Pratum Blog

Whether you’re answering a steady stream of cybersecurity questions or asking your own suppliers to answer them, these documents have probably become a significant part of your job in the last year. The recent flood of cyber attacks has motivated most organizations to elevate third-party risk management to a top priority in 2021.

But even if the concept just appeared on many radar screens, it’s not a new issue. Every business of the past had to decide whether critical partners (from those supplying raw materials to those delivering finished goods) could reliably fulfill their contracts and protect what was entrusted to them. But the challenge has grown massively more complex with increasing integration and sharing of critical data. Government regulations raise the bar even more with breach notification laws and other rules that can make a vendor’s security problem a legal liability for everyone in the chain.

So proactive companies are quickly spinning up ways to get proof that every partner handles data securely. At this year’s Secure Iowa Conference, Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association, reviewed the latest best practices in this quickly developing area. This post highlights top takeaways from her talk.

Julie Gaiaschi, CEO & Co-Founder, Third Party Risk Association

Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 14 years of technology and information security risk experience, with the last 10 years specializing in third party risk. In her role as CEO, she provides strategic direction for the non-profit, whose mission it is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs.

Prior to co-founding the TPRA, Julie consulted on third party risk for a large bank. She also developed and led a large health payer organization’s Third Party Security program. There, she established and executed the third party risk assessment process, which included integration into the Procurement process. Prior to her role as the leader over Third Party Security, Julie was a Senior IT Auditor.

Forces Driving Change in Third-Party Risk Management

Julie highlighted several areas demanding fresh thinking about managing risk:

  • Increasingly complex threats – Everyone knows breaches are up dramatically this year, and many of the attacks are coming through third parties via software supply chain attacks such as the Kaseya breach in July 2021. That means your vendors’ security policies are, to a large extent, becoming your problem to manage.
  • Expanded reliance on third parties – It’s tempting to think that sending your data to a cloud vendor ensures someone else will take care of security for you. But Julie notes that, “Your cloud partner may provide the controls, but it’s up to you to turn those controls on properly.” Many businesses are also seeing increased exposure from heavy use of e-commerce shopping carts and payment processing.
  • New momentum for digital transformation projects – New tools such as smart predictive analysis, AI, and business process reengineering all enhance operations, but they also present a fresh set of risks to manage.
  • Additional regulatory scrutiny – State and federal laws continue to ramp up requirements for managing security and reporting breaches.

Best Practices to Remember

To effectively keep up with these changes, Julie recommends a third-party risk management program built on these five elements:

Third Party Risk Management Program Elements

As she walked through each of these core areas, Julie provided the following tips:

  • Look for hidden contracts at your company – Compiling a list of your existing contracts can be a tall order, especially since there are probably many you won’t even think of. Julie says, “When you go through the contract review stage, you may realize you have people in your organization that are clicking buttons as they do their work, which means they are often entering into contracts and don’t even know it.”
  • Visit your vendors – When you’re reviewing the security posture of key suppliers, take time to go see them. On-site visits provide essential insight into how your vendors are actually implementing what they wrote on paper. Plus, personal visits build relationships that will make your partners more inclined to spend time providing detailed answers to your questions in the future.
  • Get a voice in the contract review process – “You need a seat at the table with the team that drafts and reviews contracts,” Julie says. “You need to know the kinds of controls that need to be put into contracts, and you can suggest the kinds of alternative controls you can use if they don’t agree to your terms.” Someone with an eye for risk management can also help write contracts that include triggers related to changes in a vendor’s situation. If a supplier makes a big change such as adding an offshore location, changing owners or changing data handling systems, your contract may need to specify adjustments.
  • Join the business continuity/disaster response team – Your organization’s plans for recovering from data disasters have to account for your third-party relationships. Make a point of building relationships with the BC/DR crowd so that you can have a say in what goes into the plans.
  • Check the exact scope of reports you receive – Reports from SOC 2 auditors and penetration testers provide valuable insight into a system’s policies and defenses. But the reports help you only if they cover the areas you’re interested in. Read the scoping information carefully before agreeing that these reports will be sufficient.
  • Don’t overlook disengagement – Unless you want to be held hostage in a contract, you should be planning how to minimize the impact if it makes business sense to part ways with a given partner. Your disengagement plan should address issues such as ensuring all your data is returned or destroyed—and that you can validate that vendors did what they claimed.
  • Show leadership why your work matters – While the value you’re adding each week may be obvious to you, it probably isn’t to leaders who haven’t given this area much thought in the past. “If you’re starting this effort from scratch, you need metrics and reporting that show the value you’re adding,” Julie says. “Make sure they’re appropriate to the audience you’re talking to, whether those are executives, board members or a steering committee.”

You can download a copy of Julie’s full presentation here. You’ll get details such as 13 essential inherent risk questions to ask your vendors.

If you need help reviewing your third-party risk or handling questions from your customers, contact Pratum for a free consultation.

Ransomware Attack CEO Panel Rob Denson, DMACC and Scott Walter, EFCO

You could wait for a ransomware attack to teach you some hard truths about combatting these breaches. Or you could step up your game right now with hard-won lessons from organizations that have already been there. At the 2021 Secure Iowa Conference, two CEOs took the stage with a commitment to helping others learn from their ransomware experiences. In this post, you’ll step inside two organizations’ war rooms as they manage a ransomware attack—and share best practices we all can follow to stop these attacks, or at least limit the damage.

The Attacks

In June 2021, Des Moines Area Community College suffered a ransomware attack that made national news. The school, Iowa’s largest community college, has six campuses, 1,880 employees and more than 72,000 total students. The ransomware attack forced the closure of in-person classes for one week and online classes for two weeks. DMACC CEO Rob Denson joined the conference panel to discuss the school’s experience.

Rob Denson, President, DMACC

Rob Denson was appointed the fourth President of Des Moines Area Community College on November 1, 2003.

In addition to his DMACC position, he serves on the National Board of Gateway to College, a drop-out recovery program; the Governor's STEM Advisory Council and Executive Committee; the National STEM connector Innovation Task Force, and the Food and Ag Council; and, the National Leadership Council of Opportunity Nation. He also chairs the National STEM connector Higher Education Council and serves on the boards of Iowa Student Loan Liquidity, the Iowa Ag. Literacy Foundation, the Technology Association of Iowa, the Iowa Quality Center, the Agri-Business Association of Iowa, the Iowa Direct Caregivers Association, the Iowa Rural Development Council, the Greater Des Moines Partnership, the Iowa Innovation Council, and the Iowa Economic Development Authority.

In the summer of 2020, hackers launched a ransomware attack against EFCO, a Des Moines-based manufacturer that serves customers worldwide with its concrete forming and shoring products. EFCO President, CEO and Director Scott Walter joined the panel to tell his team’s story.

Scott Walter, President, Chief Executive Officer & Director, EFCO

Scott Walter has been with EFCO since 2008 and in his current position since 2020. He is responsible for the strategic direction of the Company and oversees the management of manufacturing, sales, distribution, and finance. While with EFCO he has held positions in manufacturing and information technology.

Q:

How were you first notified about the attack?

Rob:

I was driving on vacation when I got a call that a student received a phishing message in a computer lab and gave up their credentials, which let the bad guys go in with Ryuk ransomware. I kept driving and got hourly updates from initial interactions with our insurance company.

Scott:

Coming from IT, I was used to getting calls at night. And now being CEO (for only two months at that time), I was used to hearing about crises coming up at any time. This call came at 9pm. In hindsight, I think our initial reaction was an underreaction.


Q:

What was your team’s first step?

Rob:

We waited 24 hours for the insurance company to get everything in place. We hadn’t done any practice runs, which I recommend you do. I hadn’t paid enough attention as CEO to all the crazy acronyms and company names. It was an unbelievable learning experience.

Scott:

We worked through the night to shut down the network and stop the spread. Then we started working on identifying the extent of the attack and what recovery would look like. We met in that war room every day for a couple of weeks.


Q:

What were your initial discoveries?

Rob:

We found a ransom note on a computer in one of our satellite campuses. This group went searching for anything labeled “confidential” and found one of our VP’s files that had nothing in it but very old personnel data. In the end, we paid no ransom.

Scott:

We found out that 50% of our servers were encrypted and wasted about a day trying to find the right vendor to help us out. Within 5 days (counting a weekend) I set up a sandbox with our dev team with our ERP system to run the business. We had 10 people taking calls from around the world to enter things into the ERP within that sandbox.

We kept a close eye on everyone’s energy level and ability to make decisions. You’re making critical decisions around the clock and looking for the critical path to get back up and running.


Q:

How was your cyber insurance experience?

Rob:

We had great service, but our premium went from $30,000 last year to $100,000 this year. (This blog explains why cyber insurance rates are climbing for everyone this year.) To not lose time in our next situation, we put the consultants we used on a retainer to stand by so that we don’t have to wait for insurance.

The business interruption consultants tagged our business loss at about $950K for the fall term due to students giving up on registration. It will be a great help if we can recover that money through our business interruption insurance.

Scott:

When you have the whole company shut down, the damages are impossible to estimate and impossible to validate. We got minimal help there, I would say. 


Q:

What were other business impacts?

Rob:

They got our active directory, which I’d never even heard of. We didn’t have MFA, which would’ve sounded like an obscenity to me before this. We had thousands of e-mail addresses to put on MFA. That took a heck of a lot of effort.

We had to decide which systems were a priority to restore. The first thing we did was get payroll back up and get financial aid flowing back to our students, many of whom are low income. Then we went to registration systems.

Scott:

In prioritizing systems and locations, we focused on the customer. We’re always shipping and returning equipment from customers every day. We had offline processes to handle that for a short period. Eventually, we’ll miss a billing cycle. Eventually, we’ll miss a payroll run. So that’s how we prioritized. We know which district offices do the most business and prioritized those first, knowing we’ll have to scan and clear every computer before it rejoins our network.


Q:

What kind of media and notification situation did you face?

Rob:

We contacted the FBI and had to notify the U.S. Department of Education and the Iowa Department of Education and our board. But most important was communicating to our own faculty, staff and students. We kept sending out e-mails and put up a daily note on our site, mainly reassuring people that very few names had been disclosed. The media was beating down the door, and the lawyers told us to just refer them to statements on our website.

Scott:

We have a low profile in our city, and much of our operations are elsewhere, so it didn’t make the news. A blogger did pick up on our attack. They didn’t name us, but they gave us some new information because it was a new piece of malware we were facing, and they’d seen it on the dark web.

Law enforcement was first on my mind, but I was surprised to learn that our consultants said not to call the FBI. We notified customers, shareholders, employees—anyone who had information that may have been compromised. We didn’t know what servers the hackers had been on yet.


Q:

What is your team saying about the breach now?

Rob:

We’re on to dealing with the Delta variant. We did go to MFA. We’re doing more frequent password changes. Computers lock after 15 minutes of inactivity. But overall, we’re on to the next emergency.

Scott:

It’s a significant event in our recent history, so it sticks in people’s minds. I had been part of starting an info security committee in the company a couple of years earlier, but we weren’t disciplined about holding meetings and reporting to the board. The committee was reluctant to put in place security things that would make people’s jobs slightly harder and cause pushback. But now, nobody wants to go through this again.

We never knew exactly who attacked us or how they got in. That makes it hard to tell that to the team in a way they can understand it and in a way that’s applicable to their work and how they can do their part to protect it.


Q:

What do you know now that you wish you’d known then?

Rob:

You need to immediately get your IT people and your insurance on the horn. Identify your most likely consultants and reach out to them in advance. They can help test your system to confirm steps you’ve taken to become a harder target. 

Scott:

Our experience validated that backups are gold. We had the option to not pay the ransom, and we lost very little data in the process. But I wish I would have known how important forensics would be. We needed a clean network to be reconnected and to scan for malware on all the machines. And forensics are also critical to knowing what was lost.

We also needed more focus on the prevention side of things. Minimally, we needed to be able to recover. But now we need to focus on prevention. We found out during our investigation that Microsoft Defender had detected this and was not configured to notify our IT department.

If this discussion gets you thinking about your own readiness for a ransomware attack, contact Pratum today for a free consultation.

Managed XDR

The cybersecurity headlines have convinced you that it’s time to get serious about security. You’ve heard enough about how traditional tools are getting passed up by ransomware innovations, software supply chain attacks and fileless malware. You know it’s time for a cybersecurity system like managed XDR that’s smart enough to intercept threats so new that antivirus programs and whitelists don’t even know about them.

In short, you’re in the market for a managed XDR solution that uses AI, machine learning and global threat reports to block attacks no one has seen before. Whether this is your first event monitoring solution or an upgrade to your traditional SIEM, you’ll run a lot of numbers in deciding what direction to take.

At first glance, XDR will probably seem like a cost increase from what you’ve been using. But after a closer look, most of our clients find that managed XDR produces cost savings and workload reductions that easily offset any additional investment you’ll make. In this blog, we highlight key ways that managed XDR makes good business sense, not only by improving your security posture, but by actually saving you money. Use this list to help guide your buying decision—and convince executives that your managed XDR plan makes sense for the budget.

You’ll see that managed XDR goes far beyond keeping hackers out of your system. With Pratum tuning the system, managed XDR frees up staff time, optimizes tools you’re already paying for and more.

Defense Against Zero-Day Attacks

If your cybersecurity program stops only known threats, innovative hackers may feast on your system. This year, for example, has brought a boom in attack vectors such as supply chain attacks and fileless malware that leverage sources you trust (such as software partners and your own operating systems) to compromise your system. XDR provides the protection required in a world where hackers are running attacks that have no files to watch for, rendering antivirus solutions defenseless in many cases.

The business advantage: Defenses that constantly adapt to the latest threats.

No More Security Gaps

Most security stacks evolve over time into a mixed bag of platforms from multiple vendors. That creates gaps that attackers can slip through. A managed XDR solution, on the other hand, offers one SOC managing one platform from one vendor. (Pratum uses Microsoft’s Azure Sentinel and Defender for Endpoint.) With a unified managed XDR platform, you get native integration of SIEM, endpoint protection, vulnerability scanning, antivirus and more. That eliminates cracks that weaken most multivendor systems.

The business advantage: Elimination of gaps that could render your security stack ineffective.

Actionable Alerts

Our incident alerts provide critical detail and context that let you drill down on specific improvements for your security program. The chart shown here illustrates how Pratum uses Azure Sentinel to dramatically reduce the number of alerts a client’s IT team would normally have to manage.

Most of the tickets that make it to the IT team require only a simple response to a question such as, “Was the addition of user ‘larrybird’ to AdminGroup a legitimate request?” Other alerts recommend a specific action such as blocking a specific IP address that is attempting multiple suspicious logins.

Diagram of How Managed XDR reduces your security workload

The business advantage: More IT efficiency through highly targeted alerts.

Reduced IT Workload

Despite marketing promises from some XDR vendors, XDR is not a plug-and-play tool. So if you’re considering implementing an XDR platform through your current IT team, make a careful review of what that will require. These advanced systems require regular fine-tuning for your environment to reach the full value you’re paying for. By managing your XDR system, Pratum’s SOC frees up your IT team to complete other business-critical projects. By minimizing false positives, we limit alerts to the critical events you specifically want to monitor.

The business advantage: Free up your IT team to complete the business-critical projects they were hired to do.

Dramatically Lower Downtime

Most breaches take days or weeks to discover. So the minute that you realize your system has been breached, you’re already behind. That makes timely digital forensics work a top priority. With 24/7 monitoring of your entire system and advanced threat hunting offered by managed XDR, you can typically reduce forensics analysis of attacks from days to minutes. That means you catch and eradicate intruders faster.

The business advantage: Business interruptions reduced to hours rather than days.

Strategic Guidance

When Pratum’s SOC analysts implement a new managed XDR relationship, they lead provisioning, rule creation and more. We work every day with multiple industries and dozens of clients—and apply the lessons to your XDR setup. Every lesson learned by Microsoft and Pratum improves your system.

The business advantage: Best practices gleaned from dozens of other XDR installations.

Better Results From Your Other Tools

Managed XDR monitors the effectiveness of security layers throughout your system. For example, if you have an e-mail filtering solution that isn’t stopping spam sufficiently, XDR lets you know. Sometimes, we’ll determine that XDR can actually replace tools, reducing your IT expense.

The business advantage: Full value from the tools you’re already paying for.

If you’re ready for a free consultation on how managed XDR can boost your bottom line, contact Pratum today.
