Managing Third-Party Cyber Security Risks
Cyber attacks via third parties pose a huge and often unrecognized security risk to companies of all sizes. Fortunately, there are steps that you can take to minimize the risk.
- Although direct cyberattacks on organizations get most of the attention, indirect attacks via third parties are also a major source of cyber risk.
- Many companies are under-prepared to defend against threats from their supply chain or other third parties.
- You can help improve cyber resilience by understanding and enforcing security procedures among your third parties, and by providing regular cyber awareness training to your employees.
When defending your business against cyberattacks, it’s vital to understand that you’re fighting a war on several fronts. The first front—direct attacks on your organization—is the one that generally gets the most attention. Many organizations pay less attention to a second front: indirect attacks via third parties, including your supply chain. This second front is often much less well defended, which is ironic considering it is a source of considerable risk. Casualties of an incursion could include your bottom line, your brand and reputation, and your operations.
Connected Ecosystems Introduce New Risks
If you were a general being briefed on the threats from this second front, here’s what your defenders would want you to know. Risks from third parties have increased in part because almost no technology exists in isolation anymore. For example, consider a sophisticated tool used on an automotive production line. The tool sends diagnostic information to the manufacturer. That helps with maintenance, but it also opens a cyber channel into your IT environment.
Nearly all organizations today operate within a connected ecosystem that includes their suppliers. If any part of the ecosystem is attacked, other members of the ecosystem are at risk. The infamous 2013 Target data breach is one such example. The attackers first hacked into the retailer’s heating and air conditioning services subcontractor, then exploited lax access rights to steal data on millions of customers. The breach cost Target more than $18 million. Or consider that Best Buy and Delta Airlines were among several companies compromised when the online chat vendor they shared was infected with malware.
Risks from your third-party connections include:
- Man in the Middle (MitM) attacks
- Ransomware attacks
- Denial of service (DoS) attacks
- Attacks on IoT devices
Almost any time your organization connects with a third party (including via email) you’re potentially at risk. And that exposure may be wider than you realize. A 2018 study by the Ponemon Institute found that, on average, 471 third parties have access to a company’s sensitive data—and the true number may be even higher, because only 35% of respondents knew all the third parties with which they were sharing data.
Companies Are Often Unprepared for Attacks
This information gap suggests a widespread lack of awareness and preparedness that has left many organizations vulnerable to attack. That was underscored by the results of a recent Wall Street Journal survey, which found that only 62% of larger businesses are able to quantify and qualify the risk to or from their suppliers—and only 42% of smaller businesses are able to do so. Even though 70% of organizations see such third-party attacks as a threat, fewer than 60% feel prepared for them.
Given how many potential entry points attackers have, and that defense strategies are often not robust, perhaps it shouldn’t be surprising that cyber criminals are taking advantage. Another survey found that 41% of respondents had suffered attacks via third parties over the past 24 months.
Strategies for Building Cyber Resilience
Fortunately, there are strategies that can help to improve your cyber resilience by reducing the risk from third parties:
Map your data flow. Protecting your data is especially challenging if you don’t know where it goes. So it’s important to map the flow of each piece of data from its creation to its disposal. The goal is to identify where and how your data may be vulnerable. That includes incoming data from third parties. Aspects to consider include:
- Who owns and monitors the data?
- What are the procedures for handling the data?
- What system controls are in place?
- How are security policies enforced?
Review internal and external security procedures. Once you understand where your data goes (or comes from), review your current procedures for protecting it. What’s working well and what isn’t? What are your opportunities for improvement? What’s your greatest exposure? Security is only as strong as its weakest link.
Understand what your third parties do. Knowing where your data comes from and where it goes is a start. But what happens to it when it’s in the hands of third parties? There are several possible approaches to assessing data safety:
- Evaluate metrics such as the volume of transactions and data sensitivity.
- Consider the impact of privacy laws in the locations where the data is processed.
- Assess the security measures that third parties use. One method is to ask third parties to complete a questionnaire about their practices. An alternative is to rely on security scores published by firms that conduct independent analyses. Conceptually, that’s much the same as lenders using credit scores to assess their potential risk when making credit decisions.
Define cyber security guidelines and processes for third parties. Experts note that requiring third parties to follow standard security processes can fortify your defenses. Such procedures might include frequent backups of critical data, timely notice of security breaches, and regular security reports. Another approach is to include security standards in your service-level agreements.
Invest in cyber awareness training. People make mistakes; in fact, human error is a factor in an estimated 95% of all security incidents. Users follow phishing links in emails from malicious actors impersonating your suppliers, they visit fake websites, and they download attachments hiding malware. The best way to reduce that risk is to regularly provide security awareness training to your staff.
Consider cyber insurance. Nothing you do can guarantee that you won’t be attacked, but if you are, insurance can help mitigate your financial losses.
The Bottom Line
Many organizations are unaware of the extent of their exposure to cyber risks from third parties. Fortunately, there are ways that you can better understand third-party risks and defend your organization against them.
Sources
- “What Is Cyber Risk in Third-Party Risk Management?,” Normshield
- “The Industries Most Vulnerable to Cyberattacks—and Why,” WSJ Pro Research
- “IBM X-Force Threat Intelligence Index,” IBM