SolarWinds: A Retrospective for Third-Party Risk Professionals
As has been widely reported, the SolarWinds cyberattack has (and will continue to have) broad implications for the business community. According to SolarWinds itself, the cyberattack “could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.” In other words, customers using Orion products (and the data on related servers) may be at risk.
According to SolarWinds, the attack originated all the way back in September of 2019. The software versions affected include the following:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which SolarWinds does not believe is affected)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQ)
SolarWinds impact on third-party risk calls to mind a variety of questions: Are the vendors you work with secure? Do your vendors have appropriate safeguards already in place? Have they taken the proper steps to address any new risks?
With that said, there are actions that organizations can take to get ahead of the next major cyberattack and limit impact as much as possible.
- Evaluate Your Existing Third-Party Risk Program: Many organizations use thousands of vendors. It’s difficult to identify which vendors matter most and which vendors present the most risks. With the prioritization of supply chain security, now is the time to conduct a thorough audit of your third-party risk program. You can’t mitigate risks that you can’t measure.
- Review Procedures for Risk Assessments: Risk assessments are an essential practice for any third-party risk program. However, many organizations have ad hoc processes and conduct assessments in spreadsheets over email. With increased risk, it’s important to maintain audit trails and take a systematic approach to your assessments. See how a Third-Party Risk Exchange can help.
- Review Your Vendor Contracts: Perhaps one of the most powerful methods of helping reduce risk is in negotiating strong contracts. What’s more, holding vendors accountable to their contracts remains a significant hurdle. Extract key contract terms from within your vendor contracts to enable simplified reporting. If updates are necessary, take a prioritized approach by focusing on the vendors that present the most risks.
- Understand Nth Parties: The SolarWinds cyberattack is a good reminder that the vendors with which we work have vendors themselves. These 4th and 5th parties present similar risks. When evaluating vendors or reviewing your third-party risk program, don’t forget that downstream vendors can put your organization at risk.
- Pay Attention to Concentration Risks & Potential Impact: Not all vendors are created equal. Concentration risk is when a single vendor is relied on for too many mission-critical tasks. Mitigate potential negative impact by diversifying your vendor portfolio and making sure that no single vendor can disrupt your entire organization should it go offline or out-of-business.
Want to assess your vendors response to the recent SolarWinds cyberattack? Request access to our questionnaire template.
Further OneTrust Vendorpedia Reading:
- OneTrust news: OneTrust Launches Vendorpedia Questionnaire Response Automation to Help Organizations Answer Security and Privacy Questionnaires
- Vendorpedia blog: What is a Vendor Risk Assessment?
- Vendorpedia blog: 7 Tips for Successful Third-Party Risk Assessments
Next steps on OneTrust Vendorpedia:
- Watch the webinar: The Ultimate Vendor Risk Assessment Checklist
- Watch the webinar: Anatomy of a Successful Vendor Risk Assessment: What We See In Practice
- Request a demo: See the Vendorpedia Platform in Action
eBook | How the Exchange Assessment Works: Explaining Control Mapping and the Emergence of the SIG Lite