Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

Accellion Data Breach: Four Strategies for Third-Party Risk Response

Global energy giant Shell is the latest victim of the Accellion breach. As the number of impacted organizations grows, how should third-party risk management teams respond?
Brenda Ferraro
Vice President of Third-Party Risk
March 22, 2021
Blog accellion risk management 0321

The Accellion third-party data breach, which has already claimed law firms, retailers, telecoms, banks and governments worldwide as victims, has now impacted one of the largest companies in the world: Royal Dutch Shell.

To re-cap, Accellion’s 20-year-old file transfer software, FTA, was compromised in December 2020. While it has since been patched, this near end-of-life tool still counts more than 3,000 customers, meaning that there were potentially thousands of companies – and their customers – that could have been at risk.

Like the SolarWinds supply chain breach before it, this increasingly damaging third-party data breach continues to provide an example of how a single compromise can negatively impact customer systems, and why a more proactive approach to third-party risk management is needed.

4 Risk Management Strategies to Help with the Accellion Breach

Third-party risk management (TPRM) (sometimes called vendor risk management or VRM) is part of an overall risk management strategy meant to identify, assess and mitigate risks presented throughout the lifecycle of relationships with third parties – including vendors, partners, suppliers or other Nth parties.

TPRM plays an essential role in managing vendors. If you’re concerned about an Accellion-style breach impacting your organization, consider these 4 TPRM strategies for understanding your vendor risk and what to do about it.

1. Use Inherent Risk to Accurately Tier and Profile Your Vendors

In order to properly understand the risk that vendors pose to an organization, risk management teams must be able to calculate inherent risk, or the current risk level given what is understood to be the existing set of (or lack of) controls for that vendor. Calculating inherent risk is important when onboarding new vendors, and informing profiling, tiering and categorization decisions.

When considering how to tier a vendor, it’s important to fully understand the impact a supplier could have on your business if it were to fail. Accordingly, you should leverage a scoring system that determines the supplier’s tier group. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with personal data
  • Financial status and implications
  • Legal and regulatory obligations
  • Reputation

In the context of this data breach, Accellion could have been placed in a high tier because they handled the personal data of customers. Being in a higher tier would have automatically increased the level of scrutiny over their processes, which in turn may have revealed a vulnerability before it was exploited.

2. Assess Your Third Parties Flexibly According to Business Needs

Conducting cybersecurity assessments of your suppliers and vendors provides a baseline against which to measure compliance or adherence to security protocols. However, don’t force-fit every vendor in every tier into a single rigid questionnaire. While using a similar set of questions to evaluate all vendors is important, be sure to have the flexibility to assess them against unique requirements, too.

Regardless of the questionnaire, vendors should be invited into a central portal to provide answers and submit supporting evidence. Their answers would be flagged as risks automatically if they fail to meet certain thresholds, and then automated actions can be taken to resolve the issue.

Using Accellion as an example, their customers could have been assessing the company on their adherence to the software development lifecycle (SDLC) – specifically maintenance processes, patching and updates. If Accellion was not able to demonstrate that it had the patching and update processes in place to prevent vulnerabilities from being exploited, a risk would be raised.

Navigating the Vendor Risk Lifecycle: Keys to Success

This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 15+ years of experience working with hundreds of customers.

Download the Guide
Feature navigating vendor risk lifecycle

3. Monitor Vendor Activity to Catch the Hidden Threats

Performing risk assessments against vendors should also include an element of continuous monitoring. After all, most assessments happen on an annual basis, but risks are never static. Using the Accellion breach as an example, its customers could first monitor dark web criminal forums, hacker chatter or other related sites for mentions of Accellion, then triangulate that intelligence against published vulnerabilities to anticipate potential attacks. The problem with this approach though is that it involves at least a half-dozen disparate tools that don’t share data, making this type of analysis complex and time-consuming. Fortunately, there are tools available that normalize cybersecurity monitoring data from hundreds of sources and correlate it against risk assessment findings to escalate potential risks and identify recommended remediations.

4. Know Your 4th and Nth Parties

Knowing who your vendors are, how much risk they pose to your business, and having a solid remediation plan in place isn’t enough. Now you have to look beyond your vendors and suppliers to *their* vendors and suppliers. A data breach or other supply chain failure up stream can impact your third party’s ability to deliver, and therefore your ability to deliver. That’s why it’s essential to be able to organize relationships between your organization, your third parties and their third parties to discover dependencies and visualize information paths. Imagine learning about the Accellion breach and being able to know which of your vendors utilized the FTA tool and whether that vendor had access to your critical systems. That’s the type of visibility you need.

No third-party data breach is completely avoidable, but it is possible to mitigate its impact if the right steps are taken in advance. Consider multiple inputs to your vendor tiering process. Assess vendors on different criteria depending on their tier and criticality. Monitor for activity regularly. And, mind the 4th and Nth parties in your ecosystem. With this, you will have a sound response plan in place.

Next Steps

Need to stay ahead of breaches like that affecting Accellion’s customers? A great place to start is by checking out our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage.

Prevalent also offers solutions and services that can activate each of the strategies covered in this post. Request a demo of our third-party risk management solutions to discuss how we can help you tackle your specific TPRM challenges.

Leadership brenda ferraro 2
Brenda Ferraro
Vice President of Third-Party Risk

Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo