One of the biggest takeaways from the recent SolarWinds breach is that no company or organization is immune to infiltration by bad actors. But that doesn’t mean that you shouldn’t be taking every necessary precaution to mitigate a possible breach.
Information security isn’t one dimensional. It’s complex and multilayered, and it’s not going to get any simpler. That is why the Defense in Depth approach has been adopted as a best practice by many organizations. While there is no silver bullet or panacea that can stop every attack, the layers of security and redundancies built into your overall security strategy can help mitigate many of the attack vectors you may face.
Implement security controls
One of the first layers of defense your organization can take to protect your customer data is implementing an internal security control program and evaluating its operational effectiveness periodically. While this can be inherently challenging, given competing priorities and limited resources, you have full control because it’s internal, which makes effecting change a little easier.
Interestingly enough, your critical third parties are simply an extension of your internal business operations and should be subject to that same internal security control program. However, because you will have less control in addressing gaps or risks in the program, your approach will look different than it does internally.
Start with a questionnaire
Ensuring third parties are securely delivering services is one of the key objectives of third-party risk management. A vendor security questionnaire is just one aspect of an effective third-party risk management program. However, it is still one of the best tools to understand where your risks lie and to help you prioritize those risks.
According to experts, the two most obvious contributing factors to the SolarWinds Orion breach were:
- A weak password (solarwinds123) was used for the SolarWinds update server.
- A known vulnerability in the server that hosted the products went undetected, allowing attackers to compromise it.
Simply put, unauthorized users gained access easily and were able to insert malicious code into the application. Password requirements and Software Development Life Cycle (SDLC) controls, which address the two contributing factors above, are common in most questionnaire standards and, when properly validated, can highlight potential risks for further consideration.
Asking third parties to respond to security questionnaires is just the first step. The subsequent risk management activities are even more important, including follow-up with your vendor and potential remediation of any known control gaps.
Evaluate your vendors with Whistic
Before you review your program and consider any improvements, it makes sense to understand how the SolarWinds Orion breach has impacted your vendors. To help with this important exercise, we have created the SolarWinds Orion Vulnerability Response Survey. Whistic is making this assessment available at no cost. Just click the link below to access it.