Read the book Cybersecurity and Third-Party Risk - Gregory C. Rasner - Page 23

Conclusion

The evidence of the risk exists: At the end of 2020, in one month there were three nation‐state APT attacks that exploited weaknesses in supply chain cybersecurity. Two of them were aimed at two countries: Mongolia and Vietnam. The damage and scope of the SolarWinds Orion exploit are not yet known, as more victims are being uncovered, but it does include big names in technology and major government systems globally. The advanced persistent actors (i.e., hackers) are clearly targeting and weaponizing the supply chain. They have discovered that third‐party cybersecurity is the weakest link to their actual targets.

The investment that CISOs and cybersecurity professionals have made in the last 20 years has proven effective in many ways. Most companies and governments that know they will be a target (due to size, money, power) have beefed up their own cybersecurity. But behind these medium and large organizations are thousands or millions of smaller companies that are focused on selling, not securing, their data. Cybersecurity can lean into this area more forcefully, trying and implementing new capabilities learned from other cyber domains and leadership. The need is to take Cybersecurity Third‐Party Risk from a compliance‐driven effort to an active, always‐learning, always‐searching‐for‐risk approach in order to lower risk from vendors.
