Third-party or supply chain cyber risk is becoming a recurring theme for organizations of all sizes. The SolarWinds breach (disclosed in late 2020) and the Kaseya breach (2021) affected organizations of all sizes, from Microsoft to small businesses. A Ponemon report in 2021 showed that over half of organizations that suffered a data breach did so because of a third party. Critical infrastructure operators may have robust security systems in place, but what if a third party does not? How are organizations that operate critical infrastructure assets managing the risks that their third parties expose them to?
Questions to Ask:
- Is there enough validation performed on your third parties and their security practices?
- Do third parties have adequate controls in place?
- What does it mean for your brand and your customers if a cyber incident impacts one of your third parties?
All of these questions need to be taken into consideration as part of a functional cyber security risk program.
Critical Infrastructure Protection is about safeguarding the delivery of essential services to society at large. Set against this is the ongoing and accelerating transformation of traditional industries that have relied on Operational Technology (OT) and Industrial Control Systems (ICS). We are now seeing critical infrastructure providers adopt cloud technologies, Industrial Internet of Things (IIoT) and even Internet of Things (IoT) solutions, where the security of such platforms is crucial and the reliance on third parties is paramount.