Regardless of their size and industry, all businesses are subject to third-party risk. Simply put, third-party risk refers to any threat that may arise as a result of an organization’s involvement with outside parties, including vendors, clients, and suppliers.
While companies often recognize the potential financial, reputational, and legal risks associated with working with an outside organization, many are unaware of the cybersecurity risks. If the party you work with has access to your systems and/or sensitive information, a security weakness on its end can spell disaster for your business.
There’s no foolproof method to eliminate third-party risk, but understanding your exposures and how to address them is crucial to effective risk management.
Risks can arise from anywhere across the entire scope of connectivity. Common sources include software and other vendors, but internal third parties can also expose your business to threat actors through email exchanges, infected downloads, and malicious links.
Advanced attackers hide within an environment, search out vulnerabilities, and infect more endpoints. If a third party has access to your data or systems, a cyber event against it can directly affect you.
Third-party cybersecurity risk is nothing new, but it is becoming increasingly important to recognize due to the evolving threat landscape and nature of modern business.
The following factors contribute:
In recent years, attacks against specific companies have significantly impacted countless other businesses that work with them.
The SolarWinds hack was first reported in December 2020. Hackers believed to be linked to the Russian government broke into the systems of SolarWinds, an information technology firm, and added malicious code into its Orion software. When customers installed updates, they also introduced malware into their systems.
Similarly, in early 2021, reports emerged that threat actors known as “Hafnium,” believed to be sponsored by China, hacked Microsoft Exchange, potentially impacting hundreds of thousands of businesses that run the program on their servers. This mass exploitation targeted businesses seemingly indiscriminately, gathering information across industries.
While the Verkada hack of early 2021 was supposedly perpetrated to show the prevalence and vulnerability of video surveillance, it also highlights that an attack can affect systems you may not have previously considered. By gaining access to a “Super Admin” account, a hacker collective gained access to live feeds from a network of over 150,000 cameras, providing a window inside police departments, prisons, hospitals, schools, and companies.
However, not all third-party cybersecurity risks come in the form of hacks, as evidenced by the Facebook–Cambridge Analytica data scandal. Facebook reportedly provided consulting firm Cambridge Analytica with personal information harvested from users, which was then exploited for political campaigns. While this may be seen as a policy failure and/or a breach of trust, it also presents a serious third-party cybersecurity concern. When businesses work with third parties and share information, they need to know how that third party will use and protect that information.
You can’t eliminate risks that may arise from relationships with outside parties, but you can minimize them through the following tactics.
Before you connect your business with any third party, you should know what cybersecurity defenses they have in place. Working with businesses that have lax cybersecurity increases your risk. On the other hand, you may not meet the standards of those with more robust programs. It’s usually best for both parties to take a similar approach to cybersecurity.
Using a due diligence questionnaire (DDQ) can provide quick insight into a business’s posture. You may ask a prospective vendor questions about its policies, procedures, and training to get a clearer picture of the organization’s overall health. While this might not point to all potential vulnerabilities, it can provide a quick snapshot to help you detect any major red flags. For a more comprehensive overview, you may prefer a full audit that tests the company’s controls.
Since business email compromise is common, you should assess whether you can trust email contacts, especially before opening any links or attachments, since malware is often delivered via email. Some hackers also spoof email addresses of your known contacts, so even if you see the name of someone you trust, you should carefully consider whether the email may pose a risk. Communications must be normal, protected, and authorized.
Threat actors often aim at financial gain; stealing banking information is one of the quickest, easiest ways to do this. If you receive a request to provide financial information or alter existing details, have protocols in place to confirm the request through out-of-band communication. A cybercriminal can easily send an email posing as your bank, outside vendor, or even your boss. Verifying through another communication channel, such as an in-person meeting or direct phone call to a number already on file for the requester, can reduce the likelihood of your organization falling victim to these scams.
With the threat landscape constantly changing, no solution can prevent 100% of attacks. That’s why managed detection and response is critical. This type of service can scan your network, endpoints, and cloud to detect and mitigate threats before they cause serious damage. Otherwise, cybercriminals may have unfettered access to your systems for months before you become aware of their presence.
Advanced malware is designed to circumvent normal prevention tools. Having protections in place that monitor for deviations can help point to threats within your environment that may otherwise evade detection.
Even with the best defenses in place, some attacks will make it through. Cybersafe Solutions can give you peace of mind that your systems are well protected and any threats will be detected and contained quickly. Through SOL XDR, our most comprehensive solution, we monitor your environment 24/7/365 to collect, correlate, and analyze data across different threat vectors to spot early signs of an attack before it turns into a full-scale breach. Contact us today to discuss how we can help mitigate your third-party risk.