Imagine a world where people demand data on any device, from any location, 24/7. To deliver this level of service, businesses are deploying cloud architecture for almost everything. But shadowing these decisions is the largest annual increase in successful cyber-attacks within the last six years, and when seen alongside a global shortage of IT security experts (3.1m) who might be able to help, it is no wonder the relentless pressure to keep pace with technology leaves most organizations feeling overwhelmed.
Done well, cloud computing is of course a game-changer; but done badly, it can easily slide into an existential disaster. Sure, it introduces more flexible working, increased scalability, resiliency… yada, yada, yada. But compare these benefits with the reputational damage and total annihilation of your business from a data breach or by simply being offline, and any advantage from being able to offer your staff the ability to WFH might seem like semantics if the entire company has folded.
With such a vast increase in the attack surface emerging from the deployment of cloud, it is alarming that companies spend less each year on IT security. With 41% of IT systems now cloud-based, and a business world turned upside down by the pandemic, there has been an explosion in phishing campaigns, deceptive domains, and other malicious apps that crooks have used to turn their trade into profit. With over 80% of cyber-attacks within the last year reported as successful, and 57% of the victims paying up, it is obvious their line of business is booming.
But while we are busy looking one way, at a threat landscape of sinister attack vectors, and as important as all those risks are, there is a much simpler and perhaps more devastating supply-chain threat sitting right in front of us. Yes, the new kid on the block in 2021 is ‘TPRM’ – Third-party risk management.
So, what exactly is TPRM?
Back in June, we experienced an inkling of supplier failure when cloud edge provider ‘Fastly’ experienced a massive internet blackout caused by an undiscovered software bug, albeit triggered by a valid customer change. This knocked out some of the world’s biggest websites as 85% of the company’s own network failed — this minor bug in Fastly’s software is estimated to have cost Amazon $32m in sales. Fastly is one of the largest suppliers of ‘Content Delivery Networks’ on the internet along with providers such as Akamai, Cloudflare, and Amazon’s own CloudFront product. These suppliers operate on the same principle that the internet is faster and more stable if users can connect to servers that are physically closer to them, offering undeniable benefits in performance.
But the risk is not the architecture. It is not the technology, which is intelligent enough to dynamically re-route network traffic to a backup data centre if any outage is detected. Nor is the risk an ‘Advanced Persistent Threat’ from a state-backed cyber group. No, the risk is far more basic than any of these issues. It arises when all customers share a common platform. The Fastly outage (one of the largest in the history of the internet) was caused by a single customer changing a legitimate business configuration setting in their software.
The root cause analysis report is published here:
https://www.fastly.com/blog/summary-of-june-8-outage
Of course, speak to any vendor and they will effortlessly trot out an official line of diverse power supplies and telecom circuits, blinding customers with service uptime statistics and graphs that prove how safe their service is. But wait, none of that intelligence stopped the Fastly outage. If the cloud platform (or access to it) fails, then folks… everything stops. So, in summary, we are all at the mercy of any customer change going wrong. Indeed, the Fastly report proves the point by disguising the truth in plain sight. It reads as though in a matter of hours the supplier had fixed the issue and normal service had resumed. For them, yes, but for the rest of the world, not so. As cloud services are a global phenomenon, the impact reverberated into a second business day. This caused havoc across the world, partly because people did not understand what had happened. The chaos not only exposed our increasing dependency on cloud services; it should also represent a huge wake-up call.
How many Execs know what CDN providers do? How many companies know the real risk of herding systems together in this way? The fact that more and more data is being poured into the hands of a few corporate giants is a risk that is much talked about in the mainstream media, but supplier management of that same architecture is not.
Not convinced? How about Akamai’s DNS outage on the 22nd of June? Whilst their service was only disrupted for an hour, the consequences were serious and widespread. No websites for Delta Airlines, Costco, American Express, Oracle, Amazon, Expedia, Airbnb, or Home Depot. In total, 48 organizations were impacted.
And we haven’t even mentioned the SUNSPOT malware used to insert the SUNBURST backdoor into software builds of the Orion suite, aka the SolarWinds attack. This major security breach affected over 3,000 customers, including major corporations like Cisco, Intel, and Belkin, and even the US Department of State and the US Department of Homeland Security. Whether instigated by Russian hackers or not, it is one of the most sophisticated cyber-attacks in history, with malware lying dormant and evading detection for over a year. What better way to attack a corporation than through a legitimate supplier software update?
In short, as businesses adopt the cloud, they need to understand the risks. Never has the network path to that architecture been so important. TPRM is about how to ensure suppliers behave as they should. After all, outsourcing your systems does not outsource the risk.
But it is not all doom and gloom! With businesses still reeling from the pandemic, hope is starting to emerge — a fundamental shift in the approach to survival. This is the key to successfully unlocking the challenges of TPRM. The issue being talked about now is no longer how to avoid being attacked. Instead, companies are assuming they will be and now figuring out how to respond by identifying services that enable the business to breathe.
We all happily recite that business no longer just depends on technology; that technology IS the business! Well, it is time to back that up with some action. Company executives can no longer base critical design decisions on simply trying to reduce cost. Yes, company CFOs should rightly have a voice, but no longer to the exclusion of technology. Traditional business roles have historically had representation on the Board from Sales, Marketing, and Finance, but Technology has never quite been able to warrant a seat of its own. Too often it is assigned a shared role with representation via a single exec. Well, to hell with tradition, we now know better than that. The business landscape has evolved with tech leaders playing a more critical role than ever, and as a result they should be demanding their seats at the big table.
