Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1439196
Peer to Peer: ILTA's Quarterly Magazine | Winter 2021 | Page 24

Commercial software packages are available to perform ongoing hardware and software inventory scanning. Firms may find that an automated inventory scanning solution is cost-justified once labor savings and risk reduction are taken into account.

2. Expand the Net

Once you have your initial inventory of the software used across the firm, think bigger. The costliest cyber breaches occurred when businesses did not think "outside the box" to uncover overlooked security risks and were blindsided as a result. For example, Home Depot paid $17.5 million to settle a data breach lawsuit that originated from hackers using a vendor's username and password to infiltrate the company's network. Target was hit by hackers who infiltrated its systems using the network credentials of a third-party HVAC and refrigeration subcontractor. As a result, Target paid $18.5 million to settle claims from 47 states and the District of Columbia.

Even hardware as commonplace (and seemingly harmless) as an office keypad door entry system is managed through a web-based administrative console delivered as a SaaS interface. Some of these systems lack support for essential security capabilities such as multifactor authentication. Commonplace office items, including access control keypads, printers, and copiers, are easy to miss when compiling an inventory, but they can present real security vulnerabilities for the firm. Learn from other companies' misfortunes by casting your security net wider: when in doubt, include everything and plan to protect it.

3. Examine Your Processes and Go Deeper

Look at the processes throughout your firm: the law practice, accounting, human resources, IT, and more. Each process has its own software supply chain, including a mixture of technology installed locally on desktop computers and cloud-based/SaaS technology delivered over the internet.
However, this is only the first level; go deeper than the firm's direct vendors and include their suppliers as well. For example, the firm's software providers may license or embed other companies' code in their technology. Additionally, if the firm's software suppliers have access to your network and data with inadequate security protection, a breach on their side could expose the firm's data. The firm's security review should be rigorous, covering both its direct software suppliers and the third-party companies that service those vendors.

4. Formulate a Vendor Risk Management Process

Implementing a strong vendor risk management process is essential to protecting the firm. Questionnaire templates such as SIG (Standardized Information Gathering) and the abbreviated SIG Lite provide a framework and sample questions to help the firm develop its own questionnaires for existing and new vendors. Questionnaires can verify the vendor's network defenses, cloud security practices, software development lifecycle controls (for technology providers), use of monitoring and scanning tools to detect vulnerabilities, and history of breaches and security incidents. Ask about the credentials they require for data access, including how they protect passwords and ensure their system is accessed only by authorized parties. Security-related evaluation questions should be embedded in the firm's RFPs (requests for proposal) and purchasing process so that every supplier vying to do business with the firm is vetted.

5. Perform Risk Triage and Evaluation

Once vendors have responded to risk management questionnaires, IT can then evaluate them to flag the
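The following is an added worked example, not code from the article or from ILTA, showing how steps 3 through 5 can be combined in practice: each vendor record carries its own sub-suppliers (the "deeper" supply chain), the access it has to the firm's network or data, and a handful of questionnaire-style answers. Vendors are scored, the riskiest entry anywhere in their supply chain is surfaced, and each is placed in a triage tier. The vendor names, the answer fields, the weights, and the tier thresholds are all constructed assumptions for illustration; a firm would substitute its own SIG-derived questions and weighting.

```python
"""Vendor risk triage over questionnaire responses (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vendor:
    name: str
    category: str                   # e.g. "practice management", "physical access"
    network_access: bool = False    # can reach the firm's internal network
    handles_firm_data: bool = False # stores or processes firm/client data
    supports_mfa: bool = True       # admin/user access can be protected with MFA
    breach_in_last_3y: bool = False # disclosed security incident in the last 3 years
    sdlc_controls: bool = True      # documented secure development lifecycle
    # Step 3: the vendor's own suppliers (embedded code, sub-processors), nested
    sub_suppliers: List["Vendor"] = field(default_factory=list)


def score_vendor(v: Vendor) -> int:
    """Weighted risk score; higher is riskier. Weights are illustrative assumptions."""
    score = 0
    exposure = v.network_access or v.handles_firm_data
    if v.network_access:
        score += 3
    if v.handles_firm_data:
        score += 3
    if not v.supports_mfa:
        # Missing MFA matters far more when the vendor can reach the network or data
        score += 4 if exposure else 2
    if v.breach_in_last_3y:
        score += 2
    if not v.sdlc_controls:
        score += 1
    return score


def riskiest_in_chain(v: Vendor, path: Tuple[str, ...] = ()) -> Tuple[int, Tuple[str, ...]]:
    """Depth-first walk through sub-suppliers; returns the highest score found
    at any depth and the vendor path leading to it (step 3: go deeper)."""
    best = (score_vendor(v), path + (v.name,))
    for sub in v.sub_suppliers:
        cand = riskiest_in_chain(sub, path + (v.name,))
        if cand[0] > best[0]:
            best = cand
    return best


def tier(score: int) -> str:
    """Assumed triage thresholds: which vendors get a full review first."""
    if score >= 8:
        return "critical"
    if score >= 5:
        return "high"
    return "standard"


def triage(vendors: List[Vendor]) -> List[dict]:
    """Step 5: score every vendor, inherit the worst sub-supplier score, sort by risk."""
    rows = []
    for v in vendors:
        own = score_vendor(v)
        chain_score, chain_path = riskiest_in_chain(v)
        effective = max(own, chain_score)
        rows.append({
            "vendor": v.name,
            "own_score": own,
            "effective_score": effective,
            "tier": tier(effective),
            # Name the sub-supplier path when a 4th party is what drives the risk
            "driver": " -> ".join(chain_path) if chain_score > own else v.name,
        })
    rows.sort(key=lambda r: r["effective_score"], reverse=True)
    return rows


# Constructed sample inventory with hypothetical vendors (not real products)
INVENTORY = [
    Vendor("Practice Management SaaS", "practice management", handles_firm_data=True,
           sub_suppliers=[
               Vendor("Embedded Reporting Library", "component", handles_firm_data=True,
                      breach_in_last_3y=True, sdlc_controls=False),
           ]),
    Vendor("HVAC Maintenance Contractor", "facilities", network_access=True,
           supports_mfa=False, breach_in_last_3y=True),
    Vendor("Door Keypad Console", "physical access", supports_mfa=False),
    Vendor("Office Printer Fleet", "peripherals", network_access=True,
           handles_firm_data=True),
]


def run_triage() -> List[dict]:
    return triage(INVENTORY)


if __name__ == "__main__":
    for row in run_triage():
        print(f"{row['tier']:9} {row['effective_score']:2}  {row['vendor']}"
              f"  (driver: {row['driver']})")
```

Two things the output shows that the questionnaire answers alone do not: the practice management vendor looks benign on its own but is pulled into the "high" tier by an embedded library with a breach history and no SDLC controls, and the facilities contractor with network access and no MFA lands at the top of the list, which is exactly the profile of the Target incident described above.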