Third Party Risk Assessment Gains Importance Following Log4j
Thanks to the Log4j vulnerabilities, businesses across the world got a not-so-friendly reminder earlier this month that it’s vital to ensure that all third-party software within the organization is assessed frequently.
Following the news and the subsequent patches, organizations can treat the wake-up call as a prompt to complete a full third-party risk assessment, according to SecurityScorecard’s latest release, “Log4j Vulnerability Technical Report.”
After you’ve assessed your organization and the internal impact, there are several important steps to take, including assessing your vendors and checking whether they run an older version of Log4j (earlier than 2.17.0, as of this publication), according to the report. “We have published a new informational signal in SecurityScorecard called Vulnerable Log4j Version Detected. This informational signal does not impact scores and appears on Scorecards where a vulnerable Log4j instance was detected as of December 14th. If you see this signal on a vendor’s scorecard, reach out to them right away,” the report read.
Another way to assess your third-party damage is to download the Log4Shell Questionnaire, provided by SecurityScorecard, send it to all your software vendors, and then share your findings with your business partners.
Third-party risk management is not just something an organization should do after a breach; for security experts, it should be top of mind, according to “Best Practices for Trusted Third Party Risk Management,” also issued by SecurityScorecard.
“Third parties are a necessary part of your enterprise. They are your vendors, your suppliers, your contractors, and your partners. Without them, you can’t do business,” according to the report. “Unfortunately, third parties are also a major source of cyber risk. Cybercriminals often target third-party providers to target their clients’ data and networks, such as the notorious SolarWinds breach at the end of 2020.”