How the NIST Cybersecurity Framework Helps You Respond to a Vendor Breach
As if we didn't have enough to think about when it comes to our own organization's security posture, we also have to consider the cybersecurity of the companies we do business with: our third parties (and their third parties). Even when you've done everything you can to reduce the inherent risk of working with other companies, by bringing them into alignment with your own security policies, compliance obligations and risk appetite, some risk of supply chain attack always remains.
So what can you do when the worst happens and a supplier suffers a breach that then affects your organization? International standards such as ISO 27001 offer a framework for building and improving an information security management system; the NIST Cybersecurity Framework, alongside its Identify, Protect and Detect functions, also gives guidance on how to respond to and recover from security events.
This blog post focuses on response and recovery and outlines each of the key steps needed to get your organization back on its feet after a third-party security incident. Let’s take a closer look.
How to Respond to a Breach
You've detected a breach at a third party; now what? The most critical thing at this point is to limit the impact on your organization by activating your response playbook, which should include:
- Limiting that third party's access to your systems, network and applications, and determining whether the third-party breach has affected your organization. If it has, your next step is forensic analysis to understand the extent of the incident and its impact.
- Mitigating the damage with additional security measures and tools to prevent any further incursion into your network, applications and systems. Sometimes that means unplugging systems, cutting off access, updating security policies (including access policies) and implementing new tools and protocols. One key consideration in this step is preserving evidence before you change anything, in case of a later investigation by law enforcement.
- Communicating to stakeholders what has happened, the impact and your plan for recovery. A key part of this step is to have already worked out who needs to know about the event. This includes key internal contacts beyond the initial response team, such as members of the executive team, the board of directors and employees, as well as external audiences such as law enforcement, outside counsel and regulators.
- Knowing your legal obligations ahead of time. If the incident involves the theft of personally identifiable information, state and federal laws impose breach notification requirements, usually with deadlines, so the notification decision cannot wait until after containment is finished.
- Documenting the organization's response as a template for the next event: what worked, what didn't, what improvements are needed and the plan for implementing them next time.
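The first two playbook steps, cutting off the vendor's access while preserving evidence, are where responders most often get the order wrong: they revoke first and then have nothing to show an investigator what the vendor could reach. The following is an added example (not code from the original post or from Panorays) of a containment dry run that snapshots a vendor's access inventory as hashed evidence before any revocation, orders the revocations so network reachability is cut first, and keeps a hash-chained action log that reveals later tampering. The vendor name, account names, token ids, timestamp and addresses are constructed sample data, and `apply` stands in for the real IAM, firewall and SSO calls your environment would need.

```python
# Added example, not from the original post: evidence-first containment of a
# third party's access, with a tamper-evident log of the containment actions.
# All identifiers below are constructed sample data; dry_run() is a stand-in
# for the real IAM / firewall / SSO API calls.
import hashlib
import json

# Constructed inventory of one hypothetical vendor's access to our environment.
VENDOR_ACCESS = {
    "vendor": "example-logistics",
    "firewall_allowlist": ["203.0.113.10/32", "203.0.113.11/32"],  # TEST-NET-3 range
    "api_tokens": [{"id": "tok-0001", "scope": "orders:read"},
                   {"id": "tok-0002", "scope": "shipments:write"}],
    "service_accounts": ["svc-example-sftp", "svc-example-api"],
    "sso_app_id": "sso-app-example-logistics",
}


def canonical(obj):
    """Canonical JSON so the same state always hashes to the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_evidence(inventory, collected_at):
    """Preserve the pre-containment state together with its SHA-256, so an
    investigator can later prove what access existed before we changed anything."""
    blob = canonical(inventory)
    return {"collected_at": collected_at, "sha256": sha256_hex(blob), "content": blob.decode()}


def verify_evidence(record):
    """Re-hash the preserved content; any edit after collection changes the digest."""
    return sha256_hex(record["content"].encode()) == record["sha256"]


def containment_actions(inventory):
    """Revocation order: cut network reachability first (no new sessions),
    then credentials (tokens, then accounts), then the SSO integration."""
    actions = []
    for cidr in inventory["firewall_allowlist"]:
        actions.append({"system": "firewall", "op": "remove_allow", "target": cidr})
    for tok in inventory["api_tokens"]:
        actions.append({"system": "api-gateway", "op": "revoke_token", "target": tok["id"]})
    for acct in inventory["service_accounts"]:
        actions.append({"system": "iam", "op": "disable_account", "target": acct})
    actions.append({"system": "sso", "op": "deactivate_app", "target": inventory["sso_app_id"]})
    return actions


def append_chained(log, entry):
    """Append-only log: each entry commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = dict(entry, prev=prev)
    entry["hash"] = sha256_hex(canonical(entry))
    log.append(entry)
    return entry


def verify_chain(log):
    """Walk the chain; a modified, reordered or deleted entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or sha256_hex(canonical(body)) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def contain_vendor(inventory, collected_at, apply):
    """Evidence first, then revocation. Returns (evidence_record, action_log)."""
    evidence = snapshot_evidence(inventory, collected_at)
    if not verify_evidence(evidence):
        raise RuntimeError("evidence snapshot failed verification; aborting containment")
    log = []
    for action in containment_actions(inventory):
        outcome = apply(action)  # real implementation: IAM / firewall / SSO calls
        append_chained(log, dict(action, outcome=outcome))
    return evidence, log


def dry_run(action):
    """Stand-in for the real change; records only that it would have been made."""
    return "dry-run"


if __name__ == "__main__":
    evidence, log = contain_vendor(VENDOR_ACCESS, "2024-01-01T00:00:00Z", dry_run)
    print("evidence sha256:", evidence["sha256"])
    for e in log:
        print(f'{e["system"]:12} {e["op"]:16} {e["target"]}')
    print("chain intact:", verify_chain(log))
```

Swap `dry_run` for a function that performs the real changes once the snapshot has been written somewhere the responders cannot alter (write-once storage, or a copy handed to counsel), and store the evidence digest with the incident ticket; the chained log then doubles as the record the "documenting" step above asks for.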
Recovering from a Breach
Once the incident is contained, it is time to work out how to return to normal business operations as quickly as possible. This means not just restoring systems, but also the services that depend on them, and planning how to harden both against future incidents (cyber resilience).
There will never be a 100% guarantee against future breaches, but taking what you learned from this one and bolstering your defenses is never wasted effort. At this stage, you'll also want to update your recovery plan with the lessons learned during response, and keep communicating with internal and external audiences about ongoing recovery efforts and progress.
If you are concerned about how to plan your data breach response and recovery, here is an excellent guide (PDF) from law firm DLA Piper that outlines every critical step, expanding on the bullets from the NIST Cybersecurity Framework noted above.
Do You Have Visibility into and Control of Third-Party Security?
Given how many data breaches start with a third party, which attackers often find easier to infiltrate than the larger organization it serves, it's important to understand exactly who you are doing business with, what their security posture is and whether it is acceptable to your company. An unknown, incomplete or inaccurate view of supplier risk leaves your organization exposed. In other words, you must have visibility into and control of third-party security. Panorays can help.
To give our customers comprehensive, in-depth visibility and control of third-party security risk, Panorays combines automated, dynamic security questionnaires with external attack surface assessments and business context to provide organizations with a rapid, accurate view of supplier and fourth-party cyber risk. As well, Panorays continuously monitors and evaluates your supplier security, and you receive live alerts about any security changes or breaches to your third parties.
Would you like to learn more about how Panorays can bolster your third-party security? Request a demo today.