Skip to main content

DDoS Threats: Are Your Third Parties Protecting You?

September 25, 2017

In the next thirty seconds, jot down the top online service providers your organization uses. 

Now, jot down service providers that may not be online but could be impacted by a distributed denial of service (DDoS) attack. 

Take a minute to prioritize those vendors by criticality. How critical are these providers? How do they impact your day-to-day operations? 

Next step…what is your next step? 

DDOS Featured

There’s evidence that ransomware may be evolving beyond holding data hostage. In recent news, DDoS attacks were used as a threat against organizations, shutting down their internet connections and holding the organization for ransom. DDoS attacks aren’t new. And while this new use of DDoS may be alarming, we need to pause and look at how business works in our interconnected world. 

I asked you to take the steps above to highlight that many of us aren’t prepared for a coordinated vulnerability or a threat response plan, in which we proactively ask our service providers about threats that could impact them, and in turn, impact us. And when we do have a plan, normally, it is painful and entails shooting out emails and combing through previous assessments and data and looking for controls that could mitigate a specific threat. 

Keep in mind, a risk management and information security program which has a strong third-party risk management team—combined with a program that has a strong threat management team—will be in a great position to complete this analysis. Unfortunately, and quite often, this is not the case, leaving us and our partners in a critical position.

As I thought about how I would traditionally approach these threats, I have to admit my strategy is still the same, however, the details are a bit different. Let’s look again at the approach of Predict, Prevent, Detect, Respond and Recover. 

  • Predict — Determine when the likelihood of a third-party breach is rising. For this step of the strategy, you must watch for attacks that could impact your industry as well as the industry of your service providers. 
  • Prevent — Minimize the probability and/or impact of a third-party security breach. Establish how to prevent a third-party breach, and consider why repetitive security reviews and due diligence are necessary. For this step, you want to know your third parties and also look at business resiliency where key third parties are located. You also might take a look at specific controls from third-party attestations and certifications based on the threats you have identified. 
  • Detect – Learn how to detect a third-party breach, and why repetitive security reviews and due-diligence are necessary. Educate your business partners on reporting third-party outages to your team. Also, make sure contractual language exists in which third parties notify you of services impacting cyber attacks. 
  • Respond – Have a game plan for your team and the business when an attack or notice of an attack occurs. Ask yourself how you would understand the impact, source of the threat and how your organization would continue with business operations.
  • Recover – Quickly recover or assist in the aftermath of a third-party breach. When you are recovering from a third-party cyber incident involving disruption of services, there could be impact to your clients, customers and stakeholders. Determine if you are ready to respond publicly as an organization in the case that one of your third parties has an incident. Remember, you might not be able to share details immediately, at least not publicly. Have a solid post-incident PR plan in place for these situations. 

As we develop more and more interconnected and service-based business processes, we certainly will be faced with challenges from third-party breaches and cyber incidents. While this might not be your top concern as a security organization, evaluation of the problem and threat from a business perspective warrants having serious discussions. You can put an effective cyber-security roadmap into place today to mitigate issues in the future.


    James Robinson

By: James Robinson

Vice President, Third-Party Risk Management

See More

Related Blogs

April 25, 2018

Five Application Security Best Practices for Serverless Applications

Serverless architecture enables applications to be developed and deployed without management of the underlying host or operating system. Instead of a ...

See Details

June 08, 2018

The Business Trusts the Third Party – Should You?

In this day and age we are faced with some hard facts within information security. One of those facts is that breaches are imminent and we must be pre...

See Details

March 16, 2017

OCC Updated Guidance on Third-Party Risk

Recently, the Office of the Comptroller of the Currency (OCC), released updated guidance for bank examiners as they scrutinize third-party risk progra...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.