Whether you’re answering a steady stream of cybersecurity questions or asking your own suppliers to answer them, these documents have probably become a significant part of your job in the last year. The recent flood of cyber attacks has motivated most organizations to elevate third-party risk management to a top priority in 2021.
But even if the concept just appeared on many radar screens, it’s not a new issue. Every business of the past had to decide whether critical partners (from those supplying raw materials to those delivering finished goods) could reliably fulfill their contracts and protect what was entrusted to them. But the challenge has grown massively more complex with increasing integration and sharing of critical data. Government regulations raise the bar even more with breach notification laws and other rules that can make a vendor’s security problem a legal liability for everyone in the chain.
So proactive companies are quickly spinning up ways to get proof that every partner handles data securely. At this year’s Secure Iowa Conference, Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association, reviewed the latest best practices in this quickly developing area. This post highlights top takeaways from her talk.
Julie Gaiaschi, CEO & Co-Founder, Third Party Risk Association
Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 14 years of technology and information security risk experience, with the last 10 years specializing in third party risk. In her role as CEO, she provides strategic direction for the non-profit, whose mission is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs.
Julie highlighted several areas demanding fresh thinking about managing risk:
To effectively keep up with these changes, Julie recommends a third-party risk management program built on these five elements:
As she walked through each of these core areas, Julie provided the following tips:
You can download a copy of Julie’s full presentation here. You’ll get details such as 13 essential inherent risk questions to ask your vendors.
If you need help reviewing your third-party risk or handling questions from your customers, contact Pratum for a free consultation.
You could wait for a ransomware attack to teach you some hard truths about combatting these breaches. Or you could step up your game right now with hard-won lessons from organizations that have already been there. At the 2021 Secure Iowa Conference, two CEOs took the stage with a commitment to helping others learn from their ransomware experiences. In this post, you’ll step inside two organizations’ war rooms as they manage a ransomware attack—and share best practices we all can follow to stop these attacks, or at least limit the damage.
In June 2021, Des Moines Area Community College suffered a ransomware attack that made national news. The school, Iowa’s largest community college, has six campuses, 1,880 employees and more than 72,000 total students. The ransomware attack forced the closure of in-person classes for one week and online classes for two weeks. DMACC CEO Rob Denson joined the conference panel to discuss the school’s experience.
Rob Denson, President, DMACC
Rob Denson was appointed the fourth President of Des Moines Area Community College on November 1, 2003.
In the summer of 2020, hackers launched a ransomware attack against EFCO, a Des Moines-based manufacturer that serves customers worldwide with its concrete forming and shoring products. EFCO President, CEO and Director Scott Walter joined the panel to tell his team’s story.
Scott Walter, President, Chief Executive Officer & Director, EFCO
Scott Walter has been with EFCO since 2008 and in his current position since 2020. He is responsible for the strategic direction of the Company and oversees the management of manufacturing, sales, distribution, and finance. While with EFCO he has held positions in manufacturing and information technology.
I was driving on vacation when I got a call that a student received a phishing message in a computer lab and gave up their credentials, which let the bad guys go in with Ryuk ransomware. I kept driving and got hourly updates from initial interactions with our insurance company.
Coming from IT, I was used to getting calls at night. And now being CEO (for only two months at that time), I was used to hearing about crises coming up at any time. This call came at 9pm. In hindsight, I think our initial reaction was an underreaction.
We waited 24 hours for the insurance company to get everything in place. We hadn’t done any practice runs, which I recommend you do. I hadn’t paid enough attention as CEO to all the crazy acronyms and company names. It was an unbelievable learning experience.
We worked through the night to shut down the network and stop the spread. Then we started working on identifying the extent of the attack and what recovery would look like. We met in that war room every day for a couple of weeks.
We found a ransom note on a computer in one of our satellite campuses. This group went searching for anything labeled “confidential” and found one of our VP’s files that had nothing in it but very old personnel data. In the end, we paid no ransom.
We found out that 50% of our servers were encrypted and wasted about a day trying to find the right vendor to help us out. Within 5 days (counting a weekend) I set up a sandbox with our dev team with our ERP system to run the business. We had 10 people taking calls from around the world to enter things into the ERP within that sandbox.
We kept a close eye on everyone’s energy level and ability to make decisions. You’re making critical decisions around the clock and looking for critical path to get back up and running.
We had great service, but our premium went from $30,000 last year to $100,000 this year. (This blog explains why cyber insurance rates are climbing for everyone this year.) To not lose time in our next situation, we put the consultants we used on a retainer to stand by so that we don’t have to wait for insurance.
The business interruption consultants tagged our business loss at about $950K for the fall term due to students giving up on registration. It will be a great help if we can recover that money through our business interruption insurance.
When you have the whole company shut down, the damages are impossible to estimate and impossible to validate. We got minimal help there, I would say.
They got our Active Directory, which I’d never even heard of. We didn’t have MFA, which would’ve sounded like an obscenity to me before this. We had thousands of e-mail addresses to put on MFA. That took a heck of a lot of effort.
We had to decide which systems were a priority to restore. The first thing we did was get payroll back up and get financial aid flowing back to our students, many of whom are low income. Then we went to registration systems.
In prioritizing systems and locations, we focused on the customer. We’re always shipping and returning equipment from customers every day. We had offline processes to handle that for a short period. Eventually, we’ll miss a billing cycle. Eventually, we’ll miss a payroll run. So that’s how we prioritized. We know which district offices do the most business and prioritized those first, knowing we’ll have to scan and clear every computer before it rejoins our network.
We contacted the FBI and had to notify the U.S. Department of Education and the Iowa Department of Education and our board. But most important was communicating to our own faculty, staff and students. We kept sending out e-mails and put up a daily note on our site, mainly reassuring people that very few names had been disclosed. The media was beating down the door, and the lawyers told us to just refer them to statements on our website.
We have a low profile in our city, and much of our operations are elsewhere, so it didn’t make the news. A blogger did pick up on our attack. They didn’t name us, but they gave us some new information because it was a new piece of malware we were facing, and they’d seen it on the dark web.
Law enforcement was first on my mind, but I was surprised to learn that our consultants said not to call the FBI. We notified customers, shareholders, employees—anyone who had information that may have been compromised. We didn’t know what servers the hackers had been on yet.
We’re on to dealing with the Delta variant. We did go to MFA. We’re doing more frequent password changes. Computers lock after 15 minutes of inactivity. But overall, we’re on to the next emergency.
It’s a significant event in our recent history, so it sticks in people’s minds. I had been part of starting an info security committee in the company a couple of years earlier, but we weren’t disciplined about holding meetings and reporting to the board. The committee was reluctant to put in place security things that would make people’s jobs slightly harder and cause pushback. But now, nobody wants to go through this again.
We never knew exactly who attacked us or how they got in. That makes it hard to tell that to the team in a way they can understand it and in a way that’s applicable to their work and how they can do their part to protect it.
You need to immediately get your IT people and your insurance on the horn. Identify your most likely consultants and reach out to them in advance. They can help test your system to confirm steps you’ve taken to become a harder target.
Our experience validated that backups are gold. We had the option to not pay the ransom, and we lost very little data in the process. But I wish I would have known how important forensics would be. We needed a clean network to be reconnected and to scan for malware on all the machines. And forensics are also critical to knowing what was lost.
We also needed more focus on the prevention side of things. Minimally, we needed to be able to recover. But now we need to focus on prevention. We found out during our investigation that Microsoft Defender had detected this and was not configured to notify our IT department.
If this discussion gets you thinking about your own readiness for a ransomware attack, contact Pratum today for a free consultation.
At first glance, managed XDR will probably seem like a cost increase from your current security solution. But after a closer look, most of our clients find that managed XDR produces cost advantages and workload reductions that easily offset any additional investment you’ll make. In this blog, we highlight key ways that managed XDR makes good business sense, not only by improving your security posture, but by actually saving you money. Use this list to help convince executives that your managed XDR plan makes sense for the budget.
Managed XDR provides a next-gen response to the cybersecurity headlines of the last couple of years. Traditional tools are getting passed up by ransomware innovations, software supply chain attacks and fileless malware. Managed XDR can intercept threats so new that antivirus programs and whitelists don’t even know about them.
A managed XDR solution uses AI, machine learning and global threat reports to block attacks no one has seen before. Whether this is your first event monitoring solution or an upgrade to your traditional SIEM, you’ll run a lot of numbers in deciding what direction to take.
You’ll see that managed XDR goes far beyond keeping hackers out of your system. With Pratum tuning the system, managed XDR delivers cost advantages by freeing up staff time, optimizing tools you’re already paying for and more.
If your cybersecurity program stops only known threats, innovative hackers may feast on your system. This year, for example, has brought a boom in attack vectors such as supply chain attacks and fileless malware that leverage sources you trust (such as software partners and your own operating systems) to compromise your system. XDR provides the protection required in a world where hackers run attacks that leave no files to watch for, rendering signature-based antivirus solutions defenseless in many cases.
The business advantage: Defenses that constantly adapt to the latest threats.
Most security stacks evolve over time into a mixed bag of platforms from multiple vendors. That creates gaps that attackers can slip through. A managed XDR solution, on the other hand, offers one SOC managing one platform from one vendor. (Pratum uses Microsoft’s Azure Sentinel and Defender for Endpoint.) With a unified managed XDR platform, you get native integration of SIEM, endpoint protection, vulnerability scanning, antivirus and more. That eliminates cracks that weaken most multivendor systems.
The business advantage: Elimination of gaps that could render your security stack ineffective.
Our incident alerts provide critical detail and context that let you drill down on specific improvements for your security program. The chart shown here illustrates how Pratum uses Azure Sentinel to dramatically reduce the number of alerts a client’s IT team would normally have to manage.
Most of the tickets that make it to the IT team require only a simple response to a question such as, “Was the addition of user ‘larrybird’ to AdminGroup a legitimate request?” Other alerts recommend a specific action such as blocking a specific IP address that is attempting multiple suspicious logins.
The business advantage: More IT efficiency through highly targeted alerts.
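To make concrete what a "highly targeted alert" is, here is an added example (not Pratum's or Microsoft's code, and not a Sentinel analytics rule from this page) that runs two detection rules over a small constructed batch of Windows Security events shaped like the SecurityEvent table Sentinel ingests. Rule 1 turns each addition to a privileged group into the yes/no question quoted above; rule 2 finds source IPs with a burst of failed logons inside a sliding window and recommends a block. The field names, the privileged-group list, the thresholds and every sample record are assumptions made for this illustration.

```python
"""Two detection rules run over constructed Windows Security events.

The records mimic the shape of Microsoft Sentinel's SecurityEvent table
(EventID, TimeGenerated, SubjectUserName, TargetUserName, MemberName,
IpAddress). Field names, the privileged-group list, the thresholds and
every record below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of groups whose membership changes always need a human answer.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "AdminGroup"}
# Assumed brute-force threshold: N failed logons from one IP inside one window.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample batch: 4624 = successful logon (noise for this purpose),
# 4732 = member added to a security-enabled local group, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeGenerated": "2021-09-01T09:00:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeGenerated": "2021-09-01T09:05:00", "TargetUserName": "bob", "IpAddress": "10.0.0.6"},
    {"EventID": 4732, "TimeGenerated": "2021-09-01T09:15:00", "SubjectUserName": "jsmith",
     "TargetUserName": "AdminGroup", "MemberName": "CN=larrybird,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "TimeGenerated": "2021-09-01T09:16:00", "SubjectUserName": "jsmith",
     "TargetUserName": "Sales", "MemberName": "CN=carol,CN=Users,DC=corp,DC=example"},
] + [
    # Six failures from one address within 2.5 minutes (09:20:00 .. 09:22:30).
    {"EventID": 4625, "TimeGenerated": f"2021-09-01T09:2{i // 2}:{'30' if i % 2 else '00'}",
     "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
    for i in range(6)
] + [
    # Two failures 15 minutes apart: never five inside a 10-minute window.
    {"EventID": 4625, "TimeGenerated": "2021-09-01T09:30:00", "TargetUserName": "alice", "IpAddress": "198.51.100.4"},
    {"EventID": 4625, "TimeGenerated": "2021-09-01T09:45:00", "TargetUserName": "alice", "IpAddress": "198.51.100.4"},
    {"EventID": 4624, "TimeGenerated": "2021-09-01T09:50:00", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
]


def _cn(member_name: str) -> str:
    """Reduce an LDAP DN such as 'CN=larrybird,CN=Users,...' to the account name."""
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def privileged_group_additions(events):
    """Rule 1: every addition to a privileged group becomes one yes/no question."""
    alerts = []
    for e in events:
        if e["EventID"] in (4728, 4732) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            member, group = _cn(e["MemberName"]), e["TargetUserName"]
            actor = e.get("SubjectUserName", "?")
            alerts.append({
                "rule": "privileged-group-addition", "member": member, "group": group, "actor": actor,
                "question": f"Was the addition of user '{member}' to {group} by '{actor}' a legitimate request?",
            })
    return alerts


def brute_force_sources(events):
    """Rule 2: source IPs with >= FAILED_LOGON_THRESHOLD failures inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("IpAddress") not in (None, "", "-"):
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["TimeGenerated"]))
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while t - times[start] > FAILED_LOGON_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILED_LOGON_THRESHOLD:
            minutes = int(FAILED_LOGON_WINDOW.total_seconds() // 60)
            alerts.append({"rule": "failed-logon-burst", "ip": ip, "failures_in_window": best,
                           "action": f"Block {ip} at the firewall; {best} failed logons within {minutes} minutes."})
    return alerts


def triage(events):
    """Run both rules and report how many raw events collapsed into how many tickets."""
    alerts = privileged_group_additions(events) + brute_force_sources(events)
    return {"events_ingested": len(events), "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{result['events_ingested']} events -> {len(result['alerts'])} tickets")
    for a in result["alerts"]:
        print(" -", a.get("question") or a.get("action"))
```

Run stand-alone, the 13 constructed events collapse into two tickets: the `larrybird` question and a block recommendation for 203.0.113.7. The two failures from 198.51.100.4 and the successful logons never reach the IT team, which is the noise reduction the chart above describes; in a real deployment the thresholds and group list are what the SOC tunes per client.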
Despite marketing promises from some XDR vendors, XDR is not a plug-and-play tool. So if you’re considering implementing an XDR platform through your current IT team, make a careful review of what that will require. These advanced systems require regular fine-tuning for your environment to reach the full value you’re paying for. By managing your XDR system, Pratum’s SOC frees up your IT team to complete other business-critical projects. By minimizing false positives, we limit alerts to the critical events you specifically want to monitor.
The business advantage: Free up your IT team to complete the business-critical projects they were hired to do.
Most breaches take days or weeks to discover. So the minute that you realize your system has been breached, you’re already behind. That makes timely digital forensics work a top priority. With 24/7 monitoring of your entire system and advanced threat hunting offered by managed XDR, you can typically reduce forensics analysis of attacks from days to minutes. That means you catch and eradicate intruders faster.
The business advantage: Business interruptions reduced to hours rather than days.
When Pratum’s SOC analysts implement a new managed XDR relationship, they lead provisioning, rule creation and more. We work every day with multiple industries and dozens of clients—and apply the lessons to your XDR setup. Every lesson learned by Microsoft and Pratum improves your system.
The business advantage: Best practices gleaned from dozens of other XDR installations.
Managed XDR monitors the effectiveness of security layers throughout your system. For example, if you have an e-mail filtering solution that isn’t stopping spam sufficiently, XDR lets you know. Sometimes, we’ll determine that XDR can actually replace tools, reducing your IT expense.
The business advantage: Full value from the tools you’re already paying for.
If you’re ready for a free consultation on how managed XDR can boost your bottom line, contact Pratum today.