This post was guest-written in partnership with Avertium by Bob Maley, CSO at Black Kite.
Foreword: Bob Maley on The Left / Right of Bang Approach
As Chief Security Officer at Black Kite, there’s a military concept that I regularly apply to cybersecurity and 3rd party risk. It’s called Left of Bang. In any military conflict, there is a timeline of events:
A big part of the “Left of Bang” ideology is centered on situational awareness - understanding the threat environment and the indicators of risk leading up to the big “bang.”
Time and time again, we see that most organizations orient their ransomware strategies around the response - a Right of Bang approach. When security teams are focusing their efforts on what to do AFTER an attack happens - remediation and containment - they’re addressing only a fraction of the equation.
3rd Party Risk in Cybersecurity - And the shortcomings in addressing it
Recently, Black Kite gathered a research team to analyze the top-5 lessons learned from the largest 3rd party breaches and concluded their root causes:
Source: Black Kite
During the research, the team also addressed the top five areas third-party cybercrime could potentially begin:
Source: Black Kite
Beyond that, a recent study by Opus and Ponemon, involving more than a thousand CISOs across the US and UK, found that 59% of companies said they have experienced a data breach caused by one of their vendors.
As companies embrace new digital platforms and processes that involve data sharing, it’s good to keep in mind that third parties can introduce new threats to your security systems, accounting for high potential risk. And yet, despite our best efforts, cybersecurity teams fall short of this mandate seemingly all the time. It’s led to this fatalistic (and frankly concerning) mindset amongst cybersecurity professionals:
“There’s nothing we can do about it right now...getting ransomware IS inevitable. So, we might as well spend ALL of your time, money, and effort on preparing our response to the ransomware attack that WILL happen at some point.”
The current intellectual thought-leadership of 3rd party risk management consists of archaic assessments and outdated frameworks. The problem is that the techniques and tactics that bad actors employ today don’t always follow the traditional “rulebook” that these assessments are built upon.
The result? Security teams get bogged down in mandated, time-consuming assessments that largely focus on the current state of the business compliance, rather than addressing the risks that could lead to potential problems in the future.
At Black Kite and Avertium, we believe that there are more vulnerable systems out there than there are hackers. Therefore, when organizations get breached, it’s because they have poor cybersecurity hygiene - not because there are too many attackers out there.
Instead of making the decision of whether to pay the ransom or not, it’s better not to get to that point at all. Organizations need to get to the Left of Bang - at the beginning of the timeline BEFORE an attack happens.
Related Reading: Threat Focus: What Is Ransomware-as-a-Service?
A recent 3rd party vendor breach case involved a Taiwan computer company called Quanta Computers (QT). QT displayed a high third-party risk index of 0.623 on Black Kite’s Ransomware Susceptibility Index (on a scale of 0 to 1, where anything greater than 0.6 indicates a high degree of risk).
Source: Black Kite's Scale (adjusted graphic)
During this attack, certain Apple hardware blueprints were attained by a ransomware group. Now the hit wasn’t directly within Apple’s headquarters, but they were still ransomed for their intellectual property due to poor third-party risk security framework.
Related Reading: Taiwan Probes Alleged Cyberattack on Top Apple Supplier
Getting to the Left of Bang requires a degree of situational awareness. It means being proactive. So, how can your organization best manage third-party vendor risk?
How are you protecting my information? Understanding your third parties’ method to protect your information - whether it’s an encryption process or two-factor authentication - is important to have a holistic view of where your data is being stored and notice if there are any vulnerabilities with their procedures.
What are you doing with my information? Learning how your information is being used will help you determine if it’s necessary to share with your vendors. On top of that, knowing what it’s being used for will lead to other questions such as, are your vendors’ servers and firewalls updated and protected?
“Billions and billions of stars,” as Carl Sagan has once said. And just like stars, Black Kite has completed a ton of research, capturing “billions” of data points. By leveraging Black Kite’s platform, Ransomware Susceptibility Index™, it will enable your organization to deploy a *three-pronged approach to proactive ransomware protections.
And the reality is, when it comes to cybersecurity, the best offense is a good defense… or, as Avertium says, “Showing No Weakness.” With a risk-based approach, you dedicate your security team to strengthening your wall, making it harder for bad actors to infiltrate. So at the end of the day, that’s what Left of Bang is really all about.
*Black Kite’s three-pronged approach to proactive ransomware protection
The patent-pending RSI™ uses mathematical processes and machine learning to calculate your 3rd party risk. The platform understands that there are pieces of information from all the data collected to help us be predictive of who might be susceptible to ransomware.
Inspecting, transforming, and modeling data collected from various open-source intelligence sources (OSINT), the RSI™ leverages mathematical processes and machine learning across 219 data points to pinpoint vendor risk against 26 control points.
For regulations regarding third parties:
For detailed cybersecurity processes: