In June 2024, the U.S. government banned the sale of and updates to software developed by cybersecurity company Kaspersky in the United States. The announcement followed a 2017 law that prohibited the use of Kaspersky software in government agencies. The U.S. is not the only country to make this decision. Governments in the United Kingdom, Germany, Italy, the Netherlands and other countries have also banned or are significantly limiting the use of Kaspersky software.
Although there is no direct evidence that illegal activity is occurring, the ban comes from concerns that the Russian government may have access to the Kaspersky network and their customer data. These governments are concerned that the access that Kaspersky uses to protect computer systems could be exploited to steal sensitive information or install malware. The Russian invasion of Ukraine furthered concerns of Russian cyberattacks leveraging access to the Kaspersky systems to conduct offensive operations against nations supporting Ukraine.
Third-party vendors and suppliers in these countries should have already cut ties with Kaspersky software in light of these bans. There’s no guarantee of this though, so it’s critical that organizations investigate their vendors and supply chains to identify instances of Kaspersky to avoid potential cyber, legal or reputational damage.
In light of this new ban, this post examines steps that organizations can take to discover and monitor instances of Kaspersky in their third-party vendor and supply chains and reduce risk.
Consider these seven steps to discover, triage and monitor the use of Kaspersky in your vendor ecosystem. These steps also apply to any other banned technology, but we focus on Kaspersky in this instance.
A centralized inventory of all third-party vendors and suppliers adds governance and process to vendor management, and it reduces the likelihood of unmonitored vendor relationships introducing risk to your IT operations. Inventorying your vendors should be done in a centralized platform – not spreadsheets – that way multiple internal teams can participate in vendor management and the process can be automated for everyone’s benefit.
You can build a central vendor inventory by importing vendors to your third-party risk management platform via a spreadsheet template or through an API connection to an existing procurement or accounts payable solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized and customizable intake form and associated workflow for approval. This capability should be available to everyone via email invitation, without requiring any training or solution expertise.
A central inventory of third-party vendors and suppliers has the added benefit of creating a single supplier profile that includes key attributes such as firmographic details, financial data, operational information, and other important insights into the company.
Collect 4th-party technologies deployed in your vendor ecosystem during the inventorying process to help identify relationships between your organization and third parties based on certain technology usage. Doing this will help you visualize attack paths into your enterprise and take proactive mitigation steps. You can accomplish this through a targeted assessment or via passive scanning.
In the case of Kaspersky, having a map of vendors that utilize the now-banned tool would help you zero in on which vendors to assess for potential malware exposure. Focus on top-tier or business critical vendors first, as a disruption in their operations would potentially impact your organization more acutely.
After you centralize vendors and assess the presence of impacted technology, conduct inherent risk scoring assessments to help you determine how to assess your third parties on an ongoing basis according to the risks they pose. Attributes used to calculate an inherent risk score should at least include access to sensitive information or systems, regulatory and legal requirements, and geographic location.
Vendor Risk Assessment: The Definitive Guide
Download this 18-page guide to gain comprehensive guidance on how to conduct and implement vendor risk assessments at your organization.
Proactively engage at-risk vendors with simple, targeted assessments that align with known industry standards. Results from these assessments will help you target needed remediations to close potential security gaps. Good solutions will provide workflow automation, review and analysis, supporting evidence management, and built-in recommendations to speed remediation and quickly close those gaps.
Being continuously vigilant for the next attack means looking for signals of an impending security incident. Monitoring criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases is essential.
You can monitor these sources individually, or you can look for solutions that unify all the insights into a single source, so all risks are centralized and visible to the enterprise. Correlate all monitoring data to assessment results and centralize them in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.
Automating incident response is key to shortening mean time to detect (MTTD) and mean time to respond (MTTR) to third-party incidents, which can reduce the impact of the incident on your operations. As you continually improve your incident response plans:
By centralizing third-party incident response into a single enterprise incident management process, your IT, security, legal, privacy and compliance teams can effectively work together to mitigate risks.
Be sure to include enforceable provisions in vendor contracts that prohibit the use of banned technology and require third parties to attest to its non-usage. To simplify the process and integrate with the third-party risk assessment program, leverage contract workflow capabilities to automate the lifecycle from onboarding to offboarding and look for AI capabilities that automatically extract key contractual details for centralized tracking and enforcement.
Taking a manual, reactive approach to third-party risk management will only increase your likelihood of a business disruption, legal or compliance sanction. Instead, follow the seven steps in this post to be better prepared for future software bans.
The Prevalent Third-Party Risk Management Platform can help by:
For more on how Prevalent can help discover, triage and mitigate the risk of banned software in your vendor ecosystem, request a demo today.
Follow these 7 steps for more secure and efficient offboarding when third-party relationships are terminated.
10/17/2024
Third-Party Risk Management (TPRM) has advanced from being an annual checklist exercise to a critical daily...
10/07/2024
Effectively manage third-party cybersecurity incidents with a well-defined incident response plan.
09/24/2024