Whether they are contractors, suppliers, or vendors, third parties are essential to the success of most modern businesses. However, these relationships also pose significant cyber security risks. Third-party risk arises when companies in an organisation’s supply chain are granted access to its systems, data, and other privileged information, which can lead to incidents such as IP theft and data breaches. Even when an incident originates with a third party, the organisation whose systems or data are affected can still be held accountable.
Securelink and the Ponemon Institute published a 2021 report stating that 74 per cent of companies breached in the previous 12 months attributed the incident to granting third parties privileged access. The use of third parties as an attack vector can be seen in a recent series of cyberattacks on big-name companies such as Nvidia, Samsung, and Microsoft. LAPSUS$, the group responsible for these attacks, routinely abused trusted third parties to reach its targets, and the technique has become an effective tactic in its toolset.
Attacks that reach an organisation through its third-party relationships may include:
● Data exfiltration
● Distributed denial-of-service (DDoS) attacks
● Credential theft
● Attacks on IoT systems and devices
● Fileless malware
● Phishing
● Ransomware attacks
● Man-in-the-middle attacks
● Intellectual Property (IP) theft
● Network intrusion
1. Practise due diligence with third parties
Undertaking due diligence across the supply chain can effectively mitigate, reduce, or remediate many of the risks prevalent in third-party relationships. Whenever an organisation plans to work with a new vendor or supplier, or to make changes to high-risk aspects of its business, it should perform initial checks first so that payments or goods cannot be fraudulently intercepted.
A clear understanding of each third party’s security posture is also important, which means conducting a thorough security assessment of every vendor before signing the business contract. Furthermore, organisations should keep these assessment records current so that they can track each vendor’s security posture and confirm that regulatory compliance is continually met.
2. Adopt a third-party cyber risk management plan
Third-party cyber risk management is a structured methodology for analysing, controlling, monitoring, and mitigating the cyber risks associated with third-party service providers, suppliers, and vendors. An effective programme is indispensable for managing and mitigating potential supply chain issues, because it gives the organisation an in-depth understanding of the external entities it engages with and of the quality of the security controls they have in place. Lastly, such a programme should spare no effort in comprehensively monitoring and assessing every area that generates risk, including vendor assessment, risk management, and fourth parties (the third party’s own third parties).
3. Enforce the principle of least privilege
Applying the principle of least privilege is just as critical for an organisation’s third parties as it is for its internal employees: limiting each party’s access to what it actually needs helps prevent unauthorised access to sensitive data and reduces the risk of exposure.
4. Provide staff with security training
When evaluating third-party risk, organisations most often overlook the vulnerabilities introduced by the third party’s own employees. Human error is among the key factors in third-party breaches, as threat actors usually achieve their goals through phishing emails or stolen credentials. Hence, regularly training all employees in cybersecurity best practices is critical to mounting an effective defence against third-party attacks.
5. Manage fourth-party risk
Assessing the organisation’s third parties should also include looking into fourth parties, i.e. the third parties’ own third-party relationships. This matters because the security posture and practices of a vendor’s suppliers can also increase the organisation’s exposure. Monitoring this type of risk entails requiring third parties to notify the organisation, and possibly seek its approval, whenever they need to share sensitive information with fourth parties.
6. Include risk management in third-party contracts
Writing cyber risk requirements into third-party contracts, such as mandating regular security tests and/or maintaining a specific set of security controls, helps hold third parties accountable if their cyber risk posture changes and they fail to respond accordingly.
Given the rampant increase in cyber incidents in recent years, businesses need to widen the scope of their cybersecurity efforts beyond their own four walls to include the third parties they work with. Since attackers now actively exploit these inter-company relationships, organisations should adopt third-party cyber risk management promptly to protect against this growing attack vector.
To ensure your business is always one step ahead of emerging cybersecurity threats, enlist the protection provided by cybersecurity services in Singapore today. At GROUP8, we provide a comprehensive ecosystem of industry-leading solutions that covers all your cybersecurity needs, from CREST-certified penetration testing to blockchain security. For more information, do not hesitate to contact us at hello@group8.co today.