The New Normal: The Ubiquiti IoT Breach and Future-Proofing Your Third-Party Risk Management (TPRM) Program

Blog post Zachary Jarvinen 2021-05-01

third party risk management

Ubiquiti, a major player in the Internet of Things (IoT) market, suffered a catastrophic security breach in December 2020. Malicious actors reportedly compromised the credentials and other private details of Ubiquiti customers in the attack.

The company’s stance about the incident hasn’t been very forthcoming, and the publicly disclosed details of the breach are sparse. But cybersecurity researchers believe that vulnerabilities in a third-party cloud hosting solution served as the gateway to the breach.

The case of Ubiquiti highlights the importance of future-proofing third-party risk management (TPRM) in an era when IoT is becoming part of our daily lives. Organizations can no longer afford to neglect internal and external due diligence concerning all their third-party vendors to avoid the ever-looming threat of hackers and cybercriminals targeting IoT networks.

A comprehensive TPRM strategy, assisted by automated tools, is the need of time for organizations to safely traverse the evolving threat landscape. A solid TPRM program can address the sophisticated vendor security challenges, preparing organizations for proactive actions against looming threats.

Let’s have a look at the steps that characterize a practical and modern TPRM program:

The Ubiquiti Security Breach

Ubiquiti released a statement in January 2021, admitting that threat actors have access to some of their systems. These systems were apparently breached through unauthorized access to a third-party cloud services provider.

The statement further pointed out that the data exposed in the event could include users' names, email addresses, passwords, phone numbers, and even physical addresses. There’s no denying that the magnitude of the breach is alarming.

The amount of damage that such breaches can cause to an organization’s reputation is undoubtedly acute. A survey by IDC revealed that the exposure of information in a security breach caused 80% of the consumers to lose trust in a business and move on to using services/products of a competing provider.

It is impossible to measure the impact of Ubiquiti’s breach at this time due to the recency of the incident. But it wouldn’t be surprising if the company starts losing customers.

In light of these facts, organizations must use modern approaches to cope with the evolving third-party vendor risks. Doing so can ensure business continuity, resilience, and growth. It makes sense to have a well-established TPRM strategy in place to future-proof your organization against third-party risks.

Mitigating Risks With TPRM Best Practices

There’s no one standard TPRM program or framework for every organization to mitigate risks. The type of programs and frameworks differ from organization to organization and industry to industry. However, there’re certain best practices that every organization can use to future-proof its TPRM program.

Pre-Contract Analysis and Standardized Frameworks

Organizations need vendors to operate and grow and to stay competitive and profitable. As your business grows, so will your supply chain. The challenge is that the more vendors there are in your network, the higher the difficulty of managing, analyzing, and assessing the risks posed by each. The Ubiquiti IoT breach serves as a case in point.

It is a good idea to implement pre-contract analysis and have standardized frameworks in place. Doing so will allow you to effectively assess the risks involved in onboarding potential vendors.

Using standardized questionnaires can significantly simplify this procedure by providing a single, consistent assessment framework for all your third-party vendors. When there’s standardization and consistency in risk measurements for each vendor, performing risk analysis naturally becomes more accurate.

Holistic, Wide-Angle View

Future-proofing TPRM necessitates reasonably in-depth assessment and vetting of vendors. The accuracy of decision-making, such as whether the benefits of working with a particular vendor outweigh the risks, often hinges on a broad, comprehensive analysis of the vendor’s financial, operational, reputational, security, and privacy risks. In the context of IoT services, this may mean vetting third-party vendors for any existing vulnerabilities in the form of backdoors or inadequate encryption protocols in their systems.

A holistic, wide-angle view of your third-party risks can help you categorize and segment your vendors by similarity in the magnitude as well as the kind of risk they pose to your organization. The resulting clarity and holistic understanding of the implications of your relationship with each vendor will facilitate better decision-making. These decisions can help you avert disasters and ensure continuity in critical junctures of your business’s future.

Tracking Escalations and Managing Problems

While the ideal goal of every TPRM program is to prevent risks from materializing and wreaking havoc on your organization, it’s practically impossible that any strategy can ever be foolproof. Even the most rigorous and stringent evaluations can let risks fall through the cracks.

Therefore, a well-rounded TPRM strategy emphasizes risk remediation if a threat starts taking a toll on your organization. Leveraging technology that facilitates collaboration and communication with third parties is an effective way of countering threats. Close collaboration and communication will help you get seamless updates on the remediation process from your vendors.

Modern vendor risk management tools help document essential details about security problems and risks. They also help analyze the severity or magnitude of a program, such as an outdated privacy policy or an initiative that violates data protection regulations in a way not immediately apparent.

In addition, they provide recommendations for resolution and make the tracking progress quick and effective. Having procedures in place for remediation and resolution of issues improves response time, enhancing your ability to contain any damage resulting from the problem within tolerable limits.

Periodic, Ongoing Assessments

The reliance on legacy systems and spreadsheets is the major obstacle to accelerating vendor risk assessments' frequency and depth. Suppose each evaluation incurs hefty costs on your organization in terms of time, energy, and budgets. In that case, you’re unlikely to maintain due diligence while also managing a sound frequency of third-party risk assessments.

Modern TPRM tools with automation functionalities allow organizations to step up due diligence and frequency of evaluations unhindered by the delays that characterize the manual methods and legacy systems. This results in a robust, ongoing assessment framework that lies at the core of successful, future-proof TPRM programs.

Future-Proof Your TPRM With Vendor360

Vendor360 is a state-of-the-art third-party risk management tool by CENTRL. It is designed to help you implement a comprehensive TPRM program, all the way from vetting vendors before they’re taken on board to periodic monitoring of vendors.

This advanced software has a centralized database that allows you to aggregate all relevant vendor documentation for in-depth evaluation. The pre-built assessment survey questionnaires and functionalities for creating streamlined workflows make Vendor360 a complete TPRM solution for organizations.

Equip your business with the sophisticated functionalities of automation and lead your organization well-guarded against the evolving vendor risks and threats.

Find out more about how Vender360 can future-proof your TPRM strategy or experience the potential of the tool yourself with a Live Demo.

Similar resources

More resources