Third Party Cyber Risk: The Weakest Link
In this article ITC’s Executive Chairman William Kilmer considers the biggest cyber security risk organisations face in keeping up with shifts in the current threat landscape.
The biggest cyber security risk organizations face is not a specific threat, but our ability to modernize our defensive approach to keep up with shifts in the current threat landscape. For example, for many years, organizations continued to focus on a perimeter defense approach long after it became clear that the adoption of laptops had shifted the threat to mobile devices. This happened again as infrastructure and software shifted to the cloud, opening another threat window. In each wave, organizations spend years trying to catch up.
Today, threats are shifting yet again, now taking advantage of our increasingly interdependent world by attacks via our third-party partner.
The risk posed by third-parties, including suppliers, affiliates, partners, and contractors, has been brought increasingly into the spotlight by several high-profile companies who have experienced very public and notable breaches that were perpetrated through their partners. One of the largest was Target Corporation’s breach which occurred through an attack on an HVAC supplier that gave hackers direct access to Target through their supplier portal. The attack resulted in a leak of more than 60 million customer records and 40 million credit card numbers, resulting in over $18 million in lawsuit settlements, the resignation of the CEO, a nearly 50% drop in their operating profit, and an incalculable loss of customer confidence.
This type of attack through a third-party is increasingly more common as attackers take advantage of the weakest link to reach high-value targets. This often occurs by breaching a third-party as in Target’s case to get access to the primary target’s information assets.
However, the threat has recently become worse as vendors increasingly share data with partners. Companies such as Philips, Best Buy, and Netflix have had employee, customer information or intellectual property breached while in the possession of a third-party.
A 2017 Ponemon study underscored the magnitude of the problem, highlighting that 65% of all breaches now occur through third-parties. Fortunately, there is hope that organizations are shifting their attention to this threat: a recent survey states that 94% of companies recently expressed that they plan to increase their spending on third-party defenses.
Organizations generally identify third-party risk by periodically surveying their partners directly. While this is a good start, it only provides a static snapshot of the organization, and sifting through surveys is a long, manual process. It’s no wonder that 83% of IT managers say they lack confidence in their existing third-party risk management programme.
A more-effective approach to addressing third-party risk that provides better information to organizations without an accompanying high cost should include:
- Prioritizing vendors and evaluating risk. First, organizations may have dozens or even hundreds of partners and will need to prioritize them based on risk. Start with a list of vendors and create a prioritized list based on an initial evaluation of their security posture, their importance to you, location, etc.
- Understand infrastructure access and asset exchange. Pay particular attention to organizations which have access to your infrastructure, or with which you share confidential information or assets. Review not only the technology but also understand their policies and how well they follow and enforce them.
- Integrate security and vendor procurement policies. Next, create your own governance around how you will review your third-parties, proper risk thresholds, and how you will address unmitigated risks. For example, define what is an acceptable risk and what isn’t, and what you will do if a company will not fix a security issue. Publish these policies and review ways to reinforce them contractually.
- Make it an ongoing process. It’s important that you don’t simply take a snapshot of an organization’s security situation and instead create an ongoing process to monitor your third-party relationships and their security posture on a regular, even monthly, basis.
To facilitate the regular monitoring and mitigation of third-party risk, ITC Secure now offers a third-party risk management service that gives organizations the information they need about their partners and suppliers along with the ability to track risks over time. We provide an outsider view of your third-party partners, reviewing information and providing an objective security score for each vendor on a monthly basis. To further assist organizations, our third-party risk monitoring solution provides real-time alerting, detailed information on the potential risk, and information on how to address and remediate the issue with your vendor.
A weak-link approach to cyber security—identifying the organization’s highest vulnerabilities and fixing those first — would dictate that spending on third-party risk will provide a better return on investment than adding to existing cyber defenses elsewhere. With some forethought, logic, and planning an organization can effectively manage their third-party risk and catch up to the latest threat vector before it’s too late. If you would like to know more about our solution, contact our ITC Secure team today.