As cybersecurity professionals, our primary mission is to protect our organization’s information assets and IT infrastructure from cyber threats. We plan our resources and strategize what controls are appropriate for our business environment. The growing challenge now is ensuring that our vendors and partners that operate as extensions of the business are just as secure.
Companies and their third parties are interconnected, and those third parties are in turn connected to other clients, any of which could be breached. With many services being outsourced, such as supply chain, payroll, and cloud services, you incur a significant amount of risk if those providers are not practicing reasonable security or are not in compliance. If they get breached, so do you.
Third Party Risk Becomes a Priority
Nearly every business relies on outside firms for some of its operational services. As more companies partner with other organizations and access each other’s data, the potential cyber risks grow exponentially. This has become more prevalent as we see these types of trends:
- Software supply chain cyberattacks have grown over 742% in the past three years.
- Ponemon’s research indicated that of the firms that had security breaches, 74% of those said the breach was due to third parties having too much access to sensitive information.
- According to Cybersecurity Dive, 98% of organizations integrate with at least one third-party vendor that has been breached in the last two years.
The suppliers and service providers that have been engaged to make organizations more efficient are the ones who may be causing disruption and risks to their contracted customers.
A Forrester study estimated that 60% of security incidents in 2022 were directly related to third-party issues, and they expect the trend of threat actors targeting vendors and suppliers will only increase in the coming years.
Many Companies are Unprepared
Gartner refers to Third-Party Risk Management (TPRM) as one of the most pressing challenges for compliance leaders today, yet according to their research, only 16% of organizations report the ability to effectively manage third-party risks. Gartner goes on to say that only 28% of organizations continuously monitor third parties throughout engagement cycles. The good news is that companies are increasing their technology budgets to manage supply chain risks. Gartner predicts that by 2025, legal and compliance oversight of environmental, social, and corporate governance (ESG) strategy and disclosures will drive new investments in TPRM solutions for 50% of organizations.
Breaches Caused by Third Parties
TPRM is the process of analyzing and controlling risks associated with outsourcing all types of services to third-party vendors such as IT, security, finance, and operations. TPRM affects organizations from all types of industry and government sectors. Here is but a small sample of the many attacks involving third-party providers.
- A debt collection agency called Credit Control Corporation (CCC) reported to the Department of Health and Human Services a data breach it detected on March 14, 2023. The attack took place the week prior and involved unauthorized access to files that contained the sensitive information of some 345,523 individuals. CCC provides collection services to a long list of healthcare providers, and it was their patients who were affected in the attack.
- Discord is a VoIP and instant messaging platform company that notified its users in May of 2023 that some of their information was compromised in a cybersecurity incident due to the compromise of a third-party services provider (TPSP). It is believed that a threat actor gained access to the credentials of a third-party service provider that managed IT support tickets for the company. The compromised data included email addresses and the contents of customer service messages.
- In February of 2023, a zero-day vulnerability in the GoAnywhere MFT file transfer solution allowed a ransomware organization to access the information of many of its customers, including the City of Toronto, Saks Fifth Avenue and Blue Shield of California.
- The New York City Department of Education confirmed that information involving an estimated 820,000 of its students had been compromised in the summer of 2022 by a cyberattack on one of its third-party service providers. In this case, the provider was a leading provider of student tracking software. Some of the compromised data included names, birth dates and information concerning behavioral incidents and student academic progress.
TPRM Challenges
As the number of your third-party relationships increases, so does the complexity of managing them. Complexity inhibits visibility, and without proper visibility into the environments of your complete service and security stacks, meeting your performance standards, protecting your sensitive data, and meeting regulatory compliance standards all become highly challenging.
Effective TPRM necessitates rigorous due diligence, which includes a comprehensive assessment of the risk profile and security measures of your external suppliers. This process demands a thorough understanding of their cybersecurity policies and procedures, along with verified evidence of completed cybersecurity audits or penetration tests. This becomes especially crucial when these third-party entities are tasked with handling the sensitive data of your customers, employees, business partners, or students. Consequently, it is imperative to evaluate their data safeguarding protocols and confirm their adherence to all applicable data privacy legislation, such as GDPR or CCPA, to ensure your own compliance and establish reasonable security.
HALOCK can assess the security risks not only of your own organization, but also your risk exposure to your interconnected providers and partners. Our security teams can begin with a risk assessment of your total environment and show where you are vulnerable and the reasonable security strategies to address those weaknesses. Along with our partner Panorays, we can also get an external view of the threat and security posture of a company you plan to engage, to ensure their security profile and protocols align with yours.