March 29, 2021

Zero Trust and Third-Party Risk Management

The evolution of the Zero Trust cybersecurity model – or “verify, then trust” – has accelerated and become a prominent point of discussion across the security community. The COVID-19 pandemic led many businesses to move to a largely remote or hybrid work environment. This, combined with digital transformation and innovation initiatives, such as transitioning to a cloud environment, has changed the risk landscape and the approach companies need to take to manage cyber risk. In light of the ever-evolving cyber threats, the governance, culture, and technology functions within an organization need to pivot to address these new risks. When it comes to implementing a zero-trust framework, it is critical that the IT and security practitioners are aligned with the larger business and executive team. 

One of the key areas of cyber risk for companies, and one of the clearest opportunities to strengthen zero-trust frameworks, is third-party vendors, service providers, and the supply chain, as companies continue to embrace digital transformation initiatives and rely on third-party service providers more than ever. In June 2020, the U.S. Secret Service issued an alert about the increasing volume of cyberattacks involving Managed Service Providers (MSPs), as cybercriminals seek to scale their results by compromising a single MSP to gain access to multiple companies.

During a recent webinar at the Virtual Cybersecurity Summit on Zero Trust, hosted by Tom Field, Sr. Editor of the Information Security Media Group (ISMG), Kostas Georgakopoulos, CISO of Procter & Gamble, Jeff Brown, CISO for the State of Connecticut, and Alvarez & Marsal Managing Director Rocco Grillo discussed the threat of cyber vulnerabilities involving third-party vendors and the supply chain. Rocco expressed the need for mature third-party risk management programs, saying “It needs to be part of the fabric. It needs to be integrated the same way an end-user or customer is in your zero trust model.”

To help address these risks and implement zero-trust frameworks, companies can:

  1. Re-evaluate and understand the organization’s most critical assets and ensure that they have been inventoried, documented, and prioritized. In a Zero Trust environment the perimeter has expanded, and it is critical that companies recognize what they are trying to protect and who is being granted access to their assets.
  2. Take an inventory of the attack surface and of the controls in place to protect these assets, and re-evaluate the potential threats and risk exposures that exist or that may be hidden in blind spots as the “perimeter” continues to expand and, in some instances, becomes a non-factor.
  3. Inject third-party risk management into the overall enterprise governance structure to protect the organization and its most critical assets. Third-party risk management initiatives need to be taken to the next level with a “verify, then trust” mindset. Conducting assessments to meet regulatory and compliance obligations is just scratching the surface. After what we have witnessed over the past year, and moving forward, third-party risk management needs “Tone-At-The-Top” and must be treated as a critical business decision whenever a function is outsourced to a third party or a third party is given access to your systems.
