Supply chain cyberattacks: Hackers are using small vendors to break into bigger companies

As our world becomes increasingly digital and connected, businesses must work with third-party vendors to operate more efficiently, and that collaboration depends on establishing secure connections between them.

However, cybercriminals have found a new way into the systems of large, well-defended companies: through their smaller third-party vendors. As hackers go after bigger fish, the security weaknesses these vendor relationships introduce have become a significant threat.

The Expanding Attack Surface

Every time you add a new vendor or contractor to your business, you create another attack vector that cybercriminals can use against your company. Most of these third-party vendors do not have the same level of cybersecurity maturity and are therefore generally easier targets for hackers. A good example of third-party risk is the Target breach back in 2013. Cybercriminals gained access to Target’s payment systems through a third-party heating and air conditioning vendor, exposing the credit card information of over 40 million customers. That event is still, to this day, one of the most frequently cited incidents of cybercriminals leveraging a trusted third-party supplier to reach a larger target. This is why attack surface management has become a critical priority for organizations managing complex vendor ecosystems.

High-Profile Breaches Highlight the Risk

More recent case studies include the SolarWinds cyberattack, which exploited weaknesses in the software supply chain. The hack involved injecting malicious code into SolarWinds’ software updates (patches), which were distributed to thousands of customers, including the federal government and Fortune 500 companies. Another example is the Kaseya ransomware attack. Cybercriminals found a weakness in Kaseya’s remote management software, which affected several managed service providers and ultimately brought down the systems of those providers’ clients.

Yet another recent case in which criminals reached customer information through a third-party vendor was the MOVEit Transfer breach. Several organizations worldwide lost sensitive customer information because hackers exploited a weakness in MOVEit Transfer, a file transfer tool used by many businesses today. This case illustrates that we need to keep a watchful eye on third parties, since a single vendor can impact our data security on a much larger scale.

The Vulnerability of Third-Party Vendors

Third-party suppliers typically place greater emphasis on cost and usability than on security, and the limited visibility a given organization has into a third-party supplier’s systems makes accurate risk assessments difficult. Organizations may conduct initial due diligence on third-party suppliers before entering into business agreements, but they do not consistently monitor these suppliers for risks after contracts have been executed. The complexity of today’s digital supply chain makes it very difficult to track all connections among an organization’s various vendors in order to determine risk and vulnerability.

Improving Third-Party Risk Management

To effectively manage third-party risks, organizations must adopt a proactive approach. This requires developing formal vendor assessments before contracting, continuously monitoring third parties after a contractual agreement is in place, and implementing strict security standards throughout each organization’s supply chain. Organizations must adopt a “zero trust” architecture, in which no entity is considered trustworthy by default. Lastly, cyber security is no longer a fence around an organization. With the expansion of third-party ecosystems, organizations must understand that their cyber security is only as strong as the weakest link in their supply chain network; therefore, organizations must implement third-party risk management to achieve resilience against the cyber threats facing most organizations today.

This article is authored by Mandar Patil, Sr. Vice President at Cyble.

Disclaimer: This article is authored by an external contributor. The views, opinions, and information expressed in this piece are those of the author and do not necessarily reflect the official position or editorial views of the publication. Readers are advised to independently verify any claims, data, or recommendations before acting on them.