Microsoft on resiliency.
By Tim Nodar, CyberWire senior staff writer
Oct 6, 2023

Microsoft's Digital Defense Report for 2023 stresses good hygiene, cooperative security, and management of third-party risk.

Microsoft has published its Digital Defense Report for 2023, finding that following basic security hygiene practices, such as implementing multifactor authentication, can prevent 99% of attacks. The report notes, “A threat- and risk-free environment is defined as an environment protected by proactive measures—through tools and technologies—to prevent ransomware. These include malware detection, endpoint detection and response, vulnerability management, security operations center enablement, the enforced blocking of unhealthy devices, and brute-force protection for operating systems.”

Ransomware continues to rise.

The researchers also found that human-operated ransomware attacks have increased by 200% since September 2022, and between 80 and 90% of these attacks originate from unmanaged devices. LockBit was the most common human-operated ransomware strain in 2023. The report adds, “Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks.”

The importance of collective defense.

Jason Keirstead, Vice President of Collective Threat Defense at Cyware, approves of the report’s emphasis on cooperative defense. “I'm glad to see collective defense highlighted in Microsoft's Digital Defense Report,” he wrote. “In today's constantly evolving threat landscape, no entity can stand alone. Individual defenses are critical, but as cyberthreats grow – and grow more sophisticated – taking rapid and effective action relies on the speed at which security teams can get the right intel to the right people. No organization can afford to waste time reinventing the wheel, developing defenses that have already been developed. Real-time collaboration among trusted internal and external entities expedites the ability to develop detection and response plans and to respond to threats.”

Managing third-party risk.

Paul Valente, CEO at VISO TRUST, commented by email on the importance the report attaches to managing third-party risk:

“This report underscores that third-party risk management must extend across our informational ecosystems and assess the defenses of trusted third parties well beyond our own organizational boundaries. For example, in the battle against social engineering tactics, the susceptibility of employees within these vendor organizations is often overlooked.

“As the report highlights, many vendors are missing a critical component in their security strategy: testing the susceptibility of their employees to social engineering attacks. This omission poses a shared risk to us as their partners, as a breach within their organization can potentially provide malicious actors with an entry point into our network as well. We've seen recent examples such as the Reddit and Slack breaches, where highly sophisticated phishing attacks compromised employees and subsequently jeopardized the security of the organizations they served.

“The crux of the matter is that whether a vendor has direct access to our internal systems or merely possesses contact details that are not readily available online, a successful third-party phishing attack can become a significant threat to our organization's security.

“So, what should we do if a vendor doesn't implement social engineering testing? In some cases, where a vendor has minimal access to our network, we should assess the potential impact of their compromise on our organization. Questions like "Could they access sensitive data?" are crucial. If the answers lean towards affirmative, it's incumbent upon us to look inward and explore ways to mitigate the risks that the vendor presents. If there are limited mitigation options, it may be prudent to explore alternative third-party solutions.

“In the fight against third-party social engineering vulnerabilities, we must focus on the human factor and adopt a shared responsibility approach. Acknowledging that phishing emails can occasionally slip through even the most robust defenses, both we and our vendors should prioritize employee training to resist clicking on malicious links. Regardless of the security measures our vendors have in place, closing security gaps requires teamwork and collaboration. We must work closely with our vendors, fulfill our part of the security equation, and assume a shared level of responsibility whenever feasible.

“To enhance our ability to identify and address third-party risks, we should consider leveraging tools and solutions like those offered by VISO TRUST. These tools can help us pinpoint blind spots in our third-party risk landscape and identify common controls that are susceptible to cyberattacks. It's crucial to proactively assess and manage third-party risks to bolster our overall cybersecurity posture.”