Kaspersky Ban: Third-Party Risk Management Implications

Follow these seven steps to discover, triage and mitigate the risk of banned software in your third-party vendor and supplier ecosystem.
By: Scott Lang, VP, Product Marketing
August 22, 2024

In June 2024, the U.S. Department of Commerce issued a final determination prohibiting Kaspersky from selling its software in the United States (effective July 20, 2024) and from providing updates to existing U.S. installations (after September 29, 2024). The determination built on 2017 federal action (a DHS binding operational directive and subsequent legislation) that had already prohibited the use of Kaspersky products in U.S. government agencies. The U.S. is not the only country to take this step. Governments in the United Kingdom, Germany, Italy, the Netherlands and other countries have also banned Kaspersky software or warned against and significantly limited its use.

Although no direct evidence of illegal activity has been made public, the ban stems from concern that the Russian government could obtain access to the Kaspersky network and its customers' data. The security-relevant point is that endpoint protection software runs with high privileges on every machine it protects, inspects file contents and network traffic, and receives code through a trusted automatic-update channel; these governments are concerned that such access could be exploited to steal sensitive information or to deliver malware. The Russian invasion of Ukraine heightened concern that this access could be leveraged in offensive cyber operations against nations supporting Ukraine.

Third-party vendors and suppliers in these countries should already have removed Kaspersky software in response to these bans. There is no guarantee of this, however, so organizations need to investigate their vendors and supply chains for remaining instances of Kaspersky to avoid potential cyber, legal or reputational damage.

This post examines steps that organizations can take to discover and monitor instances of Kaspersky in their third-party vendor and supply chains and reduce the resulting risk.

Seven Steps to Mitigate the Risk of Banned Technology in Your Third-Party Vendor or Supply Chain

Consider these seven steps to discover, triage and monitor the use of Kaspersky in your vendor ecosystem. These steps also apply to any other banned technology, but we focus on Kaspersky in this instance.

1. Develop a centralized inventory of all third parties

A centralized inventory of all third-party vendors and suppliers adds governance and process to vendor management, and it reduces the likelihood of unmonitored vendor relationships introducing risk to your IT operations. Keep the inventory in a centralized platform rather than in spreadsheets, so that multiple internal teams can participate in vendor management and the process can be automated for everyone's benefit.

You can build a central vendor inventory by importing vendors to your third-party risk management platform via a spreadsheet template or through an API connection to an existing procurement or accounts payable solution. Teams throughout the enterprise should be able to populate key supplier details with a centralized and customizable intake form and associated workflow for approval. This capability should be available to everyone via email invitation, without requiring any training or solution expertise.

A central inventory of third-party vendors and suppliers has the added benefit of creating a single supplier profile that includes key attributes such as firmographic details, financial data, operational information, and other important insights into the company.

2. Build a map of third parties to determine technology concentration risk

During the inventorying process, collect the 4th-party technologies deployed in your vendor ecosystem (for example, the endpoint security product each vendor runs) to identify relationships between your organization and third parties based on shared technology usage. This helps you visualize potential attack paths into your enterprise and take proactive mitigation steps. You can gather this data through a targeted assessment or via passive scanning. Note the limitation of passive scanning: it fingerprints only technologies exposed on a vendor's internet-facing assets, so an endpoint agent such as Kaspersky installed on internal workstations will usually not be visible to it and must be asked about directly in an assessment.

In the case of Kaspersky, a map of vendors that use the now-banned tool lets you zero in on which vendors to assess for exposure. Keep in mind that once updates to U.S. installations stop, any vendor still running the product is relying on an endpoint security tool that no longer receives signature or engine updates, which is a risk in its own right. Focus on top-tier or business-critical vendors first, as a disruption in their operations would affect your organization most acutely.

3. Conduct an inherent risk assessment

After you centralize vendors and assess the presence of impacted technology, conduct inherent risk scoring assessments to help you determine how to assess your third parties on an ongoing basis according to the risks they pose. Attributes used to calculate an inherent risk score should at least include access to sensitive information or systems, regulatory and legal requirements, and geographic location.
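The three steps above (inventory, 4th-party technology map, inherent risk score) are easy to reason about on a small, concrete dataset. The following is an added example, not Prevalent's code or any part of its platform: the vendor names, tiers, technologies, the scoring weights and the "elevated-risk country" set are all constructed assumptions chosen to illustrate the procedure. It builds the technology concentration map, flags vendors whose 4th-party stack includes a banned product, and orders them by a simple inherent risk score so the highest-risk vendors are assessed first.

```python
"""Worked example: inventory -> technology concentration map -> inherent risk triage.

Constructed data and assumed weights; not Prevalent's scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Banned technologies, matched case-insensitively as a substring of the product name,
# so "Kaspersky Endpoint Security" and "Kaspersky Anti-Virus" both resolve to "kaspersky".
BANNED_TECHNOLOGIES = {"kaspersky"}


@dataclass
class Vendor:
    name: str
    tier: int                   # 1 = business critical, 2 = important, 3 = low impact
    country: str                # ISO 3166-1 alpha-2 code of the vendor's location
    sensitive_access: bool      # has access to sensitive data or systems
    regulated: bool             # in scope of regulatory or legal requirements
    technologies: list[str] = field(default_factory=list)   # self-reported 4th parties


# Constructed sample inventory (hypothetical vendors).
INVENTORY = [
    Vendor("Acme Payroll", 1, "US", True, True,
           ["Kaspersky Endpoint Security", "Okta", "AWS"]),
    Vendor("Northwind Logistics", 2, "DE", False, False,
           ["Kaspersky Anti-Virus", "Azure"]),
    Vendor("Contoso Print", 3, "NL", False, False,
           ["CrowdStrike Falcon", "AWS"]),
    Vendor("Fabrikam Analytics", 1, "IN", True, True,
           ["Microsoft Defender", "AWS"]),
]


def normalise(tech: str) -> str:
    return tech.strip().lower()


def banned_technologies_used(vendor: Vendor) -> set[str]:
    """Return the banned technology names found in the vendor's 4th-party list."""
    hits = set()
    for tech in vendor.technologies:
        name = normalise(tech)
        for banned in BANNED_TECHNOLOGIES:
            if banned in name:
                hits.add(banned)
    return hits


def concentration_map(inventory: list[Vendor]) -> dict[str, list[str]]:
    """Step 2: map each 4th-party technology to the vendors that depend on it.

    A technology with many vendors behind it is a concentration risk: one
    compromise or ban affects all of them at once.
    """
    tech_to_vendors: dict[str, list[str]] = defaultdict(list)
    for vendor in inventory:
        for tech in vendor.technologies:
            tech_to_vendors[normalise(tech)].append(vendor.name)
    return dict(tech_to_vendors)


def inherent_risk_score(vendor: Vendor,
                        elevated_risk_countries: frozenset[str] = frozenset({"RU"})) -> int:
    """Step 3: additive inherent risk score (0-100). Weights are assumptions.

    Covers the minimum attributes named in the text: criticality (tier), access to
    sensitive information or systems, regulatory scope, and geographic location.
    """
    score = {1: 40, 2: 20, 3: 10}[vendor.tier]
    score += 25 if vendor.sensitive_access else 0
    score += 15 if vendor.regulated else 0
    score += 20 if vendor.country in elevated_risk_countries else 0
    return score


def triage(inventory: list[Vendor]) -> list[tuple[str, int, int, list[str]]]:
    """Vendors using a banned technology, highest inherent risk first.

    Each row is (vendor name, tier, inherent risk score, banned technologies found).
    """
    flagged = []
    for vendor in inventory:
        hits = banned_technologies_used(vendor)
        if hits:
            flagged.append((vendor.name, vendor.tier,
                            inherent_risk_score(vendor), sorted(hits)))
    # Highest score first; break ties on tier so critical vendors come earlier.
    flagged.sort(key=lambda row: (-row[2], row[1]))
    return flagged


if __name__ == "__main__":
    for tech, vendors in sorted(concentration_map(INVENTORY).items()):
        print(f"{tech:<28} used by {len(vendors)}: {', '.join(vendors)}")
    print()
    for name, tier, score, hits in triage(INVENTORY):
        print(f"ASSESS FIRST: {name} (tier {tier}, inherent risk {score}) uses {hits}")
```

The matching is only as good as the 4th-party data you collected in step 2: a vendor that did not report its endpoint product will never be flagged, which is why the inventory should be corroborated by assessment evidence rather than taken purely on trust.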

Vendor Risk Assessment: The Definitive Guide

Download this 18-page guide to gain comprehensive guidance on how to conduct and implement vendor risk assessments at your organization.

Read Now
Blog vendor risk assessment questionnaire 0920

4. Assess third parties’ business resilience and continuity plans

Proactively engage at-risk vendors with simple, targeted assessments of their business resilience and continuity plans that align with recognized industry standards, including how and when they will replace the banned product and what protects their endpoints in the meantime. Results from these assessments will help you target the remediations needed to close security gaps. Good solutions provide workflow automation, review and analysis, supporting evidence management, and built-in recommendations that speed remediation.

5. Continuously monitor at-risk vendors and suppliers for cyber-attacks

Being continuously vigilant for the next attack means looking for signals of an impending security incident. It is essential to monitor criminal forums, Tor hidden services (.onion sites), dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and breach databases.

You can monitor these sources individually, or you can look for solutions that unify all the insights into a single source, so all risks are centralized and visible to the enterprise. Correlate all monitoring data to assessment results and centralize them in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

6. Test your third-party incident response plan

Automating incident response is key to shortening mean time to detect (MTTD) and mean time to respond (MTTR) to third-party incidents, which can reduce the impact of the incident on your operations. As you continually improve your incident response plans:

  • Leverage a centralized event and incident management questionnaire to cut down on response times and simplify and standardize assessments
  • Track questionnaire completion progress in real time so overdue vendor responses are chased before the incident's impact grows
  • Enable vendors to proactively report on incidents to add context and speed response times
  • Use workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Issue remediation guidance to the vendor to get down to an acceptable level of risk to your organization

By centralizing third-party incident response into a single enterprise incident management process, your IT, security, legal, privacy and compliance teams can effectively work together to mitigate risks.

7. Enforce vendor contract provisions

Be sure to include enforceable provisions in vendor contracts that prohibit the use of banned technology and require third parties to attest that they do not use it. Treat an attestation as a claim to be corroborated, not as proof: pair it with evidence such as the vendor's software inventory and the assessment and monitoring results from the steps above. To simplify the process and integrate it with the third-party risk assessment program, use contract workflow capabilities to automate the lifecycle from onboarding to offboarding, and look for AI capabilities that automatically extract key contractual details for centralized tracking and enforcement.

Next Steps for TPRM in the Kaspersky Ban

A manual, reactive approach to third-party risk management only increases your likelihood of a business disruption or a legal or compliance sanction. Instead, follow the seven steps in this post to be better prepared for future software bans.

The Prevalent Third-Party Risk Management Platform can help by:

  • Centralizing vendor contracts, automating the management of key provisions, and natively integrating with the risk assessment process.
  • Automating the management of vendors and building a map of all third, fourth and Nth parties.
  • Providing a single comprehensive profile for each vendor available to all stakeholders.
  • Profiling and tiering vendors to accurately categorize and prescribe the right due diligence.
  • Assessing vendors against dozens of industry frameworks using more than 750 risk assessment templates with built-in remediation recommendations.
  • Continuously monitoring cyber, business, reputational, and financial risks to validate assessment responses.
  • Managing the third-party incident response process.

For more on how Prevalent can help discover, triage and mitigate the risk of banned software in your vendor ecosystem, request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
