Third-party Vendor Risk: Protecting Your Company Against Cyber Threats
In a world of ever-growing cybersecurity threats, it’s no longer enough to focus on your own company, its defenses, and the fraudsters plotting to break through them. You also have to worry about the potential danger posed by third-party vendors in your supply chain.
According to Verizon’s 2022 Data Breach Investigations Report (DBIR), released in May 2022, 62% of system intrusion incidents in the past year came through an organization’s partner.
“Compromising the right partner is a force multiplier for cybercriminals,” Verizon notes. In other words, it’s very efficient for them to compromise a supply chain vendor, because once that’s done, all the vendor’s clients are compromised too.
Forms of third-party risk
The danger associated with supply chain cyberattacks is often referred to as “third-party risk,” and there are two primary forms:
▪ Risk associated with service partnerships. Your company assumes additional cybersecurity risk when you use third parties to support or directly provide a service to your customers. Often such a partnership requires your business to share customer data with the third party.
The added risk of working with third-party providers is that you are no longer counting on just your company’s own defenses to protect your customers’ data. You are also relying on the defenses of those third parties.
▪ Risk associated with your interconnectedness with a supply chain partner or vendor. This is the risk that a third party, having access to your network, could unwittingly serve as an access point for a fraudster to compromise the network or the data you have stored there.
An example of this danger is the highly publicized data breach at retail giant Target Corp. in late 2013 that affected more than 41 million of the company’s customer payment card accounts. According to published reports, cyberattackers gained access to Target’s computer network through credentials stolen from one of the company’s heating and air conditioning vendors.
The fraudsters breached the vendor’s network through malware delivered in an email. They stole the virtual private network credentials the vendor was using to remotely connect to Target’s network and used those credentials to gain access to Target’s customer service database.
Effectively managing supply chain cybersecurity risk requires companies to extend their information security perimeters. Failure to do so, as Target and others have discovered, can lead to a range of consequences, from customer data breaches to account takeovers. Such events can cause operational disruptions; loss of data, including intellectual property; financial losses; and reputational damage.
Evaluating a third-party’s policies and practices
To minimize third-party vendor risk, companies need to thoroughly review the information security policies and practices of their vendors before bringing them on and then at regular intervals.
Start by reviewing the vendor’s Service Organization Control 2 (SOC 2) report, an outside auditing firm’s evaluation of its controls. Make sure the vendor has implemented key security principles such as segregation of duties and “least privilege.”
The principle of least privilege limits each user’s access rights so that only the vendor employees who need access to your data have it. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it.
Companies should also investigate whether a vendor has any technical vulnerabilities. For instance, does its software have all the necessary, up-to-date patches? Are its security settings configured to defend against unauthorized access? And is any of the vendor’s technology at the end of its life or no longer supported by the supplier?
You should review higher-risk vendors at least once a year. Also, consider reviewing vendors with access to your company’s most sensitive data and core banking processes on site, where your staff member or a contracted auditor can witness whether the vendor is actually practicing the principles, such as segregation of duties and least privilege, that are attested to in the SOC 2 report.
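One way to put the least-privilege and annual-review checks above into practice is to compare the access a vendor’s accounts actually hold on your systems against what the vendor’s IAM policy documents as needed, and to flag grants that exceed that need or that have gone unreviewed for longer than the review interval. The script below is an added example written for this article, not code from the article or from any vendor; the policy, the account inventory, the role names and the dates are all constructed placeholders.

```python
"""Least-privilege audit of vendor access grants (added example).

Compares what vendor accounts actually hold in your IAM against the
access the vendor's own IAM policy documents as needed, and flags
grants that exceed that need or whose last review is older than the
review interval. Every value below is constructed for illustration.
"""
from datetime import date

# The article recommends reviewing higher-risk vendors at least yearly.
REVIEW_INTERVAL_DAYS = 365
AUDIT_DATE = date(2024, 3, 1)  # constructed "today" for the audit

# Hypothetical IAM policy supplied by the vendor: which of its roles
# need which actions on which of your data sets. Anything not listed
# here is, by definition, not needed.
VENDOR_IAM_POLICY = {
    "support_engineer": {"customer_records": {"read"}},
    "hvac_technician": {"building_controls": {"read", "write"}},
}

# Hypothetical inventory of what vendor accounts actually hold in your IAM.
ACCESS_GRANTS = [
    {"account": "v-alice", "role": "support_engineer",
     "resource": "customer_records", "actions": {"read"},
     "last_reviewed": date(2023, 9, 1)},
    # Holds write/export although the policy only documents a need for read.
    {"account": "v-bob", "role": "support_engineer",
     "resource": "customer_records", "actions": {"read", "write", "export"},
     "last_reviewed": date(2023, 9, 1)},
    # A facilities role with access to customer data, and a stale review.
    {"account": "v-carol", "role": "hvac_technician",
     "resource": "customer_records", "actions": {"read"},
     "last_reviewed": date(2021, 1, 15)},
]


def check_grant(grant, policy, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return a list of finding strings for one grant (empty means compliant)."""
    findings = []
    needed = policy.get(grant["role"], {}).get(grant["resource"])
    if needed is None:
        findings.append(
            f"{grant['account']}: role {grant['role']} has no documented "
            f"need for {grant['resource']}")
    else:
        excess = grant["actions"] - needed
        if excess:
            findings.append(
                f"{grant['account']}: excess actions on "
                f"{grant['resource']}: {sorted(excess)}")
    age_days = (today - grant["last_reviewed"]).days
    if age_days > interval_days:
        findings.append(
            f"{grant['account']}: last reviewed {age_days} days ago, "
            f"exceeds the {interval_days}-day review interval")
    return findings


def audit(grants, policy, today):
    """Map each non-compliant account to its list of findings."""
    report = {}
    for grant in grants:
        findings = check_grant(grant, policy, today)
        if findings:
            report[grant["account"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(ACCESS_GRANTS, VENDOR_IAM_POLICY, AUDIT_DATE).items():
        for finding in findings:
            print(finding)
```

In practice the grant inventory would come from an export of your own IAM or VPN access lists rather than a hard-coded list, and the policy side from the document the vendor provides during onboarding; the comparison logic stays the same. Findings of the "no documented need" kind are the ones to raise first, since they are exactly the access a stolen vendor credential would inherit.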
Companies can also use third-party information security ratings providers to bolster their evaluations. These providers will review a vendor’s technology controls and provide a report with a score. Be sure to choose a provider that is commonly used by your industry.
Also include in your evaluations a review of the vendor’s financial health and stability. This can tell you if the vendor is well-positioned and a healthy company, and therefore more likely to invest appropriately in information security.
Avoiding a supply chain attack
Here are four actions you can take to protect your company against supply chain cyberattacks:
Addressing a huge and growing risk
The potential for supply chain cyberattacks is a huge and growing risk for companies. These days, all businesses are connected to the internet, and the threat has only been magnified as we’ve moved from local to global supply chains.
As a result, it’s critical that all companies work to fully understand the risks they face related to third parties, maintain a complete list of all companies involved in any of their supply chain activities, and ensure they have the proper controls in place to protect themselves.