"The Cloud Hopper campaign is a classic example of the evolution of third-party cyber risk, says Fred Kneip, CEO, CyberGRX. It takes advantage of the implicit trust that many organizations place on their cloud service providers and other third parties that they do business with."
"Although attacks via third parties are the second biggest source of security incidents, most organizations do not have a consistent process to help them understand which partners pose the most risk to their organization,” Kneip says. Organizations need to truly understand their residual risk from each third party, and perform their own validation of key controls as opposed to relying on self-assessments, he says."
“Customers need to ask relevant questions of their provider as to how they achieve customer segmentation and segregation,” advises Jim Reavis, executive director of the Cloud Security Alliance. “Customers also need to understand their own responsibilities and in many cases it is their job to add data protection controls like encryption or to use the provider's logging capabilities to monitor access to their own cloud instances.”