TPRM wake-up call: Are you one cybersecurity incident away from chaos?
Written by: Jeffrey Wheatman
The Reality of Digital Dependence
The recent CrowdStrike incident serves as a stark reminder of our vulnerability in the digital age. It may turn out to be one of the biggest IT-related incidents of all time, and this time it wasn’t a hacker, cyber terrorism, or ransomware. It still raises critical questions about our preparedness and resilience, given our increasing reliance on complex technology dependencies that stretch far beyond our own organizations. Our reliance on digital infrastructure puts us just one mistake, one hack, or one misconfiguration away from chaos.
Imagine our digital infrastructure as a vast network of wires. Each wire is interconnected, and a single cut or malfunction can disrupt the entire system. As our digital infrastructure becomes larger and more complex, the potential for such incidents grows. While the CrowdStrike event was significant, cybersecurity incidents occur daily with less far-reaching consequences. This wasn’t a one-off; it was a wake-up call. We must acknowledge that such incidents will happen again and be ready to respond swiftly.
The Importance of Preparedness and Supply Chain Insight
Predicting the next cyber event or identifying the next company to push out a faulty update is impossible. However, we can be proactive in monitoring and managing risks in our supply chain to reduce our likelihood of a breach or attack. How do you do this? By having insight into your entire cyber ecosystem with intelligence that shows you where those risks are. This insight also helps you to be prepared in the event of an unforeseen incident, because rapid response plans start with understanding which parts of your supply chain are affected. This isn’t just an IT or cyber issue; it’s a business resilience issue.
Building Resilience
Resilience involves several key elements:
- Identify Critical Partners: Understand which partners could bring your operations to a halt in a worst-case scenario. Let’s look at two approaches:
- The simple way: Assess how bad it would be if a partner couldn’t deliver what we pay them for (product or service), and/or how bad would it be if data we ‘gave them’ to gather, process or store were accessed.
- A more rigorous way: Work with business stakeholders to develop a BIA (business impact analysis) to identify critical elements in your business and technology ecosystems, including dependencies, failovers, fallbacks, and alternative sources for said products or services. The good news is that if you have a business continuity program (BCP), you probably already have a BIA.
- Involve Stakeholders: Business stakeholders must be involved to understand and define risk appetite. In order to present a united business front, you need to decide how much risk is too much risk and set the thresholds to monitor for risk exposure. The good news is that all organizations have risk appetites, and they drive business decisions. The bad news is that the process is often ad hoc and not based on data. As part of an overall program of risk management, organizations need to build out processes to define risk appetite and assess risk exposure against that risk appetite (of course, that’s the hard part). Once that is done, you can easily apply risk appetite to third parties and the supply chain.
- Have Fallback Plans: Ensure you have alternatives if critical partners fail. For each of your critical partners, ask whether there are alternatives (either short or long term) that can provide the product or service. If not, does it make sense to purchase a cache of product to get you through a short-term break? Of course, this option doesn’t work for services with no alternatives; in that case, the only option is to assess whether there is a manual fallback. For providers where there are alternatives, organizations should assess whether “cold, warm, or hot” failover is appropriate, understanding the relative cost versus impact balance. It’s also worthwhile to scenario plan for short-term issues (less than ’X’ days, for example) versus longer-term ones.
- Improve Fallback Options: It’s not enough to have fallbacks in place. Continuously assess and enhance your fallback options, so that in the event you need to call on them, you already know their risk exposure.
- Communicate Risks: Clearly communicate risk exposures to both vendors and business stakeholders. Make sure to communicate to each audience in terms they understand.
- For vendors, clearly state what the risk is, how it can be mitigated, and the data behind your conclusion, along with specific actions required to lower the risk to an acceptable level for your business. This will help ensure that the risk is clearly understood and action is taken.
- For business stakeholders, lean into the “why” by explaining how this risk impacts business priorities, and quantify the risk in financial terms so they understand the ramifications.
Actions for TPRM Professionals
For third-party risk management (TPRM) professionals, this incident underscores the need for diligent oversight on an ongoing basis:
- Software Testing and Update Management: Gather information on your software vendors’ testing, updating, and release management practices.
- Assessing Concentration Risks: Evaluate potential concentration risks in your ecosystem. For example, if a significant percentage of your partners rely on the same ERP platform, this could be a vulnerability.
- Demanding SBOMs: Request software bills of materials (SBOMs) from your vendors to understand what’s inside their software.
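The two points above feed each other: once you hold an SBOM from each critical vendor, you can measure concentration risk directly by finding the components that most of them ship. The script below is an added example, not code from the article or from Black Kite, and it assumes a minimal CycloneDX-style JSON shape (a `components` list with `name`, `version` and optional `purl`); the vendor names and component lists are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: three vendor SBOMs in a minimal CycloneDX-style JSON
# shape. Only the fields read below matter; vendors and versions are made up.
VENDOR_SBOMS = {
    "vendor-a": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7"},
            {"name": "log4j-core", "version": "2.17.1"},
            {"name": "libxml2", "version": "2.10.3"},
        ],
    }),
    "vendor-b": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "1.1.1t"},
            {"name": "log4j-core", "version": "2.20.0"},
            {"name": "zlib", "version": "1.2.13"},
        ],
    }),
    "vendor-c": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "openssl", "version": "3.0.7"},
            {"name": "zlib", "version": "1.2.11"},
        ],
    }),
}


def parse_components(sbom_json):
    """Return {component name: version} from one CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    return {c["name"]: c.get("version", "unknown") for c in doc.get("components", [])}


def component_concentration(sboms):
    """Map each component to the sorted list of vendors whose SBOM declares it."""
    index = defaultdict(set)
    for vendor, sbom in sboms.items():
        for name in parse_components(sbom):
            index[name].add(vendor)
    return {name: sorted(vendors) for name, vendors in index.items()}


def component_versions(sboms):
    """Map each component to {vendor: version}, so divergent versions are visible."""
    versions = defaultdict(dict)
    for vendor, sbom in sboms.items():
        for name, version in parse_components(sbom).items():
            versions[name][vendor] = version
    return dict(versions)


def concentration_risks(sboms, threshold=0.5):
    """Components present in at least `threshold` of vendors, highest share first.

    A single flaw in a component with a high share would hit that fraction
    of the ecosystem at once; that is the concentration risk to report.
    """
    total = len(sboms)
    versions = component_versions(sboms)
    rows = []
    for name, vendors in component_concentration(sboms).items():
        share = len(vendors) / total
        if share >= threshold:
            rows.append({
                "component": name,
                "vendors": vendors,
                "share": share,
                "versions": versions[name],
            })
    rows.sort(key=lambda r: (-r["share"], r["component"]))
    return rows


if __name__ == "__main__":
    for row in concentration_risks(VENDOR_SBOMS):
        print(f"{row['component']:<12} {row['share']:.0%} of vendors  {row['versions']}")
```

The version map is the part worth keeping in a real review: a component that every vendor ships is a concentration risk, and a component that every vendor ships at a different version tells you whose update management you need to ask about first.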
Are You Prepared to Mitigate Impact?
Businesses must accept the alarming truth that systematic risks are an ongoing reality. While we may not know where the next incident will strike, awareness and preparedness can mitigate the impact. The CrowdStrike outage is a reminder that resilience isn’t optional; it’s essential. By focusing on proactive risk management and fostering a culture of resilience, businesses can navigate the digital landscape with greater confidence and security.
Be sure to follow Black Kite to learn about new threats as they emerge and see how Black Kite can help you maintain a resilient vendor ecosystem with a free demo.