Some of the most significant cybersecurity breaches this year have been supply chain related: SolarWinds, Accellion, Hafnium and, most recently, the Kaseya attack.
Why now? Supply chain risk = third-party risk.
The COVID-19 pandemic forced companies to transition to a remote workforce, where security and IT teams could not do their ‘usual’ due diligence – particularly around onboarding third-parties. As a result, nefarious actors (aka hackers) took full advantage. In the U.S., the FBI reported a 500% increase in cyber-attacks in the first months of the lockdown in 2020.
New Zealand is ripe for cyber-attacks.
Some of the recently reported cyber breaches are the largest in New Zealand’s history – and almost all of them are related to third-party breaches.
The combination of these events is forcing security and IT teams in New Zealand through a “maturity curve” – particularly around third-party risk and cybersecurity.
The “It won’t happen here; I’ve got bigger business priorities” attitude must change.
A shift in focus.
If you look back two or three years, companies typically had just a few dozen third-parties in their ecosystem. But today, according to the Ponemon Institute, enterprises are averaging thousands, often up to 6000 third-party vendors – that’s a lot of third-party risk to manage.
Assessing whether every third-party is fit for purpose is an enormous amount of work, especially for small IT teams.
That’s where CyberGRX comes in.
CyberGRX has the world’s largest cyber risk Exchange with over 100,000 participants. It has automated and standardized the previously heavily time-intensive manual process of assessing third-parties.
We were introduced to CyberGRX through the venture capital firm Telstra Ventures, which has made some significant investments in the cyber security space.
CyberGRX has taken on the mission of reaching every CISO in the New Zealand market. Their goal is to help them reduce their cyber-risk, and part of that is choosing to work with local partners, like Advantage, whose goal is to understand the local market better than anyone:
“We are very deliberate about the partners we choose to work with. They need to bring a level of governance, risk, and compliance skill to the conversation. Telstra Ventures introduced us to Advantage, and they certainly have the reputation and credibility in market to help us achieve our mission to reduce supply chain risk in the market,” said Anthony Panuccio, Director at CyberGRX.
The human factor on security posture.
Everyone on your team, not just the IT team, can affect your company’s security posture, especially if they’re informed.
We work with Cofense, who provide phishing detection and response solutions that help organizations stop phishing attacks faster and, importantly, educate on how to detect phishing attempts.
All it takes is one phish to wreak havoc on your network and bottom line.
According to Marcus Bartram, General Partner at Telstra Ventures, another pressure for security teams is mobile.
“For most of us, using your mobile for work and connectivity is instinctual. But is it secure? Or, more realistically – is mobile even part of your company’s cyber defense strategy?
Zimperium, a Telstra Ventures’ portfolio company and arguably the world’s leader in mobile threat detection and security, has created the world’s first machine learning-based security engine for mobile. It allows remote workers to access sensitive data and mission-critical systems safely and securely.
According to the firm, the number of reported cyber-attacks targeting mobile devices has more than doubled every six months for the last three years. And with remote work and bring your own device (BYOD) practices becoming a permanent fixture, the attack surface for an enterprise is on pace to grow exponentially,” said Marcus.
CyberGRX is not alone in its New Zealand focus.
Marcus also observed that the VC firm has seen an uptick in the number of Telstra Ventures’ portfolio companies headquartered out of the U.S. that look to the Asia Pacific region to address the growing cybersecurity market.
“AttackIQ, another portfolio company that just announced $44 million in Series C funding, is also expanding their reach in a bid to reduce the pressure on security professionals and help them prepare for cyber-attacks.
AttackIQ helps organizations continuously validate the effectiveness of their security controls at scale. Importantly, CISOs in New Zealand, or anywhere, can verify that their cyber defenses work as expected and validate against the latest threats,” said Marcus.
According to CyberGRX, these three critical actions can reduce your supply chain risk today.
1 – Know who’s part of your third-party ecosystem.
You need to know the extent to which third-parties are in your ecosystem. You’d be surprised at how many enterprises wouldn’t be able to answer this question today because it hasn’t been a focus.
2 – Understand your exposure through third-parties.
Now that you know your third-party ecosystem, ask: if one of them experienced a cyber event today, what would be the impact on your business? We’ve seen a lot of attacks recently where a third-party has impacted an organization, but it’s the client of that third-party that cops the bad press.
3 – Manage your risk!
Cybersecurity is no longer simply a compliance exercise. The pivot from compliance to risk management is key. If you recognize that your third-parties are posing a risk to you, work with them quickly to close those control gaps, and build your cyber defense to reduce your risk.