In 2020, it will be critical for organizations to understand their third parties’ ability to protect against new threats. It used to be that regulations forced the Financial Services sector to care the most about third-party cybersecurity risks. Now, evolving threats such as ransomware, supply chain backdoors, and attacks against patching systems have begun to affect Manufacturing, Utilities and Healthcare companies more dramatically, because of the high stakes that come with disruption to operations in those sectors. Leadership in these sectors has begun to take notice of the importance of Third Party Risk Management, and with that attention follows an expectation of action.
Ransomware will continue to be a problem because it is effective and efficient. Phishing is still a huge problem, and it is a relatively easy way for attackers to get ransomware into organizations. Moving forward, ransomware will continue the trend of not being just about the ransom. Ransomware provides excellent cover for stealing proprietary and/or private information while resources are focused on recovering data. Unfortunately, ransomware is the gift that keeps on giving for malicious intruders. Even once the ransom is paid, criminals can extract value by selling data gathered during the attack, and can install additional malware, such as bots, for future malicious activity. The recent Maze ransomware attacks made good on threats to publish the data they stole, putting the victim organizations at odds with their customers and regulators.
Other threats in 2020 include those against the supply chain security of hardware and software sourced outside a nation’s borders. It is extremely difficult to determine whether every component of every system has a legitimate purpose, does not host a backdoor, and was not built on someone else’s patents. The skills needed to examine all parts of arbitrary systems are rare, so vetting systems will require help from the government. There are efforts, such as the Software Bill of Materials initiative sponsored by the US Department of Commerce, that help in this endeavor, but these efforts are new and do not yet cover as many systems as needed.
Additionally, a troubling new trend of attacking automatic software and firmware update systems, as highlighted by March 2019’s “Shadowhammer” attacks, is another malware vector that can be hard to protect against. Many companies set their hardware and software to patch automatically once a new patch is available from a third-party vendor. If an attacker were to gain access to the vendor’s patching system, they could send whatever they want, including malware, to all of the vendor’s customers. The risk of not patching fast enough has often outweighed the risk of an attack through patching systems, but recent threats such as these may require revisiting that assumption. Companies don’t have control over their vendors’ systems, so as part of their sourcing or due diligence process, they need to ensure their vendors have a process to secure the systems that deliver patches to customers. This is a new threat, so best practices will need to be more firmly established, but there are some companies, such as Eclypsium, that are creating security technologies to better address the problem.