Fortifying Defenses Against Third-Party Cyberrisks

Brad Hibbert


February 29, 2024


What do Dollar Tree, Bank of America, Comcast and Colonial Pipeline have in common? Unfortunately, all four have experienced a high-profile third-party data breach, joining a large and growing list of similarly affected enterprises.

Third-party data breaches happen when malicious actors compromise a vendor, supplier, contractor or other organization to gain access to sensitive information or systems belonging to the victim’s customers, clients or partners. They can exact significant costs on businesses, both in direct costs and in the reputational damage that follows once sensitive information is compromised.

According to Gartner, 45% of organizations experienced third-party-related business interruptions over the past two years despite increased investments in third-party cybersecurity risk management (TPCRM). A study by third-party risk management software firm Prevalent found that 41% of companies across various industries have experienced such breaches, with 71% considering them a major concern.

Based on third-party cyber incident trends over the past year, we can expect to see more of the following types of risks in 2024 and beyond:

  • Software and service failures and supply chain breaches
  • Privileged and account-based attacks
  • Malware infections/spread
  • Unauthorized use/access
  • Denial of service attacks
  • Breaches and incidents in third- and fourth-level partners and vendors

But businesses are not defenseless against these breaches, even those that target partner and vendor organizations. To best manage third-party cyberrisks, it is essential to understand their unique nature and the holistic steps companies can and must take to fortify their defenses.

Understanding the Challenges

From a third-party risk perspective, businesses face several primary challenges. First, many companies do not have a complete inventory of all the third parties with whom they share data or system access. It is relatively easy to spin up a service or start paying for an AI subscription, for example, without considering the security implications or getting IT security’s buy-in first. In that sense, AI could be considered the new “shadow IT.” Your organization needs to know what tools are being used anywhere in the enterprise and to have good IT governance processes in place to ensure the secure usage of these tools.

Another challenge is a lack of active participation by vendors, suppliers and other third parties in many organizations’ risk assessment processes. The vendor may have completed a SOC 2 or ISO certification and might believe those audit reports provide everything customers need to assess their risks. However, a proper risk assessment typically involves more analysis, control mapping and a broader view of the impact of those risks on the business, which only comes with a deeper inspection of internal controls.

Many companies simply skip these critical steps or perform only cursory examinations. Products that automate risk assessment and analysis can help make it easier and faster for all parties to accurately assess risks before deals are signed and business arrangements are set in stone.

How to Manage Third-Party Cyberrisks

Many third-party vendors that businesses rely on may not have taken thorough steps to satisfy compliance regulations or maintain an acceptable security posture. Conducting detailed due diligence and establishing incident response processes are critical cyberrisk considerations in third-party partnerships. The following five measures can help any business to minimize the risk of a third-party data breach:

1. Review procurement team processes for better third-party governance. In addition to standard compliance checks, understanding inherent cyberrisks when sourcing, selecting and onboarding new vendors will provide more visibility into potential vulnerabilities and help prescribe the right due diligence path.

2. Prioritize risk reviews. Third-party risk reviews should start by defining the controls with which the third party needs to demonstrate compliance. Then, determine the frequency of security reviews, and define a remediation and arbitration process to handle third-party risks.

3. Test third-party incident response procedures. Define an incident management process for dealing with third-party cyber incidents and continually test responses and communications using tabletop exercises. This process will improve breach communications and ultimately shorten recovery times in the event of an incident.

4. Isolate access and systems if a breach occurs. Leverage local host restrictions, network access controls, privilege restrictions and account removal/locks to stop attackers from freely moving throughout your network.

5. Continuously monitor for third-party breaches and vulnerabilities. Monitor internal behaviors of affected software and platforms, access to and from vendors and other parties, and reputation and threat intelligence services to determine the impact on your organization. Monitor the external threat landscape for significant third-party breaches and vulnerabilities. When breaches occur or supply chain vulnerabilities are identified, proactively reach out to assess your supply chain for risk and for active response measures.

Additionally, businesses can work to shore up their defenses by incorporating risk mitigations specifically related to third-party cyberrisk into existing processes. Effective cyberrisk management requires thorough vendor assessments, defining clear risk criteria, using risk rankings to prioritize vendors, and establishing effective communication channels for breach notifications and incident response coordination.

Another critical step is conducting comprehensive reviews of procurement team processes to ensure that they are examining the full picture of risk that a potential third party introduces to the business. This includes cyber vulnerabilities, operational risks, reputational concerns, compliance obligations and financial standing. From a cyber perspective, a company must also assess vendor security controls.

Finally, a secure organization should have a structured risk remediation process in place to determine what constitutes acceptable risk to the business. By mitigating risks associated with third-party relationships, organizations can enhance their overall cybersecurity posture and protect sensitive assets from potential threats. These reviews also facilitate better alignment with regulatory requirements and industry standards, fostering a culture of compliance and risk awareness across the organization.

Developing Pre- and Post-Incident Plans

Effective planning before an incident makes all the difference when it comes to managing future risks. It is essential to have mechanisms to quickly identify the impact of a breach across the organization, such as documentation and up-to-date visibility of the connections and data flows between the business, third parties and fourth parties. This enables the isolation of impacted assets and services for the necessary triage. By quickly identifying the impact, organizations can also control the narrative better through factual external communications with impacted parties and drive any immediate resolution paths. Of course, if an organization lacks the resources or expertise in-house, reputable security firms should be able to assist.

Once the breach has been appropriately handled, it is always prudent to conduct a post-mortem highlighting the impact and the resulting steps taken to ensure it is unlikely to recur. This feeds into a continuous improvement process, setting the organization up for success against future cyberrisks.

Brad Hibbert is COO and CSO at Prevalent.