
Control over third-party risk

by Sebastiaan Bosman, Blog, 8 Apr 2020

Most organisations outsource parts of their IT infrastructure. This brings different opportunities for the services they deliver, such as cloud accessibility or faster web traffic through external web hosting. But there is a downside. As more parts of the online footprint are in the hands of third parties, the digital attack surface of your organisation grows. Even though you cannot directly control those assets, your brand can be held accountable when data is leaked. So, does an increased complexity of the digital infrastructure also mean more risks to an organisation’s online footprint? And how can you find out?

Investigating outsourcing

To answer this question, we created a framework and conducted a study using our Digital Risk Protection platform. We scanned 415 European brands from a wide variety of markets for different kinds of vulnerabilities in their online footprint. The size of an online footprint is determined by the number of assets an organisation has. Assets are things such as IP addresses, web pages, social media accounts, etc. We found 323,000 assets in total.

It is logical that large organisations also have a larger online footprint compared to small organisations. To determine the difference, we divided the 415 brands equally over three categories: organisations with a big, medium or small online footprint. We wanted to see by what margin larger organisations use more third parties, and whether this increased spread of assets also increases the risk profile.

Providers into perspective

First, we scanned for the number of third parties as part of the 415 brands’ online footprint. We found a total of 5,381 unique providers. By far, most providers supply services to the brands with the largest online footprint, as can be seen below.

The larger brands divide their IT infrastructure over multiple third parties. This has benefits, e.g. less impact on the whole system if a provider experiences unplanned downtime, but is also harder to keep track of and manage, and it increases the digital attack surface.

Organisation size related to risk rating

As outsourcing the IT infrastructure to third parties increases, so does the complexity of effectively mapping your online footprint - and staying in control of it. But does increased complexity also mean that there are more vulnerabilities?

The Digital Risk Protection platform automatically subjects each asset to a number of scans and analyses. The result is a security rating from A to F. An F-rating means one or more critical vulnerabilities were found for that asset, which need to be mitigated with priority.

As can be seen below, the brands with the big online footprint have a lower percentage of critical vulnerabilities compared to the medium and small brands. This implies that outsourcing more parts of the digital infrastructure might make it more difficult to manage, but it does not necessarily mean it makes the organisation more vulnerable.

Still, it must be taken into account that these percentages are based on the risk rating of the total number of assets per brand group. That means that, in absolute numbers, there are still more assets with a critical security rating in bigger organisations than in smaller ones; the share of such assets is simply lower than in organisations with smaller online footprints. However, the threat level goes up when these assets are controlled by third parties. That makes them much harder to detect, and even more difficult to manage and mitigate.
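The distinction drawn above, between the percentage of F-rated assets per footprint group and the absolute number of them, is easy to get wrong when reading a single chart. The following added example (not Cybersprint's platform code, and not the study's data) builds a small constructed asset inventory, ranks brands by asset count, splits them into equal-sized groups the way the study does, and reports both the share and the absolute count of critically rated assets per group, together with how many of those sit with third-party providers. The brand names, asset counts and ratings are all constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    brand: str
    asset_id: str
    rating: str          # "A".."F"; F = at least one critical vulnerability found
    third_party: bool    # asset is hosted or controlled by an external provider


# Constructed sample, not the study's data:
# (brand, total assets, F-rated assets, F-rated assets held by third parties)
BRAND_SPEC = [
    ("big-1", 12, 2, 1),
    ("big-2", 10, 1, 1),
    ("medium-1", 6, 1, 0),
    ("medium-2", 5, 1, 1),
    ("small-1", 3, 1, 0),
    ("small-2", 2, 1, 0),
]


def build_inventory(spec):
    """Expand the per-brand spec into individual Asset records."""
    assets = []
    for brand, total, f_count, f_third in spec:
        for i in range(total):
            rating = "F" if i < f_count else "B"
            third = i < f_third          # the first f_third F-rated assets are third-party
            assets.append(Asset(brand, f"{brand}-{i:03d}", rating, third))
    return assets


def footprint_groups(assets, labels=("big", "medium", "small")):
    """Rank brands by asset count and split them into equal-sized groups (terciles by default)."""
    counts = Counter(a.brand for a in assets)
    ranked = sorted(counts, key=lambda b: (-counts[b], b))
    n = len(labels)
    size = -(-len(ranked) // n)          # ceiling division: group size
    return {b: labels[min(i // size, n - 1)] for i, b in enumerate(ranked)}


def rating_summary(assets, groups):
    """Per group: asset total, F-rated count, F-rated percentage, and F-rated assets at third parties."""
    summary = defaultdict(lambda: {"assets": 0, "critical": 0, "critical_third_party": 0})
    for a in assets:
        row = summary[groups[a.brand]]
        row["assets"] += 1
        if a.rating == "F":
            row["critical"] += 1
            if a.third_party:
                row["critical_third_party"] += 1
    for row in summary.values():
        # Percentage of the group's own assets, which is what a per-group chart shows
        row["critical_pct"] = round(100.0 * row["critical"] / row["assets"], 1)
    return dict(summary)


if __name__ == "__main__":
    inventory = build_inventory(BRAND_SPEC)
    groups = footprint_groups(inventory)
    for name, row in rating_summary(inventory, groups).items():
        print(f"{name:7s} assets={row['assets']:3d} critical={row['critical']:2d} "
              f"({row['critical_pct']}%) critical_at_third_party={row['critical_third_party']}")
```

With this constructed data the "big" group shows the lowest percentage of F-rated assets but the highest absolute number of them, which is exactly the reading the paragraph above asks for; the third-party column is the subset a defender cannot patch directly and therefore needs to track and escalate to the provider.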

Deep dive webinar

The threat landscape is pushing towards more regulations and due diligence, as is already the case for financial institutions. The European Banking Authority has imposed guidelines for financial institutions, which usually means other markets will follow suit. See our four key takeaways from the report here.

Would you like a more complete picture of how to assess your third parties without the use of long questionnaires or forced audits? Watch our webinar here, in which CEO Pieter Jansen and SVP Strategy Eward Driehuis give a more detailed explanation of the issue, including how to map your organisation’s footprint more effectively.

Watch the webinar



Sebastiaan Bosman is Content Marketeer at Cybersprint. With a background in Communications and Linguistics, he is responsible for the creation and editing processes of most internal and external communication. He writes content such as blogs, whitepapers and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.

How to prevent CEO-fraud with your digital footprint

CEO-fraud is the most common form of cyber-crime to target businesses worldwide. It’s now a 26-billion-dollar scam and continues to grow rapidly, with a 100% increase between 2018 and 2019. Creating awareness among employees is critical, but doesn’t offer full protection. What technical measures should you take to prevent a CEO-fraud attack at your organisation?


Mitre PRE-ATT&CK: What is it and how to use it

One of the best ways to improve your digital security is to let the past help prepare you for the future. Knowing the tactics threat actors have used in other cyber-attacks will help you determine what you should protect your systems from. Luckily, you needn’t figure that out by yourself. Mitre has created frameworks of the many different ways cyber-attacks have been orchestrated in existing use cases. Here’s how you can use this information to strengthen your cyber-resilience.

What is the Mitre PRE-ATT&CK framework?

Mitre is an American organisation conducting federally funded research into various markets with the aim of creating a safer world through their research. Cybersecurity is one of those markets. To help organisations understand where they might need to focus more security resources, they created two matrices of all techniques cyber-criminals have used to set up and execute attacks in the past. These are called the ATT&CK and the PRE-ATT&CK frameworks.

Even though the ATT&CK framework is the most well-known, we see a shift occurring, as PRE-ATT&CK is starting to step out of the shadow of ATT&CK with a more specific focus. Whereas the ATT&CK framework concentrates on the steps taken once an attack is launched, the PRE-ATT&CK framework focusses on the preceding preparation phases, allowing organisations to predict and prepare for attacks before they happen.

Mitre’s frameworks match with other models, helping to frame the extensive matrices. To illustrate how PRE-ATT&CK differs from ATT&CK, we’ve plotted the frameworks in the ‘7 stages of the cyber kill chain’, as created by Lockheed Martin. All steps needed to execute a cyber-attack can be divided over these seven stages. As shown below, the first two stages are broadly covered by Mitre’s PRE-ATT&CK, and the other five by the ATT&CK framework.

How to apply PRE-ATT&CK

Preventing an attack is far more cost-effective than having to repair damage to IT systems, let alone the financial or reputational impact it can have. It is hard and expensive to determine the impact of an attack with IT forensics, and replacing infected systems can have a negative effect on overall business productivity. Incorporating an automated outside-in perspective of your brand’s online exposure allows you to discover vulnerabilities in the same way an attacker might look for entry points into your IT infrastructure. This approach empowers you to regain control over your digital attack surface and mitigate risks before they can be exploited. This approach is called digital footprint management and can be placed under the concept of Digital Risk Protection.

Below is an overview of Mitre’s PRE-ATT&CK framework. The complete matrix is a little too large to be read in detail, so a deep dive into the content is available via this video. The highlighted fields represent the areas covered by Digital Risk Protection and digital footprint monitoring. The light green indicates partial coverage and deep green full coverage.

Combining the PRE-ATT&CK framework with your existing security procedures can help you identify potential threats and weak spots in your systems. Still, you first need to have a complete overview of your organisation’s digital assets before you can confidently say where you are more likely to be hit. That’s why the digital footprint approach works so well with PRE-ATT&CK. Having both will help you determine and validate where you might have underspent or overspent on security measures, for example. Besides improving the cyber-resilience of your systems, incorporating the Mitre PRE-ATT&CK framework in the organisation’s digital footprint will bring more business value to the organisation as a whole. This whitepaper explains the PRE-ATT&CK framework in more detail, and describes the specific ROI for your organisation.

Looking for a comprehensive clarification of the security tactics described above, explained with actual use cases? Watch our recorded webinar.


From practice to preventing: How criminals adapt their attack methods

Similar to traditional ‘brick-and-mortar criminals’, not all cyber-criminals employ the same method to reach their goal. A burglar wouldn’t enter a house with an alarm or when there are people inside, but go for an easier opportunity. The same goes for internet-thieves. Their risk/reward balance depends on the required investment beforehand to successfully carry out their attack. What are the aspects they take into consideration?

