How does third-party risk complicate your operations?

Third Party Risk Management (TPRM)Security Operations Center (SOC)
823 viewscircle icon3 Upvotescircle icon2 Comments
Sort by:
vCISO and COO in Software3 years ago

When I was in biotech, we had these million dollar robots in a locked lab, with all this physical security around it. One day the technician for those robots walked in, stuck a USB stick in there and the whole machine got infected. We had to come up with something to prevent that from happening again, so we decided there would be no more USB sticks allowed. If a technician had to come update the firmware, they’d have to send us that firmware so we could put it on a secure drive. Then that could be plugged in. That's the only way we did it going forward.

VP, Director of Cyber Incident Response in Finance (non-banking)3 years ago

In a past role, there was malware that appeared on our network and we weren't sure how it got there at first. It was wormable and it had propagated itself to a number of systems. After investigating, we found our patient zero: a network sniffer that was portable. The sniffer was maintained by the network engineering team who had a contract with a third party.

The third party would have these portable sniffers sitting on a shelf and they would ship them out to wherever they were needed. And they had a fourth party that was responsible for maintaining the image on those devices. They would get re-imaged each time they got sent back. But the fourth party had a malware compromise in their environment, so when they rebuilt the appliance on their network, it had the malware propagate to it. So that was a fun conversation to have with both the third and fourth party because we had to tell them, "You need to clean up your stuff."

Content you might like

What are the best practices for securing the MFA registration phase when moving from SMS to phishing-resistant methods like passkeys (FIDO2) or TOTP-based authenticator apps? Specifically, how can we mitigate risks in device enrollment and key provisioning without phone numbers? What innovations are your organizations implementing or have implemented to bolster this process? - I don't see this as a competitive advantage but all of us good guys against the bad.

What topics would you like to learn more about / be most likely to attend a webinar on?

Ransomware / Malware / Phishing35%

Privacy27%

Cloud Security58%

Network Security33%

Zero Trust vs. VPN32%

Remote Workforce Security27%

Seamless User Experience16%

Legal and Regulatory Compliance7%

View Results

It's “National Clean Out Your Computer Day”  (Feb 13) — when was the last time you organized/backedup your laptop?

Today!11%

Last week37%

Last month22%

Last quarter12%

Last year7%

Never4%

I can't remember4%

View Results

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Read More Comments

As organizations deploy LLMs and other AI systems, how do you recommend security teams address risks such as data leakage, prompt injection and adversarial manipulation? What frameworks or practices should be prioritized to make AI security programs resilient from day one?