By Staff Writer at LMG Security   /   Aug 22nd, 2024

Our Q3 2024 Top Control is Third Party Risk Management: Lessons from the CrowdStrike Outage

Last month’s CrowdStrike update outage shut down operations at banks, airlines, and numerous other organizations around the world. It was a stark reminder of the potential fallout from third-party providers, regardless of whether an outage stems from a malicious attack or an accidental vendor failure. In today’s interconnected digital landscape, reliance on connected third-party vendors has become a cornerstone of business operations. But you’re not just at risk from your vendors. You’re also at risk from your vendors’ vendors and partners. Today, fourth- and fifth-party breaches happen regularly and are caused by everything from a zero-day exploit of a software code library to a third-party breach that compromises your data. With the rapid escalation of vendor-caused outages, third-party risk management (TPRM) is now a necessity. That’s why we’ve chosen it as our top control for Q3 2024, so if you don’t have a TPRM program yet, we strongly recommend implementing one to stay ahead of today’s top cybersecurity threats. You can also review our full list of 2024 Cybersecurity Top Controls here. Now, let’s dive into the challenges and solutions for TPRM.

Why Organizations Need Third Party Risk Management Solutions

Whether you call it supply chain security, vendor risk management, or third-party risk management, all of these terms are focused on assessing the cybersecurity risks your vendors and partners (and their vendors and partners) pose to your organization. A recent study found that 61% of organizations experienced a third-party data breach or security incident in 2023. This is an almost 50% increase over the previous year and reflects the rapid increase in organizational reliance on third-party vendors for critical business functions, from cloud services to SaaS, web apps, and more. In addition, vendors may store your data or integrate with your digital infrastructure, which creates significant risk of data breaches and regulatory violations. Without a robust third-party risk management program, you have a major gap in your organization’s security posture and are vulnerable to the potential financial losses, legal penalties, and reputational damage that accompany a data breach.

Fortunately, today’s third-party risk management platforms can take hours of vendor vetting work and streamline it into minutes. But it takes more than just a platform. You need an integrated plan that includes TPRM policies to properly identify, assess, and mitigate these third-party risks. Let’s explore the lessons learned from the recent CrowdStrike outage, and then we’ll share our top five best practices for third-party risk management.

Lessons Learned From the July 2024 CrowdStrike Outage

Last month’s CrowdStrike outage serves as a compelling case study on the importance of third-party risk management. As a leading cybersecurity firm, CrowdStrike provides critical security services to many of the largest organizations worldwide. However, a single faulty update froze operations for thousands of organizations globally.

The root cause of the outage was a faulty sensor configuration update that was pushed out to Windows systems. The update triggered a logic error that caused the blue screen of death and bricked critical computer systems around the world. This incident was an eye-opener: organizations need more stringent vendor vetting policies that also include evaluating software development security and quality assurance. Equally important, organizations need stronger business continuity and disaster recovery plans to limit operational outages from all incidents, not just malicious attacks.

5 Best Practices for Third Party Risk Management

So how do you reduce your risk of a third-party breach or outage? Our expert team recommends these top five best practices:

1. Implement a TPRM Platform. Before hiring new vendors, it’s crucial to vet them. Third-party risk management platforms like Venminder can help organizations track and assess vendor risks, providing insights about the risks each vendor may pose to your security. This process involves assessing the vendor’s security practices, compliance with regulations, software development processes, financial stability, and overall reputation. These platforms can also facilitate continuous monitoring and reporting, ensuring that new potential risks are identified and addressed promptly before you sign or renew a contract. By thoroughly vetting potential vendors, organizations can identify any red flags that may indicate a higher risk profile. You also need to continuously vet your existing vendors, starting with your highest-risk suppliers. Consider which suppliers have privileged access to your IT resources and/or sensitive data, and examine those suppliers continuously and carefully.

2. Create Strong Third-Party Risk Management Policies. Implementing a TPRM platform is great for streamlining vendor risk assessments, but you also need comprehensive vendor risk management policies. You should develop and implement robust TPRM policies and procedures that align with today’s best risk reduction strategies. Some examples include:

  1. Add minimum required cybersecurity controls and breach notification policies to all of your vendor contracts.
  2. Request third-party security testing results for all vendors.
  3. Develop policies to limit vendor access to your IT resources and sensitive data.
  4. Contractually require your vendors to vet their own vendors and partners.

If you need help creating TPRM policies and customizing them for your unique business requirements, contact our team and we can take that burden off your shoulders.

3. Conduct Continuous Monitoring and Assessments. Third-party risk management doesn’t end once a vendor is onboarded. Continuous monitoring and assessments are essential to ensure that your vendors maintain compliance with your security standards and contractual requirements. The easiest way to accomplish this is by adopting a TPRM platform that offers these services; alternatively, you can manually conduct regular security vetting of all your high-priority suppliers and partners.

4. Establish Clear Communication Channels. Effective communication is key to managing third-party risks. Organizations should establish clear communication channels with their vendors to facilitate the timely exchange of information, particularly in the event of an incident. You should have one or two people who are responsible for this function, with a defined escalation process for reporting and addressing issues as they arise.

5. Develop an Incident Response Plan, Then Communicate and Practice It. Despite best efforts, incidents can and do occur. You need a well-defined incident response plan to minimize the impact of a third-party breach or outage. The plan should outline the steps to be taken in the event of an incident, including communication protocols, containment measures, and recovery procedures. We also recommend educating employees about the importance of third-party risk management. Ensure that they understand their role in the process, and regularly practice your plan using tabletop exercises that also include any key vendors crucial to your daily operations. Read more about tabletop exercise breach simulation scenarios in our evergreen tabletop exercise scenarios blog and our 2024 trending tabletop exercise scenarios blog.

The 2024 CrowdStrike outage serves as a powerful reminder of the critical importance of third-party risk management that accounts for both malicious attacks and vendor accidents. As organizations continue to rely on third-party vendors for essential services, building robust TPRM practices, if you don’t already have them, should be one of your top short-term cybersecurity priorities.

We hope you found this information useful! Contact us if you need help with technical testing, policy development and advisory services, cybersecurity solutions, or training.

About the Author

LMG Security Staff Writer