(EXPLAINING WHY MONETA INVESTED IN PANORAYS)
“Something as small as the flutter of a butterfly’s wings can ultimately cause a typhoon halfway around the world.” – Chaos Theory
Chaos theory, according to which a small event can have a significant and unexpected impact, has never been more relevant to modern-day businesses. In today’s hyper-connected digital economy, where data is transferred continuously amongst stakeholders, even small vulnerability issues in third-party systems can result in unforeseen and catastrophic consequences.
If someone told you that an air conditioning subcontractor could trigger a catastrophic cyber attack on a huge retail chain, would you believe it? Probably not…
But that’s exactly what happened in the case of Target’s infamous data breach, in which hackers stole 40 million credit and debit card details and 70 million customer records. The breach was disastrous, resulting in a drop of 40% in quarterly profits, a loss of $290 million, and the resignation of Target’s CEO. The massive breach was eventually traced to a surprising source – Target’s network credentials were phished through its third-party HVAC (heating, ventilation, and air conditioning) subcontractor.
The Target incident is just one of many cautionary tales that exemplify the potential dangers and risks posed by third-party (and even fourth-party) vendors, contractors, or business partners.
In this blog we discuss the importance of third-party security risk management in the digital era and present the rationale behind our recent investment in Panorays, a leading technology company that automates third-party security lifecycle management.
What is Third-Party Risk Management?
Almost all businesses in the modern world rely heavily on third-party services. According to a recent Gartner report, the average company partners with about 5,000 subcontractors, amounting to a staggering number of third-party entities to keep track of. To further complicate matters, 72% of compliance leaders expect that number to increase by 2022.
Companies rely on a broad range of third-party services, including web hosting services, law firms, call center providers, cloud services, data processors and suppliers through API integrations, and shipping logistics. In many cases, third parties may have access to an organization’s sensitive systems and data. In the case of the HVAC company mentioned above, the subcontractor only had very limited access to a web application in Target’s systems, which is used for electronic billing, making the Target breach that much more unexpected.
Access and connectivity between business partners is essential for enterprises to remain efficient and serve their customers well. In fact, this level of connectivity is the key driver of today’s API economy. But while this hyper-connectivity drives business, it also poses huge risks to organizations’ data and internal systems.
Third parties will never be subject to the same level of control as the organization’s own assets, nor are they typically fully transparent. Each third-party system is therefore another potential entry point for a would-be hacker, which broadens the organization’s attack surface. For this reason, organizations are in dire need of new systems that can monitor, control and manage their exposure to cyber threats through third parties.
Organizations need to ensure that their vendors maintain an acceptable cybersecurity standard before they grant them access to sensitive data and systems. Managing third-party risk doesn’t end with a one-time assessment of subcontractors, but rather, is an ongoing task that every organization must perform continuously for all its business relationships.
As things stand today, third-party risk assessment is largely manual: audits in the form of questionnaires are filled out by third-party companies before onboarding. Often these audits are conducted with multiple spreadsheets, making the whole process arduous and impractical. These labor-intensive processes consume a lot of time and money, and in most cases their results are relevant only at the time of the audit and do not reflect the ongoing business relationship.
Panorays, an Israel-based cybersecurity company, provides an automated third-party security risk management platform. Panorays enables companies to easily view, manage and remediate issues in the security posture of their third-party vendors, suppliers and business partners. The platform continuously evaluates third-party companies’ cyber posture from the hacker’s perspective, combined with an assessment of internal policies. Companies using Panorays dramatically shorten their third-party security evaluation process and gain continuous visibility, all the while ensuring compliance with regulations such as GDPR and CCPA.
Panorays’ risk management lifecycle starts with the collection and discovery of data on the third party’s cyber posture from inside-out and outside-in perspectives. The inside-out approach is covered by smart and modifiable questionnaires that are tracked and processed, while enforcing internal and regulatory policies. At the same time, the outside-in data assessment uncovers the third party’s attack surface by mimicking thousands of attacks, just as a would-be hacker collects information on a victim. Then the collected data is analyzed and insights are presented, including a security rating and a comparison with other companies in the industry. With this, third-party security gaps can be analyzed based on context (i.e., the level of risk posed to the organization) and used to generate actionable insights for threat mitigation.
Just as the butterfly’s simple flutter may impact the greater picture, the promise of Panorays’ automated third-party risk management platform is not limited to its customers, but extends to the future of digital environments as a whole. Better third-party risk management lifecycles are reshaping entire ecosystems of business partners, allowing them to be built on trust, while safely unlocking the immense value that lies in collaboration and connectivity.