However, many organizations fail to apply patches within that period because they fear business interruption or cannot adequately prioritize the influx of patches.
Think about the last time you updated your browser. Most people have multiple browser tabs open at any given time, and applying a browser-recommended security update means downloading the software, closing the browser, and restarting it. Busy employees often decide to put off the update because they fear losing all their open tabs on restart.
Now apply that to enterprise software, systems, and networks. If an organization's systems need to be restarted, everyone connected to those systems has to wait. Most large organizations have global operations, which means that even an "overnight" update in one location lands in working hours for another time zone. Ultimately, IT staff find it hard to balance security against availability, since downtime means lost income for as long as the networks are unavailable.
Meanwhile, the sheer number of software updates can become overwhelming, and not all updates are equally important. Some add features that improve the user experience. Others fix minor bugs in how programs work together. Still others fix known vulnerabilities. Managing and prioritizing these decisions across a complex enterprise infrastructure is difficult and time consuming.
In short, while organizations know they need to update their systems, they often lack the ability or staffing to meet best practices. As part of your digital supply chain risk management, you need insight into how your extended supply chain partners manage their security patch update processes to ensure your own security.
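One way to measure patching cadence against the 30-day target described above, as an added example that is not part of the original post: the script below takes a constructed inventory of hosts and patch dates (hypothetical host names, software and dates) and reports each host's patch lag, which hosts exceed the window, and the median lag across the fleet. A patch that is still missing is counted as overdue from its release date up to today.

```python
from datetime import date

# Target from the post: apply security patches within 30 days of release.
PATCH_WINDOW_DAYS = 30

# Constructed sample inventory (hypothetical hosts, software and dates).
# "applied" is None when the patch has still not been installed.
INVENTORY = [
    {"host": "web-01", "software": "nginx", "released": "2020-03-02", "applied": "2020-03-12"},
    {"host": "web-02", "software": "nginx", "released": "2020-03-02", "applied": "2020-04-20"},
    {"host": "db-01", "software": "postgres", "released": "2020-04-01", "applied": None},
    {"host": "hr-portal", "software": "tomcat", "released": "2020-04-15", "applied": "2020-04-30"},
]


def patch_lag_days(record, today):
    """Days from patch release to installation; for an uninstalled patch, days elapsed up to today."""
    released = date.fromisoformat(record["released"])
    end = date.fromisoformat(record["applied"]) if record["applied"] else date.fromisoformat(today)
    return (end - released).days


def cadence_report(inventory, today):
    """Per-host lag, the hosts outside the patch window (sorted), and the median lag across the fleet."""
    lags = {r["host"]: patch_lag_days(r, today) for r in inventory}
    overdue = sorted(host for host, lag in lags.items() if lag > PATCH_WINDOW_DAYS)
    ordered = sorted(lags.values())
    mid = len(ordered) // 2
    median = ordered[mid] if len(ordered) % 2 else (ordered[mid - 1] + ordered[mid]) / 2
    return {"lags": lags, "overdue": overdue, "median_lag": median}


if __name__ == "__main__":
    report = cadence_report(INVENTORY, "2020-05-21")
    for host, lag in report["lags"].items():
        status = "OVERDUE" if host in report["overdue"] else "ok"
        print(f"{host:10} {lag:4d} days  {status}")
    print(f"median lag: {report['median_lag']} days; overdue hosts: {report['overdue']}")
```

Run against a real inventory, the "overdue" list is the set of hosts (or, when the records describe vendors, the set of partners) that need follow-up, and the median lag is a single number that can be tracked month over month.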
Network security consists of the hardware and software controls that prevent unauthorized users from accessing an organization's systems; firewalls and antimalware, for example, fall into this group. Cyber criminals focus heavily on exploiting weaknesses in organizations' network security because, once inside the network, they can move on to other applications and devices.
As part of your due diligence monitoring, you should ensure that your supply chain partners maintain the appropriate protections.
Computer viruses are programs that run in the background of a user's computer, often without the individual realizing it. For example, SecurityScorecard researchers explained in a recent report how an organization's servers could be compromised by malware that installed itself on devices without users knowing it was there. Once installed, the malware continued to collect information and send it to the cyber criminal.
Most organizations use a firewall as a threat mitigation strategy. A firewall is software or a device that acts as a filter, allowing only certain traffic into or out of your network. Many organizations use a "whitelist" strategy that allows data from specific websites and web domains into their systems. For example, an organization would likely whitelist "google.com" because employees may need to search the internet as part of their jobs. Organizations can also "blacklist" a domain to prevent users from connecting to a website that is known to be a security risk. For example, many organizations blacklist social media domains such as facebook.com or twitter.com because cyber criminals often send malware to users in private messages.
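The allow-and-block decision a domain filter makes, as an added example that is not the original post's or any vendor's code: the policy below uses constructed lists and hypothetical hostnames, checks the blocklist before the allowlist so a block rule always wins, and denies anything unlisted by default. It matches on whole DNS labels rather than substrings, which is the detail that keeps a lookalike such as "notgoogle.com" from inheriting google.com's allow rule.

```python
# Constructed policy lists (hypothetical; not an actual firewall configuration).
ALLOWLIST = {"google.com", "vendor-portal.example"}
BLOCKLIST = {"facebook.com", "twitter.com"}


def normalise(hostname):
    """Lower-case and strip a trailing dot so 'GOOGLE.COM.' and 'google.com' compare equal."""
    return hostname.strip().rstrip(".").lower()


def matches(domain, rule):
    """True when domain is the rule itself or a subdomain of it.

    The comparison is on whole labels: 'www.google.com' matches 'google.com',
    but 'notgoogle.com' does not, because it does not end in '.google.com'.
    """
    return domain == rule or domain.endswith("." + rule)


def decide(hostname, allowlist=ALLOWLIST, blocklist=BLOCKLIST, default="deny"):
    """Return 'allow' or 'deny' for a hostname. Block rules win; unlisted names get the default."""
    domain = normalise(hostname)
    if any(matches(domain, rule) for rule in blocklist):
        return "deny"
    if any(matches(domain, rule) for rule in allowlist):
        return "allow"
    return default


def evaluate_log(lines):
    """Apply the policy to constructed proxy-log lines of the form '<client-ip> <hostname>'."""
    results = []
    for line in lines:
        client, hostname = line.split()
        results.append((client, normalise(hostname), decide(hostname)))
    return results


if __name__ == "__main__":
    # Constructed sample log lines, not captured from a real network.
    SAMPLE_LOG = [
        "10.0.0.5 www.google.com",
        "10.0.0.5 m.facebook.com",
        "10.0.0.7 notgoogle.com",
        "10.0.0.7 google.com.lookalike.example",
        "10.0.0.9 vendor-portal.example.",
    ]
    for client, host, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{client:10} {host:32} {verdict}")
```

The default of "deny" is the choice that turns the list into a real whitelist; with a default of "allow" the same code degrades into a blacklist that only stops the names someone already thought of.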
Across the digital supply chain, network security tends to dovetail with patching cadence. Almost all of the protections require updates as cyber criminals evolve their threat methodologies. Managing network security risk across the digital supply chain becomes onerous. Even if you know all your supply chain partners, you may not be able to appropriately review all the documentation needed to continuously monitor them.
Web application security focuses on protecting services like websites and user portals from cyber criminal attacks. Most organizations today use a complex variety of applications that rely on the internet. An example of a web application is a human resources application that allows employees to update their personal information. However, cyber criminals know the vulnerabilities inherent in these applications and exploit them.
A SQL injection attack occurs when a malicious actor submits crafted SQL code through a login page's input fields in order to collect users' IDs and passwords. Once cyber criminals obtain this information, they can use it to access the web application and steal the data stored there.
Often shortened to "XSS," cross-site scripting attacks target users' browsers rather than the application itself. A web application vulnerability that also involves malicious code, an XSS attack delivers a malicious script through the application to the user's browser, where it runs on the device. Although the attack is a hybrid, its goal is to steal web application login information, for the same reason a malicious actor would launch a SQL injection attack, which ultimately makes it a web application security issue.
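The login-form case described above, as an added example that is not the original post's code: the vulnerable query, which pastes the submitted fields straight into the SQL text, beside the parameterized version that passes them as data. It runs against an in-memory SQLite table holding one constructed account, so the difference between the two can be checked directly.

```python
import sqlite3

# Constructed sample account. A real application stores a password hash, never the password;
# the plain string is used here only so the two query styles can be compared side by side.
SAMPLE_USERS = [("alice", "correct-horse-battery")]


def build_db():
    """In-memory SQLite database with a single users table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The defect: form fields are concatenated into the SQL, so a quote in the input rewrites the query."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: placeholders send the fields as bound values, so the input can never alter the statement."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = build_db()
    # Constructed hostile input: the quote closes the string literal, OR 1=1 makes the
    # WHERE clause always true, and -- comments out the rest of the statement.
    injected = "' OR 1=1 --"
    print("vulnerable, real credentials:", login_vulnerable(conn, "alice", "correct-horse-battery"))
    print("vulnerable, injected input:  ", login_vulnerable(conn, injected, "x"))
    print("safe, real credentials:      ", login_safe(conn, "alice", "correct-horse-battery"))
    print("safe, injected input:        ", login_safe(conn, injected, "x"))
```

With the concatenated query the injected username logs in without any password; with the parameterized query the same string is simply a username that does not exist. Reviewing a vendor's application for string-built SQL is therefore a concrete, checkable item rather than a vague "is it secure" question.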
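The browser side of the problem, as an added example that is not the original post's code: a page fragment that inserts a user-supplied display name unescaped, beside the version that HTML-escapes it so the browser treats the name as text rather than markup, and a constructed Content-Security-Policy response header as a second layer that restricts which scripts a browser will run at all. The header values are illustrative, not a policy taken from any real site.

```python
import html

# Constructed hostile input for the demonstration: a display name that contains a script element.
SCRIPT_NAME = "<script>alert(1)</script>"


def render_greeting_vulnerable(display_name):
    """The defect: the stored display name is pasted into HTML, so the browser parses any tags in it."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name):
    """The fix: escape &, <, > and both quote characters so the browser renders the name as literal text."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_attribute_safe(display_name):
    """Escaping matters inside attributes too; quote=True keeps the value from closing the attribute."""
    return f'<input type="text" name="display_name" value="{html.escape(display_name, quote=True)}">'


def security_headers():
    """Example response headers (constructed policy): scripts may load only from the page's own origin,
    and inline script is not allowed, so an escaping bug that lets markup through still cannot run code."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable:", render_greeting_vulnerable(SCRIPT_NAME))
    print("safe:      ", render_greeting_safe(SCRIPT_NAME))
    print("attribute: ", render_attribute_safe('Bud "Kid" O\'Neil'))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

Escaping at the point where data is written into HTML is the fix for the vulnerability itself; the CSP header limits the damage when the fix is missed somewhere, which is why the two are normally used together.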
Web application security may be the most difficult threat to manage across the digital supply chain. In many ways, it’s the culmination of all risk types across an organization. Many web application attacks use several methodologies - such as malware and known vulnerabilities - to steal data. Moreover, as more organizations incorporate mobile applications, IT staff loses control over the protections that can mitigate these risks.
SecurityScorecard’s security ratings platform reviews risk across ten groups of factors, including patching cadence, network security, web application security, IP reputation, DNS health, leaked credentials, and social engineering. Our platform’s easy-to-read ratings use an A-F scoring system, with A being most secure, so that organizations have a common language for discussing cybersecurity risk.
For organizations looking to mature their digital supply chain risk management programs, SecurityScorecard gives them a way to continuously monitor all organizations across their complex ecosystem. In an era where “trust but verify” has become “verify always, even if you trust,” SecurityScorecard’s platform reduces the manual tasks inherent in monitoring and promotes stronger security.