Whether it is vendors, suppliers or contractors, third parties are critical to the success of most organisations. However, they can also present significant cyber security risks.
In this blog post, we discuss the different types of challenges that third party relationships present and outline specific ways to defend against them.
Third party risk is created when companies in an organisation’s supply chain have access to its data, systems or privileged information. This can lead to issues such as data breaches, IP theft or other security incidents. Organisations can be held accountable for security breaches even if they originate from a third party. A 2021 report by the Ponemon Institute and SecureLink revealed that 74% of companies breached within the previous 12 months stated that the incident was caused by granting privileged access to third parties.
Types of third party-related cyber-attacks
Cyber-attacks occurring as a result of third party relationships could include:
- Attacks on IoT devices
- Credential theft
- Data exfiltration
- Denial of service (DoS) attacks
- Fileless malware
- Intellectual Property (IP) theft
- Man in the Middle (MitM) attacks
- Network intrusion
- Ransomware attacks
- Spear phishing
Examples of third party attacks
A multitude of third party cyber-attacks have been featured in the headlines in recent years, including:
- A major automotive company learned that a vendor had left unsecured data on the internet for a long period of time. This was then accessed by an attacker in a breach which led to the exposure of sensitive information affecting many of its customers.
- The company behind a US medical system worked with a law firm which was hit by a breach of its email systems. The attack resulted in the exposure of the identifiable and protected health information of employees and patients.
- An attack on a third party which stores a major charity’s data led to the compromise of the confidential information of thousands of people, some of them extremely vulnerable.
Key steps for defending against third party cyber-attacks
Managing third party risk should not be viewed as a “set-and-forget” security practice. Many organisations fail to recognise the importance of regularly reviewing the risks within their supply chain, increasing their vulnerability to cyber-attacks. Different types of relationships with the same vendor can create different levels of risk. Organisations are also vulnerable when a lack of resources or traceability means that they are unable to keep up with tracking and assessing their supply chain risk.
Companies can significantly reduce the risks through the following steps:
Adopt third party cyber risk management
Third party cyber risk management is a structured methodology for analysing, controlling, monitoring and mitigating cyber risks associated with third party vendors, suppliers and service providers. An effective third party risk management program is critical to managing and mitigating supply chain issues. It gives organisations an in-depth understanding of the third parties they work with and the quality of the safeguards those third parties have in place. A third party cyber risk management program should comprehensively monitor and assess the many different areas which can create risk, such as vendor risk management, fourth parties (your third parties’ own third parties) and vendor assessment.
Undertake extensive third party due diligence
Effective supply chain due diligence can significantly reduce, mitigate or remediate many types of risks created by third party relationships. Organisations should conduct checks when planning to work with a new vendor or supplier and when making changes to high-risk aspects of the business in order to protect against the fraudulent interception of goods or payments.
Gaining a clear understanding of a vendor’s security posture is vital. This involves undertaking a comprehensive security assessment of each vendor before working with them and maintaining up-to-date records so that their security posture stays visible over time and their regulatory compliance can be confirmed.
Provide security training for all employees
When assessing third party risk, it’s easy to overlook the potential vulnerabilities created by your own employees. Human error can be a key factor in third party breaches, with attackers often achieving their aims through stolen credentials or phishing emails. Regular security training for all employees is an important aspect of effective defence against third party attacks.
Apply the principle of least privilege
Applying the principle of least privilege is as important for your third parties as it is for employees within your own organisation. It helps to safeguard access to sensitive data and reduces the risk of that data being exposed.
Manage fourth party risk
Assessing your third parties should also include checking their own third party relationships, because the security posture and practices of your vendors’ suppliers can make your organisation more vulnerable. Keeping track of this type of risk involves actions such as requiring third parties to let you know if and when they share sensitive information with a fourth party.
Include risk management in third party contracts
Including cyber risk in third party contracts helps to hold vendors accountable if their cyber risk posture changes and they fail to act in response. Contractual requirements can include maintaining a specific set of security controls or undergoing security testing on a regular basis.
How Kroll can help
Kroll’s third party cyber risk management services provide a comprehensive evaluation of the diverse security risks presented by third party relationships. We offer supply chain due diligence services, dark web monitoring, cyber risk advisory services and a wide range of penetration testing services.
Benefit from our unique insight gained through in-house experience of managing third party risk and handling more than 3,200 diverse cyber incidents every year, supported by today’s most advanced technology. We can help you protect, detect and respond with confidence and can deploy remote solutions quickly and/or be onsite within hours.