The Accellion third-party data breach, which has already claimed law firms, retailers, telecoms, banks and governments worldwide as victims, has now impacted one of the largest companies in the world: Royal Dutch Shell.
To recap, Accellion’s 20-year-old file transfer software, FTA, was compromised in December 2020. While it has since been patched, this near end-of-life tool still counts more than 3,000 customers, meaning that there were potentially thousands of companies – and their customers – that could have been at risk.
Like the SolarWinds supply chain breach before it, this increasingly damaging third-party data breach continues to provide an example of how a single compromise can negatively impact customer systems, and why a more proactive approach to third-party risk management is needed.
Third-party risk management (TPRM) (sometimes called vendor risk management or VRM) is part of an overall risk management strategy meant to identify, assess and mitigate risks presented throughout the lifecycle of relationships with third parties – including vendors, partners, suppliers or other Nth parties.
TPRM plays an essential role in managing vendors. If you’re concerned about an Accellion-style breach impacting your organization, consider these 4 TPRM strategies for understanding your vendor risk and what to do about it.
To properly understand the risk that vendors pose to an organization, risk management teams must be able to calculate inherent risk, or the current risk level given what is understood to be the existing set of (or lack of) controls for that vendor. Calculating inherent risk is important when onboarding new vendors and when informing profiling, tiering and categorization decisions.
When considering how to tier a vendor, it’s important to fully understand the impact a supplier could have on your business if it were to fail. Accordingly, you should leverage a scoring system that determines the supplier’s tier group. This could include the following criteria:
In the context of this data breach, Accellion could have been placed in a high tier because they handled the personal data of customers. Being in a higher tier would have automatically increased the level of scrutiny over their processes, which in turn may have revealed a vulnerability before it was exploited.
Conducting cybersecurity assessments of your suppliers and vendors provides a baseline against which to measure compliance or adherence to security protocols. However, don’t force-fit every vendor in every tier into a single rigid questionnaire. While using a similar set of questions to evaluate all vendors is important, be sure to have the flexibility to assess them against unique requirements, too.
Regardless of the questionnaire, vendors should be invited into a central portal to provide answers and submit supporting evidence. Their answers would be flagged as risks automatically if they fail to meet certain thresholds, and then automated actions can be taken to resolve the issue.
Using Accellion as an example, their customers could have been assessing the company on their adherence to the software development lifecycle (SDLC) – specifically maintenance processes, patching and updates. If Accellion was not able to demonstrate that it had the patching and update processes in place to prevent vulnerabilities from being exploited, a risk would be raised.
Performing risk assessments against vendors should also include an element of continuous monitoring. After all, most assessments happen on an annual basis, but risks are never static. Using the Accellion breach as an example, its customers could first monitor dark web criminal forums, hacker chatter or other related sites for mentions of Accellion, then triangulate that intelligence against published vulnerabilities to anticipate potential attacks. The problem with this approach, though, is that it involves at least a half-dozen disparate tools that don’t share data, making this type of analysis complex and time-consuming. Fortunately, there are tools available that normalize cybersecurity monitoring data from hundreds of sources and correlate it against risk assessment findings to escalate potential risks and identify recommended remediations.
Knowing who your vendors are and how much risk they pose to your business, and having a solid remediation plan in place, isn’t enough. Now you have to look beyond your vendors and suppliers to *their* vendors and suppliers. A data breach or other supply chain failure upstream can impact your third party’s ability to deliver, and therefore your ability to deliver. That’s why it’s essential to be able to organize relationships between your organization, your third parties and their third parties to discover dependencies and visualize information paths. Imagine learning about the Accellion breach and being able to know which of your vendors utilized the FTA tool and whether that vendor had access to your critical systems. That’s the type of visibility you need.
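The lookup imagined above, sketched as an added example (not code from this post or from any vendor's product): a relationship inventory is walked to find every path from your organization to a named product, and each direct third party on a path is reported with its critical-system access. All party names, the inventory layout and the function names are constructed for illustration.

```python
from collections import deque

# Constructed inventory (all names hypothetical): who relies on whom.
# Keys are parties; values are the suppliers or products they depend on.
DEPENDS_ON = {
    "our-org": ["law-firm-a", "payroll-b", "cloud-c"],
    "law-firm-a": ["Accellion FTA"],
    "payroll-b": ["print-vendor-d"],
    "print-vendor-d": ["Accellion FTA"],
    "cloud-c": ["cdn-e"],
    "cdn-e": ["cloud-c"],  # circular relationship, must not loop forever
}
# Direct third parties with access to our critical systems (constructed).
CRITICAL_ACCESS = {"payroll-b", "cloud-c"}


def paths_to(product, root="our-org", graph=DEPENDS_ON):
    """Return every dependency path from root to product (cycle-safe BFS)."""
    found, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for supplier in graph.get(path[-1], []):
            if supplier in path:  # already on this path: circular, skip
                continue
            if supplier == product:
                found.append(path + [supplier])
            else:
                queue.append(path + [supplier])
    return found


def exposure_report(product, root="our-org", graph=DEPENDS_ON,
                    critical=CRITICAL_ACCESS):
    """Summarise, per direct third party, how it reaches the product."""
    report = {}
    for path in paths_to(product, root, graph):
        third_party = path[1]
        hops = len(path) - 2  # 1 = the vendor uses it, 2 = its supplier does
        entry = report.setdefault(third_party, {
            "critical_access": third_party in critical,
            "hops_to_product": hops,
            "paths": [],
        })
        entry["hops_to_product"] = min(entry["hops_to_product"], hops)
        entry["paths"].append(" -> ".join(path))
    return report


if __name__ == "__main__":
    for vendor, info in exposure_report("Accellion FTA").items():
        print(vendor, info)
```

In this constructed inventory the vendor with critical access never uses the product itself; its exposure only appears because the fourth-party relationship was recorded.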
No third-party data breach is completely avoidable, but it is possible to mitigate its impact if the right steps are taken in advance. Consider multiple inputs to your vendor tiering process. Assess vendors on different criteria depending on their tier and criticality. Monitor for activity regularly. And, mind the 4th and Nth parties in your ecosystem. With this, you will have a sound response plan in place.
Need to stay ahead of breaches like that affecting Accellion’s customers? A great place to start is by checking out our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage.
Prevalent also offers solutions and services that can activate each of the strategies covered in this post. Request a demo of our third-party risk management solutions to discuss how we can help you tackle your specific TPRM challenges.