What is risk of third-party participation and how can CISOs deal with it?


As business processes become more complex and dynamic, organizations increasingly rely on third parties to deliver essential services.

Third-party vendors who share systems with an organization may pose security threats that have significant financial, legal, and business consequences.

Organizations that hesitate to expand their ecosystem out of fear of the risks it might engender will likely be overtaken by organizations that boldly take advantage of third-party relationships, confident in their ability to identify and manage the associated risks. It is therefore critical to deal with third-party security threats efficiently and effectively.

Risk and compliance

Third-party vendors can increase an organization's exposure to several hazards, including interrupted or disjointed operations, data security issues, compliance violations, and a misaligned understanding of the organization's goals. According to an Intel471 threat intelligence analysis, 51% of organizations have experienced a data breach caused by a third party.

“Organizations may grant third parties access to networks, applications, and resources for legitimate business reasons. However, when doing so with a legacy VPN, they often provide overly broad access to an entire network rather than precise access to the specific applications and resources required to do their job,” said John Dasher, Banyan Security's VP of product marketing.

Third-party risks have grown to the point that compliance regulations are now an integral part of an organization's processes and policies. Yet despite evolving regulations and rising confidence in risk programs across the board, a Deloitte report found that more than 40% of organizations do not perform enhanced due diligence on their third parties.

The growing cybersecurity threat

As the necessity for third-party risk management becomes more apparent to organizations, risk management teams have begun going to great lengths to ensure that vendors do not become liabilities when they become a vital part of business operations.

Nevertheless, when organizations incorporate a third party into their business operations, they also take on that party's own vendors and partners, now and in the future, often without knowing it. This exposes organizations to several forms of risk they did not knowingly accept, especially in cybersecurity.

“It’s a real concern as companies can’t just stop working with third parties,” said Alla Valente, a senior analyst at Forrester. Many businesses doubled the number of third parties in their ecosystem as a result of the pandemic.

"Third parties are essential for your business to achieve its objectives, and each third party is a source of breach and an attack vector. Therefore, if your third parties cannot perform due to a cyberattack, an incident, or operational disruption, it will impact your business," said Valente.

A third party that does not maintain or follow a cybersecurity program usually still has some form of integration with the organization's network. Any vulnerability in that third party's security controls can therefore be exploited and used as a path to the original organization's data.

The concern grows as third-party relationships form a complex web of vendors that are all connected to one another's networks.

Adam Bixler, global head of third-party cyber risk management at BlueVoyant, says threat actors exploit the weakest link to reach their target, and in many cases that weakest link is the most vulnerable member of the target's third-party supply chain.

"In general, we have observed that cyberthreat actors are opportunistic. This has been a very successful technique, and until security practices are implemented consistently and equally throughout the whole third-party ecosystem, all parties are at risk of this type of attack," said Bixler.

When BlueVoyant surveyed professionals with responsibility for cybersecurity at businesses across the globe, 97% of the surveyed businesses reported having been negatively impacted by a cybersecurity breach in their supply chain.

A large majority (93%) admitted to having suffered a direct cybersecurity breach due to weaknesses in their supply chain, and the average number of breaches experienced in the last 12 months rose from 2.7 in 2020 to 3.7 in 2021, a 37% year-over-year increase.

Not only is cybersecurity a major threat, but a disruption at any business across the web of third parties can set off a chain reaction that greatly impedes essential business operations.

“The real danger lies in accepting third-party files from unauthorized or authorized vendors who don’t know they have been compromised,” said Karen Crowley, Deep Instinct's director of product solutions. According to Crowley, over 80% of attacks originate from weaponized Office and PDF files that appear legitimate. If such files are allowed inside the organization, they become a threat once they are downloaded and opened.

Crowley noted that multistage attacks are low and slow, with threat actors willing to wait for their opportunity to reach the crown jewels.
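The weaponized Office and PDF files Crowley describes have a small number of structural tell-tales that can be checked before a file from a vendor is released to users: a VBA macro project inside an OOXML package, active-content keys such as /OpenAction or /JavaScript inside a PDF, and an extension that does not match the real format. The following Python script is an added example for this article, not code from the article or from any of the vendors quoted; the filenames, the sample documents and the quarantine rule are constructed to show the checks, and an empty findings list means only "nothing obvious", never "safe".

```python
"""Static triage of documents received from third parties.

Added example, not part of the original article. It flags the two classic
weaponization patterns in Office and PDF files before they are admitted:
a VBA macro container inside an OOXML (zip) package, and active-content
keys inside a PDF. It also catches an extension that lies about the
format. It is a cheap pre-filter, not a malware scanner.
"""
import io
import re
import zipfile

# PDF name objects that make a viewer run code or take actions on open.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
MACRO_MEMBER = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_FREE_EXT = {"docx", "xlsx", "pptx"}
OOXML_EXT = MACRO_FREE_EXT | {"docm", "xlsm", "pptm"}


def inspect_document(filename: str, data: bytes) -> dict:
    """Return {'kind': str, 'findings': [str]} for one received file."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(b"%PDF-"):
        kind = "pdf"
        if ext != "pdf":
            findings.append(f"extension .{ext} does not match PDF magic bytes")
        for key in PDF_ACTIVE_KEYS:
            # Negative lookahead so /JS does not also match /JavaScript.
            if re.search(re.escape(key) + rb"(?![A-Za-z])", data):
                findings.append(f"PDF contains active-content key {key.decode()}")
    elif data.startswith(b"PK\x03\x04"):
        kind = "ooxml"
        if ext not in OOXML_EXT:
            findings.append(f"extension .{ext} does not match zip/OOXML magic bytes")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("zip container is malformed")
        if any(MACRO_MEMBER.search(n) for n in names):
            findings.append("OOXML package contains a VBA macro project (vbaProject.bin)")
            if ext in MACRO_FREE_EXT:
                findings.append("macro project inside a file type that should be macro-free")
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        kind = "ole2"
        findings.append("legacy binary Office format (OLE2); macros cannot be ruled out by name")
    else:
        kind = "unknown"
        findings.append("unrecognised file type")
    return {"kind": kind, "findings": findings}


def quarantine_list(files: dict) -> list:
    """Names of the received files that need a human or a sandbox before release."""
    return sorted(name for name, data in files.items() if inspect_document(name, data)["findings"])


def _ooxml(members: dict) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples carrying only the structural markers, not real malware.
SAMPLES = {
    "invoice.docx": _ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "quote.docm": _ooxml({"word/document.xml": "<w:document/>", "word/vbaProject.bin": "\x00" * 16}),
    "statement.docx": _ooxml({"word/document.xml": "<w:document/>", "word/vbaProject.bin": "\x00" * 16}),
    "terms.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "remittance.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
                       b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n"),
    "scan.pdf": b"PK\x03\x04" + b"\x00" * 26,  # zip bytes wearing a .pdf extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_document(name, data))
    print("quarantine:", quarantine_list(SAMPLES))
```

The PDF check is a byte search rather than a parser, so it also fires on a key that appears inside an object stream or a comment; that is deliberate for a triage filter, where a false positive costs a sandbox run and a false negative costs a compromise. The macro check assumes the vendor should be sending macro-free formats; a vendor with a legitimate need for .docm files is a policy decision, not something this script can settle.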

Risks of a third-party data leak

Expanding data sharing and access may bring organizations social and economic benefits while demonstrating good governance. However, data access and sharing also carry several hazards, including breaches of confidentiality or privacy and the violation of other legitimate private interests, such as commercial interests.

"The primary hazards of sharing information with undocumented third parties or third-party vendors is that you have no way of knowing what their security program consists of or how it is implemented, and therefore no way to know how your data will be maintained or secured once you share," said Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant.

According to Janssen-Anessi, it is critical to protect your proprietary information and to demand the same level of security from the third parties and vendors you engage with. She recommends that enterprises build a vendor onboarding process that includes a thorough understanding of the third party's cyber-risk posture and of how those hazards will be mitigated.

Organizations that fail to take appropriate measures to protect themselves against third-party risks expose their businesses to both security and non-compliance threats.

Such data breaches can have significant implications for your business, including the following:

  • Monetary losses: Data breaches are costly regardless of how they occur. According to the Ponemon Institute and IBM’s Cost of a Data Breach report, the average cost of a data breach is $3.92 million, with each lost record costing $150. The cause of the breach is one factor that affects its cost, and a breach costs more when a third party is involved. Based on the analysis, a third-party data breach raises the cost by more than $370,000, to an adjusted average total of $4.29 million.
  • Exposure of sensitive information: Third-party data breaches can result in the loss of your intellectual property and customer information. Several attack vectors can expose a company’s private information and inflict considerable damage, ranging from data-stealing malware to ransomware that locks you out of your business data and threatens to sell it if the ransom is not paid.
  • Damaged reputation: Reputational harm is one of the most severe repercussions of a data breach. Even if the breach was not your fault, what matters to your clients is that they trusted you with their information and you let them down. This can also have a significant financial impact on your company.
  • Potential for future attacks: When cybercriminals obtain your data through a third party, that breach may not be their endgame. It may be the opening move of a more extensive campaign of intrusions, or the stolen information may be intended for phishing scams or other fraud in later attacks.

Best practices for reducing third-party risk

Philip Harris, IDC's director of cybersecurity risk management services, believes that to minimize third-party risk more effectively, it is vital to work with the teams within your organization that know the most about the third parties the company deals with. "Doing so can not only help create an inventory of these third parties, but also help classify them based on the serious nature of the data they hold or whether they are part of a critical business process," said Harris.

Jad Boutros, the co-founder and CEO of TerraTrue, believes it is important for businesses to assess their third parties' security posture during due diligence and security certification audits.

According to Boutros, CISOs can follow this guidance to avoid security hazards from third parties:

  • Understand what data is shared between the organization and the third party. If it is possible to avoid sharing sensitive data, or to transform it (for example by bucketing, anonymizing or minimizing it) to defend against certain misuses, such mitigations are worth considering.
  • Some third parties also expose particularly risky functionality (e.g., transferring data over insecure channels, or exposing additional power-user features); if it is not needed, finding ways to disable it makes for a safer integration.
  • Lastly, regularly reviewing who in the organization has access to the third party, and who holds elevated access, helps reduce the blast radius of an internal account compromise.
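The first of these points is the one that can be enforced in code: decide per vendor which fields leave at all, and transform the ones that do. The Python below is an added example for this article, not code from Boutros, TerraTrue or the article itself. It shows minimizing (an allowlist per vendor; anything not listed is dropped), pseudonymizing (a keyed HMAC over normalized identifiers, with a separate key per vendor so two vendors cannot join their datasets) and bucketing (age coarsened to a range). The vendor names, field names, policies, keys and the sample record are all made up for the example.

```python
"""Minimize and pseudonymize a record before it is shared with a vendor.

Added example, not part of the original article. It implements the three
transformations the guidance above names: dropping fields the vendor does
not need (minimizing), replacing direct identifiers with a keyed HMAC
pseudonym (what the text calls anonymizing; strictly pseudonymizing,
because the key holder can re-link), and coarsening values into ranges
(bucketing). Vendor names, field names, keys and policies are made up.
"""
import hashlib
import hmac

# One secret per vendor, so two vendors cannot join their datasets on a
# shared pseudonym. Real keys come from a secrets manager and get rotated.
VENDOR_KEYS = {
    "analytics-vendor": b"example-analytics-key-rotate-me",
    "support-vendor": b"example-support-key-rotate-me",
}

# Allowlist per vendor: a field not listed never leaves the organization.
VENDOR_POLICY = {
    "analytics-vendor": {"customer_id": "pseudonym", "email": "pseudonym",
                         "age": "bucket", "country": "keep", "plan": "keep"},
    "support-vendor": {"customer_id": "pseudonym", "email": "keep",
                       "full_name": "keep", "plan": "keep"},
}

AGE_BUCKETS = ((0, 17, "<18"), (18, 34, "18-34"), (35, 54, "35-54"), (55, 200, "55+"))


def pseudonym(vendor: str, value: str) -> str:
    """Deterministic, vendor-specific pseudonym; case and whitespace normalized first."""
    digest = hmac.new(VENDOR_KEYS[vendor], value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def bucket_age(age: int) -> str:
    """Coarsen an exact age into one of the configured ranges."""
    for lo, hi, label in AGE_BUCKETS:
        if lo <= age <= hi:
            return label
    raise ValueError(f"age out of range: {age}")


def minimize_for_vendor(vendor: str, record: dict) -> dict:
    """Apply the vendor's policy to one record and return only what may be sent."""
    out = {}
    for field, action in VENDOR_POLICY[vendor].items():
        if field not in record:
            continue
        value = record[field]
        if action == "keep":
            out[field] = value
        elif action == "pseudonym":
            out[field] = pseudonym(vendor, str(value))
        elif action == "bucket":
            out[field] = bucket_age(int(value))
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return out


# Constructed record; the national ID and address have no policy entry
# for either vendor and are therefore dropped for both.
SAMPLE_RECORD = {
    "customer_id": "C-10452",
    "full_name": "Alice Example",
    "email": "Alice@Example.com",
    "national_id": "123-45-6789",
    "address": "1 Example Street",
    "age": 41,
    "country": "NL",
    "plan": "enterprise",
}

if __name__ == "__main__":
    for vendor in VENDOR_POLICY:
        print(vendor, minimize_for_vendor(vendor, SAMPLE_RECORD))
```

Because the policy is an allowlist, a new field added to the customer record upstream is dropped by default rather than leaking until someone notices. The HMAC key is what makes the pseudonym reversible only by the key holder; if a vendor relationship ends, the key can be destroyed and the pseudonyms that vendor holds become unlinkable.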

Other preventive measures

Other strategies that businesses may employ to mitigate third-party hazards include:

The need for a robust third-party risk management (TPRM) program has grown for organizations of all sizes. This is particularly true for high-risk vendors that handle sensitive data, intellectual property, or other confidential information.

Cyber threat intelligence (CTI) architectures serve as a preventive security measure: they gather and evaluate information about current and emerging threats to an organization's safety or assets. They are intended to give businesses a thorough awareness of the hazards that pose the greatest threat to their infrastructure and to advise them on how to defend their operations.

Security ratings, also known as cybersecurity ratings, are becoming a popular way to assess third-party security postures in real time. They allow third-party risk management teams to perform due diligence on business partners, service providers, and suppliers in minutes rather than weeks by analyzing their external security posture promptly and objectively.

Traditional measures are time-consuming, point-in-time, costly, and often rely on subjective judgements. Moreover, proving suppliers' assertions regarding their information security policies might be difficult. Third-party risk management teams may obtain objective, verifiable, and always up-to-date information by using security ratings in combination with existing risk management strategies.

Future challenges and important considerations

Harris argues that third parties have always been an area where the attack surface has grown, but that this has not been taken seriously enough: corporations have turned a blind eye to it rather than treating it as a real possibility.

"Third parties must be a board-level topic and a part of overall security measures created to manage security holistically," Harris said. There are many solutions, but these unfortunately require humans as part of the assessment process.

Gartner's survey found risk monitoring to be a common point of failure in third-party risk management. An enterprise risk management (ERM) function can help: organizations that monitor changes in the scope of their third-party relationships see the most positive risk outcomes, and ERM can help manage that risk better.

According to Avishai Avivi, the CISO at SafeBreach, most third-party risk solutions available today only give an overview of cybersecurity, but the problem is far deeper.

Third-party breaches through supply chains are another growing security threat that CISOs should consider, according to Avivi. To avoid attacks through supply-chain endpoints, he strongly recommends that businesses handling significant amounts of customer-sensitive data develop a complete privacy policy.

“Solutions must evolve in order to support third-party assessments of the vendor's privacy posture. While there are plenty of third-party audits that get SOC 2 and ISO 27001, they are still not enough to have their privacy practices audited,” Avivi added. Most businesses do not ask for the privacy category of a SOC 2 report or for ISO 27701, the privacy extension to ISO 27001.
