Move beyond the checklist and fully protect yourself from third-party cybersecurity risk
Over the last decade, hundreds of big-name organizations in every sector have experienced a public breach caused by a vendor. While the media tends to focus on high-profile breaches like those that hit Target in 2013 and Equifax in 2017, 2020 ushered in a huge wave of cybersecurity attacks, a near 800% increase in cyberattack activity, as millions of workers shifted to working remotely in the wake of a global pandemic.
The 2020 SolarWinds supply-chain attack illustrates the lasting impact of this dramatic increase in cyberattacks. A sophisticated attacker, operating as an advanced persistent threat (APT), stole information from multiple organizations, from Microsoft to the Department of Homeland Security, not by attacking the targets directly but by compromising a trusted partner or vendor. In addition to exposing third-party risk vulnerabilities for other attackers to exploit, the damage from this one attack alone will continue for years, and there are no signs that cyber breaches are slowing.
Cybersecurity and Third-Party Risk delivers proven, active, and predictive risk reduction strategies and tactics designed to keep you and your organization safe. Cybersecurity and IT expert and author Gregory Rasner shows you how to transform third-party risk from an exercise in checklist completion to a proactive and effective process of risk mitigation.
- Understand the basics of third-party risk management
- Conduct due diligence on third parties connected to your network
- Keep your data and sensitive information current and reliable
- Incorporate third-party data requirements for offshoring, fourth-party hosting, and data security arrangements into your vendor contracts
- Learn valuable lessons from devastating breaches suffered by other companies like Home Depot, GM, and Equifax

The time to talk cybersecurity with your data partners is now.
Cybersecurity and Third-Party Risk is a must-read resource for business leaders and security professionals looking for a practical roadmap to avoiding the massive reputational and financial losses that come with third-party security breaches.
It is eight years since the infamous breach that affected Target stores. I think with a company name like that, being a data breach victim was inevitable. As Brian Krebs wrote about the breach, the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor. The vendor in question was a refrigeration, heating, and air conditioning (HVAC) subcontractor that had worked at several Target locations, and the attackers used network credentials stolen from the HVAC vendor. The story of the Target breach is that a corporate network is only as strong as its weakest link. When it comes to technology, you can outsource responsibility, but you can never outsource liability. And when a firm has a third-party vendor, it needs to ensure that the vendor does not introduce levels of liability that can't be tolerated.

In Cybersecurity and Third-Party Risk: Third-Party Threat Hunting (Wiley), author Gregory Rasner has written a helpful guide that provides the reader with an excellent overview of third-party risk issues and how to create a program to manage them. Having a third-party risk management (TPRM) program to identify and reduce risks relating to the use of third parties (including vendors, suppliers, partners, contractors, service providers, and more) is a crucial part of a company's risk management program. For those that need assistance, the book shows how to create a third-party risk management program to mitigate risk associated with third-party relationships and how to comply with their corporate policies. Such a program is critical, as every firm relies on services from and engages in business relationships with third parties. But whenever one engages with an external third party, that third party can and will introduce risks to the organization.
An effective third-party risk management program will enable a firm to identify, monitor, manage, and report risks associated with these third-party relationships per corporate policies and laws. The book shares a potentially frightening statistic: the average company has nearly 600 vendors who have access to customer personally identifiable information (PII). And on average, nearly 100 vendors can access a company's network on a weekly basis. Since they have access to your network and its associated data, performing due diligence on third parties is crucial.

Two areas where the book shines bright are the topics of offboarding and cloud computing. While it is crucial to have a program to onboard vendors, it is equally essential to ensure that when their term ends, vendors are offboarded. In too many organizations, once a vendor is approved, they can remain in the directory and have network access for eternity. And that is an unacceptable risk. Cloud computing also has its own unique set of requirements. Far too many people think the cloud is inherently secure, which is a dangerous thought. The cloud and software supply chains are just as insecure on-prem as they are in the cloud.

For those looking to create a TPRM program, Cybersecurity and Third-Party Risk is a valuable read. Those that have an existing TPRM program may want to reappraise the efficacy of their program after reading the book, given that it has some of the best practices for the current state of third-party risk.