The term ‘herd immunity’ should be a familiar one to many, but did you know the same concept can be applied to cybersecurity third-party risk management?
To achieve cybersecurity herd immunity, third-party risk management is essential. When a breach occurs, the threat cannot spread if the surroundings are secure. This is the theory proposed in Mastercard’s recent ‘ecosystem approach to cyber resilience’ report.
What is third-party risk management?
Generally, third-party risk management is defined as identifying and addressing any type of risk, like fraud or cybercrime, that is associated with third-party entities including vendors, suppliers, and partners.
The SolarWinds hack is a famous example of a third-party breach that shows how threats can spread throughout an ecosystem. A significant number of government agencies and businesses were impacted. Microsoft acknowledged that some of its source code was accessed by attackers via third-party resellers of its licenses, though the tech giant said that modifications to the code would not be possible.
SolarWinds, a Texas-based software developer for network infrastructures, experienced a supply chain attack on its Orion software, which affected many organisations like NATO, the UK government, the European Parliament, and more. At the time of the attack, SolarWinds reportedly did not have a Chief Information Security Officer or Senior Director of Cybersecurity, and advised customers to disable antivirus tools before installing their software.
This is one of many third-party breaches. IBM noted that nearly one-fifth of breaches were caused by a supply chain compromise, which made breaches more expensive and resulted in longer containment times.
How can I create cybersecurity herd immunity?
In Mastercard’s report, the company suggests a new mentality by approaching third parties as part of a collective “us” rather than seeing them as separate threat entry points. In a 2022 survey, RiskRecon identified that only 53% of businesses trusted cybersecurity questionnaire responses from third-party vendors.
To build this trust, businesses seeking third-party suppliers can consider conducting independently validated self-evaluations, industry benchmarking, and breach simulations that determine the effectiveness of cybersecurity solutions. But these methods alone run the risk of ‘othering’ or patronising your third-party vendors.
Instead, much like some of the community spirit we saw during the pandemic, it is important to bring out the human element of cybersecurity in an effort towards a common goal while acknowledging individual responsibility.
Mastercard goes beyond payments to propose an ecosystem resilience process that can strengthen cybersecurity herd immunity. First, businesses must identify the stakeholders and risks within their ecosystem, then guidelines can be created to construct a shared goal and mutual responsibilities.
Once these guidelines are agreed, businesses and third parties can work together to detect threats through simulations and human testing.
Following that, a business, in collaboration with its partners, can further protect its endpoints through data-driven investments in cybersecurity solutions and insurance.
This should be treated as a cycle in which businesses continually reassess their relationships with third parties and their resilience to risks in the evolving threat landscape.
To assist in this effort, businesses can consider using cyber risk quantification that creates a common language within the cybersecurity community and enables meaningful discussions.
For even more meaningful conversations, Cloud & Cyber Security Expo will welcome thousands of industry leaders at ExCeL London on 8-9 March.
Mastercard will be at the event to share important insights on the threat landscape, cybersecurity risk assessment and quantification, third-party and systemic risk monitoring, data strategy and analytics, and payment insights.
Steven Brown, the Vice President for Cybersecurity and Resilience at Mastercard, will discuss the importance of proactive cybersecurity and taking the right steps to drive operational resilience through the digital ecosystem.
A panel on the critical role of threat intelligence in building cyber resilience will also take place, featuring Jason Steer, the CISO of Recorded Future, as well as Mastercard’s Cihan Salihoglu and Yonatan Israel Garzon.