By commenting, you agree to the
Cyber risks or the potential for an organization to experience loss or damage due to cyber attacks, data breaches, or other cyber-related incidents, have increasingly captured the attention of business leaders, as they represent significant operational challenges with the potential to cause severe financial losses and irreparable harm to an organization’s reputation. Such threats are never nearer that today where according to Check Point Threat Intelligence Report, an organization in India is being attacked on average 3304 times per week in the last 6 months, compared to 1854 attacks per organization globally. Among cyber risks, third-party or supply chain risks become one of the most challenging areas as heavy and unavoidable reliance on using third parties such as Cloud and SaaS providers is a reality of today’s IT and security operations. Organizations’ sensitive and proprietary data is transmitted to, processed by, and stored in third parties’ computing environments. However, when third parties also engage other external parties (i.e., fourth parties) to support their operations and handle your organization’s data, then how well do these parties protect it?Since there may be many fourth parties involved in the supply chain, identifying who handles your organization’s sensitive information behind the scenes is the most important first step. The requirements of robust vendor due diligence from laws and guidelines for highly regulated sectors such as banking, insurance companies, health care service providers may have previously mandated risk managers to request fourth party information from third parties. The contractual stipulation of the required disclosure makes it easier to collect the information. But when there is no such clause in the already-signed contracts, and unwilling vendors push back or ignore efforts at providing the requested information, what else can organizations do? External attack surface management (EASM) is the practice of identifying potential vulnerabilities and security gaps in an organization’s public-facing digital attack surfaces, including the SaaS providers that the organization is “linked” to as third parties and fourth parties. EASM, which is often a SaaS solution itself for dashboarding after scans, may not need to connect to the organization and performs scans only using minimal domain information of the organization.
