It’s the phone call no information security executive wants to get. A few months into his tenure as chief information security officer for the Town of Gilbert, Ariz., Tony Bryson learned that one of his municipality’s most significant vendors had experienced a cybersecurity incident. Bryson’s first concern was whether the Town of Gilbert’s government data had been compromised. But he was also worried about the long-term implications for a partnership that provided critical services to the town.
Unfortunately, phone calls like the one Bryson received are becoming almost inevitable. It’s no longer a question of will you get hacked, but when. And increasingly, hackers are targeting third-party vendors to gain access to other organizations, including governments like the Town of Gilbert. Look no further than the headline-grabbing breach of IT management software supplier Kaseya, which set off one of the most significant supply chain attacks in history.
Nearly 60% of data breaches can be traced to third-party vendors. And as the Kaseya attack showed, the compromise of a long-standing vendor can cost its customers substantial money, time and productivity.
The good news is that there are ways to minimize, or at the very least mitigate, the risks associated with supply chain attacks. In a recent Ponemon Institute report on the state of third-party security, 44% of organizations surveyed said they had experienced a third-party data breach within the last 12 months. Of those organizations, 74% attributed the breach to giving too much privileged access to third parties. That is one piece of the third-party risk problem that can be solved directly: scope each vendor’s access to the systems its support task actually requires, for no longer than the task takes, and record what the vendor does while connected.
For his part, Bryson scaled the Town of Gilbert’s cybersecurity defenses by adopting a preventative solution through third-party security company SecureLink.
Streamlining security at scale
When the Town of Gilbert first started working with SecureLink six years ago, the critical catalyst was compliance. Like many local governments, the Town of Gilbert needed a solution that enabled them to securely and seamlessly provide application services to hundreds of thousands of residents in a manner that met state and federal data protection and privacy laws. But they found that their previous vendor management program was too complex, unwieldy and expensive.
While the Town of Gilbert’s government had used Virtual Private Network (VPN) services in the past, it found them cumbersome and inflexible. VPN clients take longer to install, and a VPN grants network-level access: once connected, a vendor’s machine sits on the internal network, and confining it to the one application it supports requires additional firewall rules and credential management on top of the VPN itself. That gap has only widened in the remote work environment many of us now find ourselves in. Indeed, according to a new report, there has been a spike in malicious actors targeting unpatched VPN appliances since the pandemic’s onset in March 2020.
SecureLink’s platform, by contrast, is clientless and web-based: vendors connect through a browser rather than installing VPN software. As a result, Bryson said, vendors can spend more time focusing on their support activities and less time figuring out how to get into the system.
“When a vendor does have to respond to a support call for us, they tend to connect quickly, get the job done and then, boom, they’re gone,” he said. “And it goes back to the simplicity of the system and the elegance of the interface.”
The platform’s ease of use also streamlines the process of training employees. Even those without technical backgrounds can immediately start using the application, which saves time and money.
Guarding against third-party cyberattacks
The real payoff of the Town of Gilbert’s investment in preventative cybersecurity technology, however, came after one of its vendors was breached. The platform confines each vendor to a defined support envelope, meaning the specific systems it needs to do its job, which limits what a compromised vendor account can reach inside the town’s environment. It also records each session in an audit log that functions a lot like CCTV footage after a crime.
This meant the Town of Gilbert knew exactly when and how the third-party breach touched its systems. On top of that, the town quickly resolved the issue, all without cutting off the vendor’s access and losing the critical services it provides to the Town of Gilbert’s 260,000 residents.
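The two controls this article keeps returning to, a defined support envelope per vendor (the answer to the over-privileged access problem cited in the Ponemon figures above) and a session audit log that can be replayed after an incident, can be expressed in a few dozen lines. What follows is an added example written for this piece; it is not SecureLink’s code or the Town of Gilbert’s configuration. The log format, vendor account names, hostnames, ports and support hours are all constructed assumptions. The script parses a constructed vendor-access log, checks each connection against the vendor’s allowed hosts, ports and support window, and returns a timeline of out-of-scope events of the kind an analyst wants in hand when a vendor reports a breach.

```python
"""Vendor remote-access audit: scope checks over a constructed session log.

Added example for this article, not SecureLink's code or the Town of
Gilbert's configuration. Every vendor, host, port, time window and log line
below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class Envelope:
    """Hypothetical per-vendor support envelope: what the vendor may reach, and when."""
    hosts: frozenset   # exact hostnames and/or CIDR strings
    ports: frozenset   # permitted destination ports
    hours: tuple       # (start, end) local time window for support sessions


# Assumed vendor accounts and their envelopes (constructed).
ENVELOPES = {
    "permit-vendor": Envelope(
        hosts=frozenset({"permits-app-01", "permits-db-01"}),
        ports=frozenset({443, 1433}),
        hours=(time(7, 0), time(19, 0)),
    ),
    "hvac-vendor": Envelope(
        hosts=frozenset({"10.20.30.0/24"}),
        ports=frozenset({443}),
        hours=(time(0, 0), time(23, 59)),
    ),
}

# Constructed audit log: "<ISO timestamp> <vendor account> <action> <target> <port>".
SAMPLE_LOG = """\
2021-07-06T09:14:02 permit-vendor connect permits-app-01 443
2021-07-06T09:20:45 permit-vendor connect permits-db-01 1433
2021-07-06T22:41:10 permit-vendor connect permits-db-01 1433
2021-07-06T22:42:03 permit-vendor connect finance-db-01 1433
2021-07-06T22:43:30 permit-vendor connect permits-app-01 22
2021-07-07T03:05:00 hvac-vendor connect 10.20.30.17 443
2021-07-07T03:06:12 hvac-vendor connect 10.20.31.5 443
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    vendor: str
    action: str
    target: str
    port: int


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, action, target, port = line.split()
        events.append(Event(datetime.fromisoformat(ts), vendor, action, target, int(port)))
    return events


def host_in_scope(target: str, hosts: frozenset) -> bool:
    """True if target is an allowed hostname or an IP inside an allowed CIDR."""
    if target in hosts:
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:          # a hostname that is not listed is out of scope
        return False
    for entry in hosts:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:      # entry is a hostname, not a network
            continue
    return False


def check_event(ev: Event, envelopes: dict) -> list:
    """Return the scope violations for one event; an empty list means in scope."""
    env = envelopes.get(ev.vendor)
    if env is None:
        return ["unknown vendor account"]
    problems = []
    if not host_in_scope(ev.target, env.hosts):
        problems.append(f"host {ev.target} outside envelope")
    if ev.port not in env.ports:
        problems.append(f"port {ev.port} not permitted")
    start, end = env.hours
    if not (start <= ev.ts.time() <= end):
        problems.append(f"outside support window {start}-{end}")
    return problems


def audit(text: str, envelopes: dict = ENVELOPES) -> list:
    """Timeline of (timestamp, vendor, target, port, violations) for out-of-scope events."""
    findings = []
    for ev in parse_log(text):
        problems = check_event(ev, envelopes)
        if problems:
            findings.append((ev.ts.isoformat(), ev.vendor, ev.target, ev.port, problems))
    return findings


if __name__ == "__main__":
    for ts, vendor, target, port, problems in audit(SAMPLE_LOG):
        print(ts, vendor, f"{target}:{port}", "; ".join(problems))
```

Run against the constructed log, the audit flags four of the seven connections: the permit vendor’s late-night sessions, one of which reaches a finance database it has no business touching and one of which uses a port it was never granted, and the HVAC vendor stepping outside its subnet. In-scope daytime sessions produce nothing, which is the point: the envelope is what makes the log readable after the fact.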
Having this kind of preventative technology “gave us a level of transparency that we needed,” said Bryson. “Without it, we may not have had that ability to move forward with that vendor.”
Too often, this is not the case. It took experts weeks to untangle the nuances of REvil’s ransomware attack through Kaseya’s VSA servers, and the total number of customers impacted remains unknown. This level of opacity around supply chain attacks is hardly surprising, since the Ponemon report reveals that 59% of organizations don’t use automated tools to monitor the activities of third parties.
Prioritizing preventative solutions
Bryson is well aware that the need for third-party security isn’t going away any time soon. “The world is shifting more and more to an online environment where service providers reach out and virtually touch your systems. So to keep up, we need cybersecurity services to help keep our system secure and our vendors on their toes. The fact that we have this product to lean on is just a massive advantage for us,” he said. “And because of where we’re headed with the post-COVID-19 world, this is a service that we’re going to need more of, not less.”
When the Town of Gilbert first partnered with SecureLink, they selected the platform because it offered the full “trifecta” of advantages: security, usability and cost-effectiveness. As the town’s needs have evolved, Bryson and his colleagues said their security solution has evolved in lockstep, keeping the municipality on the edge of innovation — and protected at all times.
The Town of Gilbert’s proactive approach to third-party security is one other governments would do well to model, for their own peace of mind as well as that of their constituents. Describing the Town of Gilbert’s partnership with SecureLink, Bryson says, “It’s freeing. It allows the chief security officer the chance to sleep at night.”
When we think about recent attacks like Kaseya, JBS, Colonial Pipeline and SolarWinds, the takeaway is clear: organizations must do everything they can to protect their critical infrastructure, environments, and networks. Above all else, that means investing in preventative cybersecurity solutions — preferably before the next Kaseya-level attack.