The attacks of 2016 & 2017 revealed the scope of cyber warfare is limitless, that no individual, no organization and no region is impenetrable. Over these past two years, hackers have targeted a diverse array of institutions. The National Security Agency, the Federal Bureau of Investigation, and the presidential campaigns in both the United States and in France are a few of many organizations to have experienced data breaches.
Corporations of all sizes have been breached, and in our connected and outsourced world, according to Soha Systems, 63% of data breaches are in some way connnected to our vendor ecosystem. But still only 2% of IT professionals surveyed consider vendor risk management a top IT priority. And the problem is not going away; in fact it is getting worse. 87% of IT respondents report their organization’s use of vendors has increased 49% since 2013, and 40% expect it to increase even more during the next 3 years.
the political response
Cyber warfare is increasingly being tackled through international organizations and globalized collective action. In response to Petya’s attack on the Ukraine, NATO assumed a more aggressive role in approaching cyberterrorism. Jens Stoltenberg, the NATO Secretary general, pledged to invoke the alliance’s mutual defense clause, Article 5 of the North Atlantic Treaty, to help better Ukraine’s cyber defense. The European Union has also pushed initiatives to become more invested in enhancing global cybersecurity. In July of 2017, the EU pledged to spend €450 million in cybersecurity research under its innovation program Horizon 2020.
In step with international organizations, the United States government is taking greater measures to combat cyberattacks. In May of 2017, the Trump Administration passed a long awaited executive order designed to improve the nation’s cybersecurity. The order outlined three key priorities: protecting federal networks, updating outdated systems, and directing all department and agency heads to collaborate and consolidate information. Furthermore, states are passing legislative action to minimize data breaches, specifically breaches by third party vendors. The New York Department of Finance implemented stringent cybersecurity regulations, outlined in Act 23 NYCRR 500, which requires identifying and assessing the risk of third party vendors with access to sensistive informations, minimum cybersecurity practices to be met by third party vendors,due diligences processes used to evaluate the cybersecurity practices of third party vendors, and periodic assessments of the third party’s cybersecurity practices.