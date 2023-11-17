Director, Global Field CTO, Sophos

We live in a world where we measure everything. We rely on metrics like IQ scores to measure cognitive ability and EQ to understand emotional and interpersonal intelligence, and on GDP and the Environmental Performance Index (EPI) to evaluate the economic and environmental performance of nations. These assessments give us insight into many different aspects of our lives, enabling us to make better decisions and approach challenges with greater understanding.

But when it comes to the digital realm, how can we apply this same rigor to evaluating the security of our software vendors and managed service providers?

The interconnected IT landscape increases opportunities for bad actors.

The interconnected nature of today’s IT and cybersecurity landscape means organizations rely on third-party vendors more than ever. These partnerships give organizations access to specialized expertise and resources, but every vendor with code, credentials or a foothold in your environment is also a path into it, and that growing reliance on third parties is one driver of the rising number of software supply chain attacks.

Attacks on the software supply chain occur when a bad actor infiltrates a software provider’s build, release or distribution infrastructure and injects malicious code into its software or software updates. The method is efficient because a single compromise is then delivered, signed and trusted, to every organization that installs the vendor’s software. The usual result is that the attacker steals data from, or launches further attacks against, the provider’s customers.

For example, consider the SolarWinds compromise disclosed in December 2020. A suspected state-sponsored group infiltrated SolarWinds’ network and, according to the Government Accountability Office, trojanized (backdoored) the company’s Orion software product. The file containing the malicious code was included in a legitimate software update, so the compromised update was distributed to a wide range of customers, including corporations and government entities. As a result, the threat actor could remotely access the affected systems.

Such attacks put customers at risk even when the customer organization itself follows cybersecurity best practices and has strong security controls in place, because the malicious code arrives through a channel the organization already trusts. That is why vigilance about vendor cybersecurity matters.

So, just as we have used metrics to assess many other aspects of our lives, there is a need to determine how to evaluate the effectiveness of providers’ cybersecurity.

Ask these three questions to assess vendors’ security practices.

Software vendors and managed service providers remain prime targets for cyberattacks, making your ability to assess their security essential. Although there is no single quantitative way to measure the strength of an organization’s cybersecurity, you can start by asking these questions:

1. Are they certified by a reputable security organization?

One of the first things to look for in a provider is whether it currently holds at least one (and ideally both) of the following: ISO/IEC 27001 certification from the International Organization for Standardization and a System and Organization Controls (SOC) 2 report:

• ISO/IEC 27001 requires an organization to establish, operate and continually improve an information security management system (ISMS), with audited controls covering areas such as access control, incident management and asset management.

• SOC 2 is an independent auditor’s attestation that an organization handling client data has controls in place that meet the relevant Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy). A Type I report describes the controls at a point in time; a Type II report tests whether they operated effectively over a period, typically six to twelve months, and is the one to ask for.

These attestations demonstrate the provider’s commitment to maintaining high standards for information security and customer data management. Don’t stop at the logo on the website: ask for the ISO 27001 certificate and the SOC 2 report, and check that the certificate is still valid and that the scope actually covers the product or service you are buying.

2. Are they transparent about their security policies and procedures?

Look for providers that not only have well-defined security policies and procedures but are also transparent about them. This means the vendor publishes its security practices (or will share the detailed policies with customers, under NDA if necessary), and those policies address all aspects of cybersecurity, including incident response, data protection, vulnerability management and how customers can report vulnerabilities to the vendor.

Additionally, consider talking to current customers of the vendor or reading their reviews to get a first-hand perspective on their experiences with the provider. Customers can give you independent information about the vendor’s security strengths and weaknesses, including how it actually behaved during an incident, as well as their overall satisfaction with the provider.

3. How effective is their incident response?

If a provider holds ISO 27001 certification, you can reasonably assume that it has a documented incident management process that has been audited. Certification tells you the process exists, not how well it performs under a real incident, so given how much depends on the third-party vendor’s ability to respond effectively, it is worth investigating further.

Ask potential vendors about their incident response plan and, where applicable, how they have handled past incidents. The organization should have a communications plan with a committed timeline for notifying customers, a business continuity plan, and specific incident response procedures for different types of attacks. These practices help mitigate the impact of breaches and demonstrate the provider’s commitment to transparency and accountability in handling security incidents, which are key to maintaining trust in the partnership.

Ensure vendor cybersecurity vigilance with a bulletproof assessment strategy.

Unlike GDP and EPI, there is no universal scorecard to evaluate the security postures of software vendors and managed service providers. But, as the need to vet partners in your software supply chain increases, you can develop internal processes and evaluation criteria to ensure a comprehensive assessment of potential vendors and their security practices.

Consider metrics such as time to fix reported vulnerabilities, frequency of disclosed security incidents and time taken to notify customers when comparing vendors, and weight them alongside the certifications and transparency questions above. The result is that you can make more informed decisions about these partnerships and protect your organization against emerging software supply chain threats.
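As an added example of the kind of internal evaluation criteria described above (this is illustrative code written for this page, not a Sophos tool or a standard scoring method), the following Python turns the three questions and the two metrics into a simple, repeatable vendor scorecard. The weights, the 90-day fix threshold and the two-incidents-per-year cap are assumptions you would replace with your own risk appetite; the two vendors and their vulnerability and incident histories are constructed sample data.

```python
"""Hypothetical vendor security scorecard (illustrative, not a Sophos tool)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median

# Assumed thresholds: tune these to your own risk appetite.
FIX_SLA_DAYS = 90            # median fix time at or beyond this earns 0 points
INCIDENT_CAP_PER_YEAR = 2.0  # this many incidents per year (or more) earns 0 points


@dataclass
class Vendor:
    name: str
    iso27001_certified: bool   # current ISO/IEC 27001 certificate, scope checked
    soc2_type2_report: bool    # SOC 2 Type II report received and covering the service
    publishes_policies: bool   # security policies available to customers
    # (reported, fixed) date pairs for vulnerabilities reported to the vendor
    vuln_fixes: list[tuple[date, date]] = field(default_factory=list)
    # dates of security incidents the vendor disclosed to customers
    incidents: list[date] = field(default_factory=list)


def median_days_to_fix(vendor: Vendor):
    """Median days between report and fix; None if the vendor has no record."""
    if not vendor.vuln_fixes:
        return None
    return median((fixed - reported).days for reported, fixed in vendor.vuln_fixes)


def incidents_per_year(vendor: Vendor, as_of: date, years: int = 2) -> float:
    """Disclosed incidents per year over the trailing window ending at as_of."""
    window_start = as_of - timedelta(days=365 * years)
    recent = [d for d in vendor.incidents if window_start < d <= as_of]
    return len(recent) / years


def score(vendor: Vendor, as_of: date) -> float:
    """Weighted 0-100 score: 50 points for attestations/transparency, 50 for metrics."""
    points = 0.0
    points += 20 if vendor.iso27001_certified else 0
    points += 20 if vendor.soc2_type2_report else 0
    points += 10 if vendor.publishes_policies else 0

    mdf = median_days_to_fix(vendor)
    if mdf is not None:
        # Linear credit: 30 points for an instant fix, 0 at or beyond the SLA.
        points += 30 * max(0.0, 1 - mdf / FIX_SLA_DAYS)
    # No fix history at all earns no credit: a vendor that cannot show it is a finding.

    rate = incidents_per_year(vendor, as_of)
    points += 20 * max(0.0, 1 - rate / INCIDENT_CAP_PER_YEAR)
    return round(points, 1)


def rank(vendors: list[Vendor], as_of: date) -> list[tuple[str, float]]:
    """Vendors ordered best-first by score."""
    scored = [(v.name, score(v, as_of)) for v in vendors]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: two fictional vendors with made-up histories.
VENDOR_A = Vendor(
    name="Vendor A (constructed)",
    iso27001_certified=True, soc2_type2_report=True, publishes_policies=True,
    vuln_fixes=[(date(2023, 1, 10), date(2023, 1, 24)),
                (date(2023, 3, 1), date(2023, 3, 8)),
                (date(2023, 6, 15), date(2023, 7, 15))],
    incidents=[date(2022, 9, 1)],
)
VENDOR_B = Vendor(
    name="Vendor B (constructed)",
    iso27001_certified=False, soc2_type2_report=True, publishes_policies=False,
    vuln_fixes=[(date(2023, 2, 1), date(2023, 5, 1)),
                (date(2023, 4, 10), date(2023, 4, 20))],
    incidents=[date(2022, 3, 15), date(2023, 1, 10), date(2023, 8, 1)],
)
AS_OF = date(2023, 12, 31)

if __name__ == "__main__":
    for name, s in rank([VENDOR_A, VENDOR_B], AS_OF):
        print(f"{name}: {s}")
```

The point of the scorecard is not the exact numbers but that the criteria are written down before the evaluation starts, applied the same way to every vendor, and backed by evidence you asked for (the certificate, the SOC 2 report, the fix and incident history) rather than by a vendor’s own description of its security.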

