We recently concluded our flagship event, GRC Summit, held on October 19-20 in a hybrid format comprising virtual and in-person engagements.
Now in its ninth year, the summit is the largest gathering of risk professionals, C-suite executives, thought leaders, industry experts, and practitioners, who come together and share their experiences and best practices to navigate today’s complex and rapidly evolving risk and threat landscape.
This year, Anil Kumar, Sr. Director, Product Manager – IT and Cyber Security, MetricStream, and I got an opportunity to give a walkthrough of the latest innovations that are being delivered and planned in our IT & Cyber Risk products. Here are some of the key points that we discussed:
The key challenges that organizations face in IT & cyber today include growing supply chain attacks and data breaches, the proliferation of controls and their associated costs, a lack of visibility into IT & cyber risk, regulatory compliance, the need to quantify and communicate cyber risk in financial terms, and more. We recommend that organizations implement an integrated, platform-based approach across all programs to facilitate consistency and harmonization among different processes and functions.
We have been pioneering efforts on cyber risk quantification for a long time. Cyber risk quantification, as the name suggests, is quantifying or expressing cyber risks in financial or monetary terms. This quantitative risk assessment method essentially transforms uncertainty associated with technical aspects of threat, vulnerability, and controls into financial language that business leaders and stakeholders can interpret and act upon. Speaking of the benefits, cyber risk quantification enables
The session also delves deeper into techniques for quantifying risk: discrete and probabilistic factor values, and risk quantification models such as factor-based hierarchical models, actuarial/insurance models, AI/ML-based models, and more.
Our products are infused with what we call MetricStream Intelligence – a combination of our AI/ML engine and calculation engine. It sits on top of our federated data model.
If you break down cyber risk management, it is basically about managing your assets, threats, vulnerabilities, issues, and control database. This forms the very first layer of our federated data model. We’ve built a platform on top of this layer that enables simplified ways of capturing the data as well as direct exchange via APIs in real time. Then we have a whole gamut of reporting and workflow around it.
On top of these layers, we have built our machine learning model, which lets you run simulations and perform statistical analysis alongside machine learning techniques.
In short, the way we approach this is by enabling organizations to not just manage the workflow of risk assessment, but also to do the computation of the risk and take action driven by facts and data.
Our customers have often highlighted a major challenge they face: classifying and creating relevant content for an issue. Our Issue Management System can now assist users in tagging related issues and creating relevant content for an issue. This capability of our AI/ML model is further enhanced to recommend the actions that should be implemented to mitigate an issue.
Going forward, we plan to bring more AI/ML-based use cases to our customers, including in the area of response recommendation, control rationalization, and more. Stay tuned!
If you missed our product innovation session “Power What's Next in IT & Cyber Risk” at the GRC Summit 2021, you can now watch it at your convenience here. To request a personalized demo, click here.
Before moving to MetricStream to manage their GRC content, our customers were either using competitor applications or managing all their data manually in spreadsheets. This huge volume of data, in many different forms and shapes, now needs to flow into the MetricStream system. So it is important for our customers to have a smooth transition from their legacy applications to the MetricStream solution.
MetricStream provided the “Data Import & Export” spreadsheet-based import framework to push data to our systems seamlessly. This framework allowed:
However, although the existing framework enabled extensive usage, it still presented a few challenges. Our customers were operating with certain limitations around configurability and upgrade safety, and when importing high volumes of data, import wait times were long. Hence, rather than adding new features to the existing framework and tuning it, we concluded that developing a brand-new framework from scratch would deliver more strategic benefit in the long run, which led to the birth of the “Simplified Data Import & Export” framework.
The new simplified data import & export framework is an effort to overcome the challenges which were faced in the existing framework.
Note: Adoption of Business Rules & Business APIs is a prerequisite to enable Forms with the new framework.
The new framework will co-exist with the existing data import & export framework, i.e., specific Forms can adopt the new framework. Users intending to move a specific Form to the new framework will need to adopt Business Rules and Business APIs for that Form.
The new framework enables:
The early adopters of the brand-new framework from Products include select Forms from GRCF, CMP and LSM.
In short, if your Forms have adopted Business Rules and Business APIs, and you plan to use the Data Import & Export capability in your application, then the Simplified Data Import & Export framework should be your choice.
Stay tuned for more information on our product enhancements coming soon.
Request a demo to learn more about how MetricStream can help your organization enable risk-informed decisions that accelerate business performance.
Talk about round trips. In the same week as a very successful 2021 GRC virtual summit on 19 and 20 October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance, and quite rightly so: with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement about this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this was the remark that there are inconsistencies in risk terminology across industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data, and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that, as change management sits in all departments including HR and legal, it can be a challenge to bring it all together for larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base them on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.
Until the next summit.
The number of ransomware attacks on organizations around the globe is growing at an exponential rate with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.
Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.
In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft on “Cybersecurity Framework Profile for Ransomware Risk Management” that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.
The document details basic preventive steps to protect against the ransomware threat, including using antivirus at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.
NIST has classified Cybersecurity Framework Functions into five categories: Identify, Protect, Detect, Respond, and Recover, and has suggested key measures under each of these functions to protect against ransomware threats.
Identify - This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this head include:
Protect – This function is critical to limit or contain the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:
Detect – This function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and enables timely discovery of cybersecurity events. Some of the key suggestions include:
Respond – Once a cybersecurity incident is detected, the Respond Function is important to take appropriate action and measures to contain the impact. NIST recommends:
Recover – This involves implementing appropriate activities to maintain plans to restore any capabilities or services that were impacted in a cybersecurity incident and helps an organization’s timely recovery to normal operations. Key measures include:
MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.
The MetricStream IT and Cyber Risk and Compliance solution is aligned to the capabilities detailed in the NIST guidance. It helps organizations proactively anticipate and minimize IT and cyber risks, threats, and vulnerabilities, and manage multiple IT compliance requirements. The solution cuts across enterprise silos by facilitating harmonization between various functions, aggregating information, and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.
Information Security covers the protection of classified information in all its forms, including, but not limited to, paper documents, photos, media, spoken information, and electronic data. Cybersecurity is the component of Information Security concerned with protecting critical systems, such as networks and computer systems, in order ultimately to protect electronic data from attacks. In creating a robust Information/Cybersecurity program, the standards treat Information/Cybersecurity as a cohesive topic.
Some organizations have put more of their resources into Information/Cybersecurity and hardening the technology because of the increase in ransomware and breaches. They are forgetting about the importance of also managing the data itself through governance and risk assessments, unless required by a regulation or standard that they must be compliant with.
Information/Cybersecurity threats are a key concern and mitigating risks is critical. At the same time, protecting data from internal sources that wish to affect the confidentiality, integrity, and/or availability of data is of prime importance.
In order to manage the risks, policies should be created and approved by top management as part of Governance. An Information Security risk assessment should be conducted in order to assess the potential consequences if vulnerabilities were to be exploited. As part of the process, Information Security risk owners should be identified.
Information Security risk treatment should consider the findings of the risk assessment.
Awareness training is essential in order to mitigate against employees unintentionally affecting the Information Security of the organization.
There are many guidelines, and different industries have their own requirements, but ISO (International Organization for Standardization) standards and NIST (National Institute of Standards and Technology) guidance span most industries as additional, if not the primary, guidelines organizations wish to implement. The best framework combines the different standards into your existing framework, as opposed to just choosing one standard to follow.
The ISO/IEC 27000 family of standards pertains to protecting all Information Security assets. These standards include guidance for Cybersecurity as well.
According to ISO.org, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
According to ISO.org, ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).
According to ISO.org, ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.
According to ISO.org, ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information.
In addition to the standards above, the ISO 27000 family includes many others, including:
The NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity risk. The Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.
NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations: per NIST, this publication provides security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
It’s critical to have Information/Cybersecurity as part of your culture so that all employees are consistently aware and can help protect the organization’s Information Security assets. Organizations can implement both ISO and NIST controls in perfecting their program, as well as those found in industry regulations, standards, and guidelines.
The demands and requirements of businesses to thrive in the new normal have changed drastically. Buzz words like agility, digitization, and resilience are no longer just business aspirations but have become necessary and fundamental for the readiness of organizations to address any risk event, including high-impact, low-frequency events such as COVID-19. With the latest Brazos release, we are delivering a myriad of innovations to support organizations in their journey to achieve their business goals and power through the current unsettled operational environment.
Brazos builds upon the previous Arno release and includes key innovations in areas including regulatory compliance, cyber risk quantification, and vendor risk management. The objective is to make the processes simpler, smarter, and more streamlined.
Given the complex web of regulations, along with the escalating number of regulatory change alerts that organizations are bombarded with every day, it has become imperative to simplify the compliance function to make it more efficient and systematic. On these lines, the Brazos release brings new capabilities to our regulatory compliance products, including:
Cyber risk quantification, or quantifying cyber risks in monetary terms, is critical for cybersecurity professionals today to effectively communicate the cyber risk exposure to the top management and board. By understanding the potential impact of cyber risks in dollar values, decision-makers are better positioned to prioritize IT cyber risk spending, resource allocation, and establishment of optimal controls.
Brazos brings advanced cyber risk quantification capabilities to IT and Cyber Risk Management, enabling cybersecurity teams to leverage the industry standard FAIR methodology to quantify their cyber risks in monetary value. In addition, advanced Monte Carlo simulation capabilities help upgrade the assessment teams’ guesstimates into accurate predictive values of the cyber risk exposure.
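As an added illustration of the Monte Carlo, FAIR-style quantification described above (example code written for this page, not MetricStream's product code or the FAIR standard's reference implementation), the script below samples calibrated three-point estimates of loss event frequency and loss magnitude for one constructed scenario, turns them into a dollar-denominated annual loss distribution, and uses that to judge whether a control earns its cost. The triangular and Poisson sampling, the scenario values, the control's assumed effect, and all names are assumptions.

```python
"""Monte Carlo cyber risk quantification in the FAIR style.

Constructed example: risk = loss event frequency (LEF) x loss magnitude (LM),
each given as a calibrated three-point estimate. Triangular sampling is an
assumption chosen for a dependency-free script; FAIR tooling often uses PERT.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) from an assessment team."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        # Mean of a triangular distribution; used as an analytic cross-check.
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss events per year
    lm: Estimate   # dollars lost per event


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given expected rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> list:
    """One trial = one simulated year: draw LEF, draw the event count, sum per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def percentile(values: list, pct: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100.0 * (len(ordered) - 1))))
    return ordered[idx]


def summarize(losses: list) -> dict:
    """Figures a board can read: expected annual loss plus a tail (90th percentile) value."""
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "worst_case": max(losses),
    }


def expected_annual_loss(scenario: Scenario) -> float:
    return summarize(simulate_annual_losses(scenario))["expected_annual_loss"]


def analytic_expected_loss(scenario: Scenario) -> float:
    """E[annual loss] = E[LEF] * E[LM] when event counts and magnitudes are independent."""
    return scenario.lef.mean() * scenario.lm.mean()


def control_net_benefit(baseline: Scenario, with_control: Scenario, annual_cost: float) -> float:
    """Dollars of expected loss removed per year minus the control's cost; negative = not justified."""
    return expected_annual_loss(baseline) - expected_annual_loss(with_control) - annual_cost


def opportunity_net_value(opportunity_value: float, scenario: Scenario) -> float:
    """Value of a business opportunity after subtracting its expected annual cyber loss."""
    return opportunity_value - expected_annual_loss(scenario)


# Constructed estimates for a ransomware-on-order-processing scenario (not real data).
BASELINE = Scenario("ransomware, order processing",
                    lef=Estimate(0.1, 0.5, 2.0),
                    lm=Estimate(50_000, 250_000, 2_000_000))
# Hypothetical control (offline backups plus segmentation) assumed to cut frequency only.
WITH_CONTROL = Scenario("ransomware, order processing, with control",
                        lef=Estimate(0.05, 0.2, 0.8),
                        lm=BASELINE.lm)

if __name__ == "__main__":
    for key, value in summarize(simulate_annual_losses(BASELINE)).items():
        print(f"{key:>21}: ${value:,.0f}")
    print(f"control net benefit: ${control_net_benefit(BASELINE, WITH_CONTROL, 150_000):,.0f}")
```

The simulated mean should land close to the analytic product of the two triangular means (about $664k for these inputs), which is a useful sanity check before presenting the tail figures.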
Managing risks associated with the extended enterprise quickly and efficiently is crucial for ensuring continued business operations. Supplier networks of organizations today comprise hundreds or thousands of third, fourth, and subsequent parties. A manual approach to reviewing third- and fourth-party documentation, including reports, certificates, and evidence, to spot any discrepancies is time-consuming and error-prone.
We are addressing this challenge by bringing the benefits of artificial intelligence (AI) and automation to Third-Party Management with the latest release. MetricStream’s AI engine automatically scans through the documents submitted by the third parties, validates the content, highlights any anomalies, and automatically recommends risk scores based on the number and type of anomalies found. This real-time intelligence equips risk teams to accelerate analysis and mitigation of third-party risks.
With Brazos, we are setting a new standard by implementing AI into multiple GRC products, empowering risk, compliance, security, and audit professionals to better perform their roles and responsibilities. The release also provides a simplified user experience and enhances agility for faster time to value with:
We are constantly striving to make your GRC journey exciting, enriching, and fun. The latest software release is guided by our key tenet of helping organizations accelerate sustainable growth with risk-aware decisions. The new features and functionalities extend the capabilities of MetricStream Platform and products and will enable you to meet the evolving business needs in this digitized world.
To know more about Brazos Release features, click here.
Cyber risk has undoubtedly moved up the priority list and taken the center stage in boardroom discussions with the rapid pace of digital transformation of organizations and amplified data-dependency and interconnectedness. The COVID-19 pandemic and the resulting remote working environment have only aggravated the challenges for security teams as the entire workforce moved home—beyond the reach of the office firewall. In these unprecedented times, ensuring robust cyber defense infrastructure to protect critical assets is of paramount importance.
We recently conducted a survey to take a pulse of the current state of IT and cyber risk management programs at organizations. Here are the key takeaways from the survey:
It is encouraging to see that switching to digitized and centralized GRC solutions is among the top priorities of organizations this year. These solutions can help improve risk visibility and foresight, facilitate continuous monitoring of IT and cyber controls, and streamline overall cyber risk and compliance management. Innovative features, such as support for mobility, real-time reporting, advanced risk analytics, regulatory notifications, and more, further assist executive management and board in quick and efficient decision-making.
“The ultimate goal isn’t to avoid cyber risk but rather transforming it into strategic advantage—because things can and will inevitably go wrong at some point. But if organizations build their cyber resilience—the ability to not just prevent cyberattacks but also minimizing the impact of security incidents and ensuring continued business operations in the aftermath of attacks—that’s when they can truly thrive and create business value,” an excerpt from the report reads.
Our flagship event, GRC Summit, was held recently and brought together the best in the industry to share risk management strategies and best practices, and how to build better governed, more risk-aware, compliant, and resilient enterprises that thrive on risk.
Unsurprisingly, cyber risk has emerged as one of the top risks faced by organizations today, and risk leaders believe that it will continue to dominate the risk strategies going forward. To that end, security experts discussed some of the key considerations for ensuring a robust cybersecurity program:
The best-prepared organizations in the world today are those that use risk as their competitive advantage. Quantifying cyber risks in a manner that makes sense to the executive board and helps them make sound cybersecurity investment decisions is critical for organizations to thrive in today’s digital world. The Cyber Risk Quantification capability of MetricStream IT and Cyber Risk Management can make it considerably easier for organizations to quantify cyber risks in monetary terms, which can then be easily communicated to the top management and board.
To download the report, click here. To watch the summit, click here.
Organizations today need to optimize their risk rather than focusing on avoiding the risk – to know which risk should be accepted to enable business success and create value.
When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.
At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.
In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.
Regardless of whether it is a large organization or a small one, one of the common challenges across all organizations in the area of cybersecurity is prioritization, Gavin said.
Organizations today face thousands of risks and a key challenge is to ascertain which of those is the biggest priority. Likewise, they might have hundreds of controls and they need to define the importance of these controls and determine how much to spend on each control. Every dollar they spend on these controls should be justified with the benefits/advantages realized. Because they have a finite budget, they need to use it in the most optimal manner.
The primary objective for the CISO is to drive overall risk down and drive better-informed business decisions. And cyber risk quantification can greatly simplify the process by quantifying risks in monetary value. As an example, suppose you have a business opportunity of $100M with $1M of cyber risk: you can easily see the overall value of $99M and make your decision whether to go ahead. But if you represent your cyber risk as 3 critical, 5 high, and 3 mid risks, it's difficult to calculate the overall business value of that opportunity, and you might miss the first-mover opportunity on that business.
Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the quantitative assessment (high, mid, and low-risk heatmaps) that organizations have been doing as all these factors serve as input to the model to calculate the dollar value of the associated risk. When asked about how organizations can start with CRQ, Prasad suggested that organizations can start small – select key risk areas and apply this quantitative technique to see the results. Once they understand the results and their value, they can gradually expand to other risk areas.
With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make their cybersecurity decisions 50% faster by quantifying the dollar impact of cyber risks.
MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.
This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.
Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.
CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.
Resilience is the ability to adapt to change and respond quickly and effectively. Cyber resilience is more than just preparing—it is ensuring that your business will still thrive during an attack. Too many organizations only concern themselves with ensuring that they have a SIEM (security information and event management) and/or SOC (security operations center) in place. This is of course very important, but it will not ensure resilience in the event of an attack.
Resiliency requires so much more. Risk assessments should include how vulnerable the business itself is if there is a breach or ransomware attack. What confidential information could impact the business if it were breached? Some examples include blueprints for a new product design that is about to be launched or plans to purchase another organization.
In addition to a SIEM and SOC, the business units should also be trained on recognizing irregularities that could signal that the integrity of data has been affected. They also need to know how to report it so that the event can be investigated.
Each business unit needs a cyber response plan to allow for resiliency. Many organizations have not been able to respond effectively to a ransomware incident. A business unit cyber response plan is different from the business continuity response plan: it includes the action steps each business unit will follow when it is affected by a cyberattack.
The organization also needs a great cybersecurity incident response program, which includes policy and program documentation as well as playbooks for insider threat activities, regulator audits, lapses on data governance, and cyberattacks that are applicable to their domain.
ISO 22316 Security and Resiliency Management and ISO/IEC 27035 Incident Response are two of the recommended standards to consider implementing as part of an organization’s cyber resiliency preparation. ISO/IEC IT Corporate Governance is a good guideline for senior management and the board to implement in order to avoid hefty fines for poor governance. MetricStream enables organizations to align with established standards, empowering them with pre-packaged content for the necessary frameworks so the solution is up and running on day 1.
Business continuity management and information/cybersecurity have to be more aligned in identifying risks. The business units understand what information they have in a database that is more likely to be sought in a cyberattack. Business continuity departments should include questions in their risk assessment surveys and interviews pertaining to what information does each business unit has that is PII or PHI or organizational confidential and work with disaster recovery teams to document which databases it resides.
While a business continuity plan may list an application as tier 1, in an incident where a database has been attacked, the cybersecurity teams may not release it in recovery when the business units need it. Cyber teams may need to do forensics or if they deem that there is malware the backups may need to be checked before they can be used. For instance, in the case of an attack was made months ago, even if just identified, all of the backups from the time of the attack may also be affected.
In summary, a good cyber governance program is needed coupled with a good cyber resilience program.
Yet another cybersecurity incident has highlighted the vulnerabilities of the extended enterprise. Just ahead of the Fourth of July weekend, up to 1,500 businesses worldwide fell victim to a ransomware attack centered on U.S. information technology firm Kaseya.
What happened:
Kaseya is a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses (SMBs). In a statement dated July 05, the company said that its VSA product was compromised in a sophisticated cyberattack, allowing the hackers to cripple the end customers with a massive ransomware attack.
Who is responsible:
As per reports, hackers from the cyber adversary group REvil, the threat actors who were purportedly also behind the ransomware attack on JBS last month, were able to compromise one of Kaseya’s tools. They have reportedly demanded $70 million to restore the data.
The impact:
In a press release, Kaseya said, “While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure...Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”
In a statement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that it was taking action to “understand and address the recent supply-chain ransomware attack against Kaseya VSA”, adding that it “encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.”
The UK's National Cyber Security Centre also issued a statement saying that they are “working to fully understand this incident and mitigate potential risks to the UK.”
Security breaches via third parties are growing at an alarming rate both in terms of volume and sophistication. The major underlying reasons are the growing reliance on third parties for mission-critical goods and services and the amplified digital interconnectedness of organizations, further spurred by the COVID-19 pandemic.
The SolarWinds hack, the security breaches at Microsoft and Accellion, and now Kaseya, underscore the increasingly precarious digital environment businesses operate in today and how a security incident at one organization can quickly travel and paralyze several other connected businesses. According to the 2021 Ponemon Institute report, more than half of the survey respondents said that their organization has experienced a data breach caused by third parties.
Organizations today need to be proactive in managing their third-party relationships and extended enterprise. Here are a few key considerations for an effective TPRM program:
A technology-based TPRM solution, embedded with these capabilities, can considerably simplify, structure, and streamline management of the entire third-party lifecycle—from onboarding to contract termination. This approach helps organizations improve their visibility into the risks posed by third parties and the parties beyond them, and accelerate their responses to risk events.
MetricStream helps organizations effectively manage third-party risks with its Third-Party Risk Management product. Its key capabilities, including Continuous Third-Party Monitoring, Periodic Third-Party Due Diligence, and Intuitive Dashboards and Reports, empower organizations to protect their business from existing and potential threats from third parties, as well as to strengthen resilience, contain costs, and optimize business performance.