CIO POV: Building resilience in a complex threat environment

As a CIO, I often wish for a world where the threat landscape was less expansive and less complex than it is today. Unfortunately, the reality is very different. This month, I keep returning to the idea that our digital business would stagnate without the technology ecosystem that supports it. Yet this very ecosystem presents great risks.

So I’m thinking about the complex web of potential risks facing our digital ecosystem. The ecosystem brings several benefits: it shifts the heavy lifting of back-end infrastructure to a SaaS vendor, delivers a higher-quality solution than you could develop yourself, and lets us focus on our most critical domains.

The same digital ecosystem also presents inherent risk. The threats posed by your third-party suppliers are compounded by the risks posed by their suppliers (your fourth parties). This creates a complex, ever-growing web of exposure. Each new technology brings additional layers of partners and additional risks. On top of that, the rise of cybercrime and persistent threats such as ransomware are a constant concern.

New technologies: Uncovering hidden vulnerabilities and blind spots

As we navigate the complexities of our digital ecosystem, it’s becoming increasingly clear that the innovations we embrace may introduce new risks. These are not just imaginary risks; they’re tangible issues we’ve touched on before, manifesting as third-party risks, cyber debt, and the ever-present threat of ransomware.

In the spirit of addressing these challenges head-on, let’s continue to explore some areas that need our vigilant attention:

1. The dangers of a chain reaction in your digital system

If you’re already losing sleep over cybersecurity, you can be sure you’ll lose even more over the risks your partners bring with them. Deep relationships with technology partners power our digital businesses, but every new provider you add to your ecosystem expands your attack surface.

I’m sure every third-party provider you work with has been vetted for vulnerabilities. But do you apply the same scrutiny to your fourth parties (your third parties’ suppliers)? How many third-party and fourth-party providers does your organization actively work with? Let me share some details.

CyberArk’s 2024 Identity Security Threat Landscape report shows that 84% of organizations expect to use three or more cloud service providers (CSPs), compared with 85% last year. In addition, 89% of respondents expect the number of software-as-a-service (SaaS) providers they use to increase in the next 12 months, up from 67% in the 2023 report. Consider the footprint of your digital ecosystem. Your extended family of third-party providers includes service providers, integrators, hardware and infrastructure providers, business partners, distributors, resellers, and communications providers. Although they sit outside your organization, these companies are essential to powering your digital business.

Are you aware of all your third-party providers’ security practices? What about your fourth-party suppliers? Does your organization actively measure and mitigate the risks posed by your third-party and fourth-party suppliers? The answer is implied in the questions, but I’ll say it anyway: you should be doing all of these things.

2. Cyber debt is real

You’ve probably heard of technical debt, which is the result of prioritizing speed to market in a fast-moving technology environment. Today, technical debt is compounded by cyber debt. Consider the cumulative risks and vulnerabilities within your IT infrastructure due to neglected updates, a lack of tools, or too many disparate tools, coupled with a shortage of skilled cybersecurity personnel. It’s a recipe for disaster, and attackers thrive on it.

The proof is in our survey findings. Breaches due to phishing and vishing attacks have impacted nine out of ten organizations. Almost the same share of organizations were targeted by ransomware in 2024 (90%) as in 2023 (89%), with a growing number reporting irreversible data loss. As bad actors use generative artificial intelligence (GenAI) to develop more sophisticated attacks, we should expect that every organization will be breached in the coming years. This is an assumption every CISO should plan around.

3. Ransomware is still a thing

Ransomware remains a major threat, and its popularity among criminals is exactly why. Despite our hopes for a ransomware-free world, the reality is that old threats persist, and people remain the weakest link. Ransomware will continue to grow in volume and sophistication, especially with AI-powered deepfakes. No amount of cybersecurity awareness training can completely prevent a user from clicking a malicious link or sharing a one-time password (OTP), which puts their identity and the organization’s data at risk.

The damage caused by ransomware is dire. Our findings reveal that 75% of organizations affected by ransomware paid the ransom but never got their data back. However, protecting against ransomware doesn’t have to be as challenging as climbing Mount Everest. The US Cybersecurity and Infrastructure Security Agency (CISA) offers several valuable resources to help you protect your organization against ransomware, and I highly recommend using them.

Building strong digital defenses against emerging threats

While a day in the life of a CISO may seem grim, it’s not all doom and gloom. My peers in the industry will agree that we successfully defend against threats every day, but a single breach can leave a lasting mark. I advise everyone to carefully review their IT environments, assess gaps and prioritize fixes. This needs to be a continuous process, not a one-time exercise.

While we must anticipate and mitigate the risks of new technologies such as GenAI, we cannot ignore the ongoing threats of conventional vulnerabilities. Simply put, I recommend three actions:

  1. Discover and inventory all the assets and new technologies in your universe. Conduct an annual vendor audit that evaluates and prioritizes the key vendors that may pose the greatest risk to your business. You can use security scoring tools and put liability clauses in contracts. You should also ensure that access to your systems requires strong authentication and that only the data actually required is exposed.
  2. Weigh the risks of these different tools against the time and effort required to maintain them. I recommend a dedicated cadence for discussing cyber risk management and reviewing results, including a third-party risk mitigation toolkit.
  3. Create a plan to consolidate your technology stack based on the right balance for your organization. Proceed slowly but surely. As a CIO, I can confidently say that the platformization movement is real. It is not only a way to reduce overall costs but also a way to reduce third-party risk. A trusted vendor that you continuously monitor from a cyber risk perspective will ultimately lead you to a more secure state. That said, don’t put all your eggs in one basket.

I’m already doing these things. Are you?

Omer Grossman is the global chief information officer at CyberArk. You can check out more content on Omer at CyberArk’s Security News | CIO Connections page.
