Securing Your Suppliers: Addressing 2020’s Most Common Third-Party Cyber Gaps
Security Best Practices & Advice

By Giora Omer · Oct 28, 2020 · 4 min read

You want to work with vendors, but doing so can involve risk. Which vendor cyber gaps are the most common, and how can they be remediated?

To answer these questions, Panorays used data from our cyber posture evaluations of tens of thousands of vendors from numerous industries over long periods of time. We extracted the findings that appeared in a large percentage of the companies and omitted obvious low-risk findings that recur in all companies, such as missing recommended HTTP response headers. We focused on cyber gaps that may have a real effect on the resilience of the vendors, and thus the organizations themselves.

In honor of National Cybersecurity Awareness Month, here are the cyber gaps that we found, the number of companies affected by them and how your vendors can fix them:

1. Significant web assets not protected by WAF

Companies affected: 48%

Websites and apps are targeted by a wide range of attacks, from scraping and DDoS to injection and cross-site scripting. Web Application Firewalls (WAFs) have become a must-have for basic protection.

Tip: The emphasis here is on significant. Not every asset requires the same level of protection. However, critical web assets (e.g. those handling payment data) require protections such as a Web Application Firewall.

2. Unpatched web server with severe vulnerabilities

Companies affected: 40%

Patch management is a very common and painful subject in the security world, because it involves a great deal of effort and can impact business continuity. Moreover, employees who work from home are often reluctant to patch, because they are concerned about being left without a working workstation. For these reasons, we see that the majority of companies are struggling to patch against known critical vulnerabilities.

Tip: In many cases, attacks against unpatched technologies are opportunistic rather than targeted. For this reason, it may be advisable to start with other, less costly mitigations such as hiding technology versions, virtual patching and a WAF.

3. Vulnerable default CMS configuration

Companies affected: 34%

Content Management Systems like WordPress are widespread, and so are their security vulnerabilities. Many users don’t change default configurations such as passwords, exposed user accounts and login pages, which leaves them vulnerable to cyberattacks.

Tip: Each CMS solution has a security guide that should be followed to make sure security best practices are used.

4. Insufficient security team personnel

Companies affected: 31%

Dealing with the abundance of security responsibilities in today’s organizations requires resources. Dedicated teams focusing on, for example, the CISO office and SOC, should be put in place and properly staffed to handle the increase in incidents and cyber-related tasks.

This category did not appear as one of the top five cyber gaps in 2019, which raises the question: Why has this become more common? It’s possible that this is the result of the significant employee cutbacks that we’ve seen because of COVID-19.

Tip: Educate yourself on best practices for your industry and company size for building a strong security team.

5. Supporting deprecated SSL protocols

Companies affected: 25%

A surprisingly high percentage of companies still support deprecated and vulnerable protocols like SSL v2. This could be a single asset in a company with thousands of assets. These protocols have been deprecated for years and practically nullify the advantages of encryption and authentication.

Tip: Companies should be able to remediate this gap easily. This shouldn’t be an issue of supporting legacy clients, as TLS, which replaces SSL v2, has been available since 1999.
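Two of the gaps above (hiding technology versions in item 2, and deprecated SSL/TLS protocols in item 5) can be checked directly in a web server's configuration before a scanner ever sees the host. The following is an added example, not code from the original post or from Panorays: a small Python linter that parses flat nginx and Apache server blocks, computes the effective protocol set (including Apache's `all`/`+X`/`-X` arithmetic), and flags deprecated protocols and version disclosure. The sample configurations, the host name `shop.example.com` and the set of protocol versions the server build is assumed to support are all constructed for this example. As a generalization beyond the post, it also flags TLS 1.0 and 1.1, which RFC 8996 later deprecated.

```python
"""Added example: lint nginx / Apache config for deprecated protocols and version disclosure."""

# Protocol versions that no longer provide meaningful protection.
# SSLv2/SSLv3 are the ones discussed in the post; TLS 1.0/1.1 are added
# because RFC 8996 (2021) formally deprecated them.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: the web server build supports exactly these versions.
SUPPORTED = DEPRECATED | {"TLSv1.2", "TLSv1.3"}
_CANONICAL = {p.lower(): p for p in SUPPORTED}

# Constructed sample configs (placeholders, not taken from any real vendor).
WEAK_NGINX = """
server {
    listen 443 ssl;
    server_name shop.example.com;   # placeholder host
    # server_tokens is not set, so it defaults to "on" (full version disclosed)
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_NGINX = """
server {
    listen 443 ssl;
    server_name shop.example.com;
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

WEAK_APACHE = """
ServerTokens Full
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""

HARDENED_APACHE = """
ServerTokens Prod
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""


def parse_directives(text):
    """Return (name_lowercase, [args]) per directive line.
    Skips comments, nginx braces and Apache <Section> tags; enough for flat blocks."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "<}" or line.endswith("{"):
            continue
        parts = line.rstrip(";").split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def enabled_protocols(name, args):
    """Effective protocol set for a protocol directive, or None if not one.
    nginx `ssl_protocols A B` lists versions explicitly.
    Apache `SSLProtocol` is evaluated left to right with all/+X/-X;
    `all` covers SSLv3 and up because httpd 2.4 no longer supports SSLv2."""
    if name == "ssl_protocols":
        return {_CANONICAL.get(a.lower(), a) for a in args}
    if name == "sslprotocol":
        enabled = set()
        for tok in args:
            op, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            if proto.lower() == "all":
                members = SUPPORTED - {"SSLv2"}
            else:
                members = {_CANONICAL.get(proto.lower(), proto)}
            enabled = enabled - members if op == "-" else enabled | members
        return enabled
    return None


def audit(config_text):
    """Return a list of findings for one server/vhost config; an empty list means clean."""
    findings = []
    tokens = None
    for name, args in parse_directives(config_text):
        protos = enabled_protocols(name, args)
        if protos is not None:
            bad = sorted(protos & DEPRECATED)
            if bad:
                findings.append(f"{name}: deprecated protocols enabled: {', '.join(bad)}")
        if name in ("server_tokens", "servertokens"):
            tokens = (name, args)
    # Version disclosure: nginx defaults server_tokens to "on", Apache ServerTokens to "Full".
    if tokens is None:
        findings.append("version disclosure: server_tokens/ServerTokens not set (default reveals full version)")
    else:
        name, args = tokens
        ok = {"server_tokens": {"off"}, "servertokens": {"prod", "productonly"}}[name]
        if not args or args[0].lower() not in ok:
            findings.append(f"version disclosure: {name} {' '.join(args)}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE)]:
        print(label, "->", audit(cfg) or "clean")
```

Run it as a script to see the two weak configurations each produce a protocol finding and a version-disclosure finding while the hardened ones come back clean. The Apache path is the one worth noting: `SSLProtocol all -SSLv2` looks like a hardening line but still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled, which is exactly the kind of single misconfigured asset the post describes.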

While the above are the most common cyber gaps we found, there are many more. Because technology keeps evolving, new vulnerabilities are constantly being introduced, leading to new cyber gaps that can be exploited by criminals. For this reason, it’s important for organizations to assess and continuously monitor vendors to uncover all cyber gaps and close them.

Want to learn more about uncovering and remediating your vendors’ cyber gaps? Contact Panorays today.

This is the fourth in a series in honor of National Cybersecurity Awareness Month (NCSAM) and is dedicated to helping organizations guide suppliers with their cybersecurity.

Giora Omer

Chief Architect and winner of the annual office basketball competition at Panorays. He has over 20 years experience in software, platform and security engineering (with a short hiatus for a degree in film).
