When security teams devise data protection strategies, they generally build plans against unknown attackers. But if you look at the statistics on data breaches, it appears you are far more likely to be attacked by someone you know rather than a stranger.
If that sounds contradictory, consider this: According to Verizon’s 2022 Data Breach Investigations Report, 62% of all systems intrusions came through an organization’s business partner. That is nearly two of every three breaches. Alla Valente, senior analyst at Forrester covering governance, risk, compliance, and third-party risk management, said that number is likely higher.
Valente said that many third parties are not tracked by IT teams, and therefore go unvetted, unmonitored, and uncategorized by security controls. Using a corporate marketing department as an example, Valente said the department could be working with dozens of vendors, including agencies, creative and content contractors, service providers, and software-as-a-service providers, and each of these third parties has hundreds, even thousands, of vendor partners.
The supply chain can become massive, which makes it difficult to ensure that secondary, tertiary, or more remote members of the supply chain are secure.
Assessing the Hidden Dangers
Valente provided a real-life example to illustrate how a compromised piece of software, located deep in the chain, can have far-reaching consequences. Specifically, Valente highlighted a decommissioned trading platform on a connected network that had been compromised. This compromised platform went on to affect a company further up the chain, even though it had no direct relationship with the original compromise. Despite the developer’s assurance that the trading platform was no longer supported, it remained online and vulnerable for two years, leading to the company’s compromise. This situation illustrates the common risk posed by unpatched software, both as an entry point for cyber attackers directly and as a potential vulnerability in the supply chain.
“They can't exclude these huge sectors of third-party relationships just because they don't fall into the traditional tech,” Valente said. If there's any type of shadow IT procurements that's happening, where unsanctioned purchases are being made on corporate cards, you need to assess those as well, be it for technology or non-technology third parties.
“For net-new purchases, or even for you [have] major renewals, ask in the RFP or before [when] that contract is being negotiated: 'Who are the critical third parties that you have that are required for you to support this thing that you're doing for us?' Because when you [say] ‘deal or no deal,’ all of a sudden they answer quite quickly,” she added.
Shay Colson, managing partner of cyber diligence at Coastal Cyber Risk Advisors, underscored the importance of conducting the equivalent of an asset management analysis of all third-party partners, identifying each one and classifying their level of access and interaction with corporate data as well as their level of importance to the company’s cybersecurity profile.
“If you have a strong classification system, and you understand how much data you have, then use those as metrics to help your board understand the amount of exposure you have with third parties,” Colson said. For instance, you can identify the number of vendors with access to 10% or less of your customer data, the number of vendors with access to 50% or less, and the number with access to more than 50%.
“Those are the sort of things that you need to help define and then communicate so that this kind of abstract notion of third-party risk becomes real for both the leadership team and the management team who are at the tactical level,” Colson continued. “What you'll find is when you start describing it in these ways, you get a lot more engagement [from management].”
While a small or medium-sized business (SMB) might have similar vulnerabilities as an enterprise, it generally does not have the same security maturity. If that SMB is a third-party partner, the enterprise can effectively say, “‘I don’t trust your security, so you’ll have to use mine,’ ” Colson said. In that case, the enterprise could send the partner a laptop configured with the enterprise’s security for use in all interactions between the partners.
Optimizing Third-party Risk Management
Gartner last year published 4 Third-Party Risk Principles That CISOs Must Adopt, which did not pull any punches on recommendations for companies to follow. According to Gartner, the most effective actions in terms of customer effort and decision value involve conducting formal, on-site assessments carried out by either an internal team or external consultants, as well as obtaining reports from third-party assessors. On the other hand, self-attestation questionnaires and marketing materials that describe a company’s security program were found to have lower decision value in determining third-party risks.
Luke Ellery, Gartner vice president analyst on the procurement, asset, and vendor management team and co-author of the mentioned paper, stressed that the management of third parties primarily revolves around governance, even though nearly every department within an enterprise may engage partners without corporate oversight.
To illustrate the limited control companies have over third-party procurement, Ellery shared an example from his experience. He mentioned that he once signed up for a Salesforce.com account using his phone while traveling on a train, and the process was incredibly fast. It’s common for corporate departments to engage third parties using a corporate credit card, bypassing the standard corporate procurement procedures. Ellery intended to test the speed of the procurement process, and he was able to complete it within a matter of minutes.
Ellery noted that although most technology-related third-party products undergo a formal procurement program, many non-technology third parties and even some technology offerings do not follow the same process. To address this, he recommended that companies should prioritize and assess products and services to proactively identify potential risks. Specific concerns should include the following: Does the product involve the handling of data? If yes, what type of data is involved? Will it be connected to a network, potentially leading to data exports? By conducting this analysis, the user can then determine the appropriate level of rights or permissions that should be assigned to the product.
