It has become the norm for businesses today to rely on a multitude of third-party service providers and other vendors to support core business functions. It’s also pretty common for these third-party entities to have access to a company’s data and its internal systems. This interconnectivity presents an inherent risk that must be managed. After all, you can outsource the function, but never the responsibility.
Since the massive Target data breach in 2013, the cybersecurity risk that third parties pose has been generally accepted. However, the risk does not seem to be diminishing. Some 75% of the IT professionals surveyed by the Ponemon Institute acknowledged that the risk of a breach from a third party is serious and increasing. And according to a survey by Soha Systems, 63% of all data breaches can be linked either directly or indirectly to third-party access.
Vendor Data Breach: Typical Scenario
Most cybercriminals are looking to steal valuable information that they can profit from, including credit card numbers, social security numbers, bank account information, etc. If your organization stores or processes this valuable information, you could become a target.
Once you’ve been targeted, the bad guy is going to do some reconnaissance on your organization. It’s easy to find useful information on the internet, and that research will likely turn up several of your third-party vendors. If the hacker isn’t able to penetrate your security defenses, they will turn their focus to your vendors’ networks. They’ll probe the vendors’ exposed ports and services, or maybe send phishing emails. Odds are, they are going to get a hit. It only takes one.
Once they gain access to a vendor’s network, they will typically try to move through that network looking for a way into yours. Hackers use a technique called pivoting: using a compromised device as a foothold from which to reach other devices.
If your vendor doesn’t have the right security controls in place, they may not even detect that a breach has occurred. The hacker could potentially sit on the vendor’s network for days, weeks, or even months until they obtain the credentials needed to pivot onto your network.
With the necessary credentials, they have access to your data. They can deploy ransomware on your systems. They can exfiltrate your information.
Potential Third-Party Vendor Relationship Risks
Organizations should take a risk-based approach to managing their vendors. Managing risk is critical, and that process starts with a risk assessment. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed to threats. As part of this process it’s important to keep in mind the different types of risk that vendors can pose to your organization, including:
- Compliance risk is related to violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or business standards.
- Strategic risk is related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
- Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
- Transactional risk is related to problems with service or product delivery.
- Reputational risk is related to negative public opinion.
Mitigating Third-Party Vendor Risks
When you give network access to your vendors, you are providing additional avenues for threat actors to find a route into your network. That means you need to ensure that your vendors are taking cybersecurity as seriously as you do. In addition to implementing security controls that will help prevent breaches, they should also be focused on cyber resiliency should an attack occur.
The NIST Cybersecurity Framework provides a great guideline for all businesses to follow.
- Identify: The first step is to identify what the potential threats are.
- Protect: Then everything that can be done to protect and prevent should be done.
- Detect: Next we need to be able to detect when an event is occurring and determine whether it rises to the level of an incident.
- Respond: We also need to develop what our response to various incident scenarios will be.
- Recover: Finally, how do we recover? Depending on the extent of the incident and the amount of damage done, the scope of this step can be difficult to ascertain.
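The Detect step is where the vendor-pivot scenario above is usually caught: a vendor account is normally granted access to a narrow set of systems, from known addresses, during business hours, so a session that breaks any of those constraints is worth an alert. The following is an added example, not code from the original post; it checks constructed authentication log lines against a constructed per-vendor access policy (the account names, hosts, addresses and the key=value log format are all assumptions) and returns the sessions that stray outside what the vendor was granted.

```python
"""Flag vendor-account sessions that deviate from the access the vendor was granted.

Added example; the log format, account names, hosts and allowlists are constructed.
"""
from datetime import datetime

# Constructed access policy: which hosts each vendor account may reach,
# which source addresses it may come from, and its allowed hour window [start, end).
VENDOR_POLICY = {
    "vendor-hvac": {
        "allowed_hosts": {"bms-01"},
        "allowed_src": {"203.0.113.10"},
        "hours": (8, 18),
    },
    "vendor-payroll": {
        "allowed_hosts": {"hr-app-01"},
        "allowed_src": {"198.51.100.7"},
        "hours": (7, 19),
    },
}

# Constructed sample log: one successful authentication per line.
SAMPLE_LOG = """\
2024-03-04T09:12:44Z user=vendor-hvac src=203.0.113.10 host=bms-01 result=success
2024-03-04T09:40:02Z user=vendor-hvac src=203.0.113.10 host=pos-db-02 result=success
2024-03-05T02:15:09Z user=vendor-payroll src=198.51.100.7 host=hr-app-01 result=success
2024-03-05T10:01:30Z user=vendor-payroll src=192.0.2.55 host=hr-app-01 result=success
2024-03-05T10:03:11Z user=alice src=10.0.0.12 host=hr-app-01 result=success
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def evaluate(event, policy):
    """Return the reasons this event violates the vendor's policy (empty list = in scope)."""
    reasons = []
    if event["host"] not in policy["allowed_hosts"]:
        reasons.append(f"host {event['host']} not in scope")
    if event["src"] not in policy["allowed_src"]:
        reasons.append(f"source {event['src']} not allowlisted")
    start, end = policy["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append(f"login at {event['ts'].hour:02d}:00 outside window")
    return reasons


def find_anomalies(log_text, policy_table=VENDOR_POLICY):
    """Return (timestamp, account, reasons) for every vendor session that breaks policy."""
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        policy = policy_table.get(event["user"])
        if policy is None:
            continue  # not a vendor account; employees are out of scope here
        reasons = evaluate(event, policy)
        if reasons:
            alerts.append((event["ts"].isoformat(), event["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, account, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {account}: {'; '.join(reasons)}")
```

Run against the sample log, the HVAC vendor reaching a POS database, a payroll vendor login at 02:15 and a payroll login from an unknown address are reported, while the in-scope sessions and the employee login are not. The policy table is the piece that has to come from your vendor onboarding process; the detection logic is only as good as the scope you recorded when access was granted.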
One of the best ways to mitigate cybersecurity risk posed by third-party vendors is to implement a Vendor Risk Management Program. Learn how to build an effective program in our blog post, Seven Steps to a Successful Vendor Risk Management Program.