What Ransomware Trends Mean for Your Vendor Risk Program

Written by Vanessa Jankowski
SVP & GM, Third Party Risk Management

The last two years have introduced new challenges to organizations across the globe -- from managing business operations through an ongoing pandemic, to a rapid-fire pivot to a digital mode of work, to an increase in cyber attacks targeting businesses directly and through their supply chains.

When teams have been able to adapt and act quickly, we’ve seen them survive or even thrive — and not just from a cyber risk standpoint; when teams have struggled to keep pace with change, success has been harder to come by.

Some challenges may seem independent of one another, but they actually reinforce each other. Here’s what we mean: the pandemic forced rapid digital transformation; that transformation created new attack vectors for bad actors across the digital supply chain; and because ransomware attacks exploiting those vectors have been profitable, they continue to be the weapon of choice.

Ransomware Trends eBook

Ransomware attacks have been rising at an alarming rate — with victims ranging from one of the largest fuel suppliers in the United States to Ireland’s Department of Health. Download our ebook to learn more about:

  • The latest tactics used by ransomware groups
  • Bitsight’s analysis of data on hundreds of ransomware events
  • Best practices to protect your organization

Security and vendor risk professionals are fighting now more than ever to find data solutions that properly identify potential ransomware threats. At Bitsight, the top questions we keep hearing are:

1) What can we actually do to prevent ransomware attacks on our organization?

2) What can I do as a third party risk or vendor risk leader to make sure we don’t fall victim to disruption or data loss via a third party attack?

Let’s start with the first question.

What can we do to prevent ransomware attacks on our organization?

Bitsight Research reveals data correlations that prove you can reduce the likelihood of experiencing a ransomware attack with:

  • Strong, consistent security performance
  • A strong practice around patch and vulnerability management in given risk vectors

This guidance is highly logical, but it’s also borne out in the data. Comparing security performance and security practices with actual, publicly disclosed ransomware events, we see that the lower a company’s security rating, the more likely it is to suffer a ransomware attack. In fact, companies with a rating between 300 and 500 (the low end of the scale) are almost 8 times as likely to experience ransomware activity as companies with a rating of 750 or above.


Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

We see a similar trend for patch management -- Bitsight measures an organization’s “patching cadence” by looking at the presence and duration of vulnerabilities observed on a company’s infrastructure. Poor performance on the patch management front is highly correlated with ransomware risk.

Organizations with a Patching Cadence grade of D or F were more than 7 times as likely to experience a ransomware event as those with an A grade. Again, these are logical findings that make sense intuitively, but they also reinforce the fact that there’s work to be done by companies and third party risk teams to avoid exposure to ransomware attacks.

How do I apply this to my third party or vendor risk program?

There’s no denying that third party and vendor risk teams face a challenge of scale. It’s hard to keep up with the pace of the business, the number of vendors, and the rate of cyber risk change across the third party ecosystem. And it’s often difficult to take the good advice you have for one organization (where you have some amount of control) and apply it to tens, hundreds, or even thousands of vendors that you manage at arm’s length.

So what can we do to have an impact? What can we do to mitigate the risk of ransomware across third parties? Here are a few places we can start: 

  • Integrate cyber risk insight into your process: In other words, embed leading indicators of ransomware (such as security rating and patching cadence) into your vendor risk management workflows. Doing so lets you streamline and scale visibility, quickly identify ransomware risk across new and existing vendors, and help your security teams make decisions quickly and confidently.
  • Prioritize efforts where the risk is the greatest: Alongside a framework for prioritizing your third parties based on the inherent risk to your business, you can leverage security ratings data to understand where the gaps are the greatest. Which of your Tier 1 critical vendors have poor security performance? Which ones have a history of less-than-stellar patch and vulnerability management? A prioritized view that matches business risk with cybersecurity performance can help your team focus on the highest leverage activities to mitigate third party risk to your business.
  • Work with your vendors: Collaborating with your third parties to create mutual accountability can translate into mutually assured resilience against risks like ransomware. Setting clear expectations for your vendors’ security performance can position you to manage to those expectations over time, and working with your vendors to reach strong outcomes together (through objective, evidence based collaboration) can ensure your relationship is productive instead of adversarial.
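One way to turn the prioritization step above into a repeatable ranking, as an added example that is not Bitsight’s code or scoring model: the rating bands and patching grades follow the thresholds quoted in this post, while the `Vendor` type, the score weights, and the sample vendors are assumptions made for illustration.

```python
# Added example (not Bitsight's code or method): rank third parties for
# ransomware-focused review by business tier, rating band and patching grade.
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    tier: int            # 1 = most critical to the business (assumed tiering)
    rating: int          # security rating; bands below use the post's thresholds
    patching_grade: str  # Patching Cadence grade, A-F

def rating_band(rating: int) -> str:
    """Bucket a rating using the thresholds cited in the post."""
    if rating < 500:     # 300-500 band: ~8x ransomware likelihood vs 750+
        return "low"
    if rating >= 750:
        return "high"
    return "mid"

def review_priority(v: Vendor) -> int:
    """Higher score = review sooner. Weights are an assumed heuristic."""
    score = {1: 30, 2: 20, 3: 10}.get(v.tier, 0)             # inherent risk
    score += {"low": 40, "mid": 15, "high": 0}[rating_band(v.rating)]
    # D/F patching cadence: >7x ransomware likelihood vs A grade in the post
    score += {"A": 0, "B": 5, "C": 15, "D": 30, "F": 30}.get(v.patching_grade.upper(), 30)
    return score

def prioritize(vendors: list[Vendor]) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, flagged gaps) sorted so the riskiest vendor is first."""
    out = []
    for v in vendors:
        gaps = []
        if rating_band(v.rating) == "low":
            gaps.append(f"rating {v.rating} in 300-500 band")
        if v.patching_grade.upper() in ("D", "F"):
            gaps.append(f"patching cadence {v.patching_grade.upper()}")
        out.append((v.name, review_priority(v), gaps))
    return sorted(out, key=lambda t: t[1], reverse=True)

# Constructed sample vendors (not real companies or real ratings)
SAMPLE = [
    Vendor("payroll-saas", 1, 420, "F"),
    Vendor("cdn-provider", 1, 800, "A"),
    Vendor("office-supplies", 3, 460, "D"),
    Vendor("analytics-api", 2, 690, "C"),
]

if __name__ == "__main__":
    for name, score, gaps in prioritize(SAMPLE):
        print(f"{score:3d} {name:16s} {'; '.join(gaps) or 'no flagged gaps'}")
```

The flagged-gap list is the part worth keeping: it gives the analyst the specific evidence (rating band, patching grade) to raise with the vendor rather than just a number.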

In Conclusion

The pace of change in third party cyber risk over the last two years has been dizzying, and the stakes are perhaps higher than they’ve ever been. While the problem space here is complicated, the signs are fairly clear: a strong, consistent security program and an effective patch management discipline are critical to mitigating risk against ransomware attacks -- and applying that guidance to your third parties at scale requires cyber threat intelligence embedded in your program, an effective framework for prioritizing effort against risk, and a collaborative approach that drives mutual resilience. 

Continuous Monitoring eBook

Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.