Cooperation is the key to success, so working with third parties helps your organization increase efficiency, offer better products and services, employ highly qualified experts, and cut costs. But all these benefits come at the price of additional cybersecurity risks.
Minor flaws in your third-party vendor’s security and privacy routines may lead to a breach in your organization’s cybersecurity. In this article, we analyze third-party cybersecurity risks and provide guidance on how to mitigate them.
Why manage third-party cybersecurity risks?
A third party is any entity your organization works and interacts with. Third parties include vendors, suppliers, partners, manufacturers, subcontractors, service providers, distributors, and resellers.
A third party could be an IT company providing you with the necessary software; an outsourced logistics firm transporting your goods; a third-party accountant helping you manage finances; and many more. With such variety among third-party entities, you can never be sure which ones could jeopardize your organization’s cybersecurity.
As third-party vendors often have access to your sensitive data or systems, cybersecurity incidents on their side can result in data breaches in your own organization.
Third parties may not take their network security as seriously as you want them to. Knowing this, hackers may choose not to attack your company directly. Instead, they may look for an easier target among your third-party vendors. A compromised subcontractor can easily be used as an entry point for cybercriminals. This is how a supply chain attack works.
Third-party-related attacks are on the rise
The number of third-party-related data breaches is increasing. According to the State of Cybersecurity and Third-Party Remote Access Risk study by the Ponemon Institute, 49% of organizations experienced a data breach or a cyberattack caused by a third party in 2022. This represents a 5% increase from 2021.
The results of annual Data Risk in the Third-Party Ecosystem studies by the Ponemon Institute also show an increase in third-party-related data breaches. However, organizations are now becoming more prepared for them:
Many organizations struggle to manage third-party security risks due to the lack of two things: visibility and control.
Organizations often don’t have the full picture of what their third-party vendors do with their critical data and systems. For example, if a third-party vendor uses a shared account to access your corporate network, you won’t be able to determine which of their specialists has made a particular change in the system.
Are organizations liable for third-party data breaches?
The formal responsibility for securing sensitive data may extend beyond the walls of your organization. Your responsibility for third-party data breaches is outlined in data security laws and standards you may be subject to:
- According to Chapter 8 of the General Data Protection Regulation (GDPR), when you (the data controller) outsource data processing to another organization (the data processor), you become responsible for that organization’s compliance. If a data breach occurs, both the data controller and the data processor have specific responsibilities.
- According to Requirement 12.8 of the Payment Card Industry Data Security Standard (PCI DSS), any organization involved in payment card processing must have policies and procedures in place to manage all third-party service providers. You must pre-assess the possible effects of any potential data breaches caused by your third-party vendor. Organizations must also check the compliance status of their third parties at least once every 12 months and make sure that they meet the applicable requirements.
- According to the Health Insurance Portability and Accountability Act (HIPAA), even when a data breach happens on a third-party vendor’s side, the healthcare provider is held responsible for not ensuring the safety of patient data.
In addition to liability risks, organizations may face many other risks depending on the nature of your cooperation with third-party vendors. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.
What are third-party security risks?
The financial and technical capabilities of small service providers and subcontractors don’t always match the capabilities of their clients. Therefore, while aiming for a bigger win, cybercriminals may start small and look for an easy target within your supply chain.
A compromised third-party vendor may lead to multiple risks that can be split into five major categories:
- Cybersecurity risks — Subcontractors usually have legitimate access to their clients’ different environments, systems, and data. Attackers may use a third-party vendor as an entry point to get hold of your valuable assets.
- Operational risks — Cybercriminals may target your internal systems and the services you use. This can lead to partial interruptions of your operations or even halt them altogether.
- Compliance risks — International, local, and industry-specific standards and regulations set strict cybersecurity criteria that organizations should meet. If a third party fails to secure your data, non-compliance with data protection requirements may have legal consequences.
- Reputational risks — Having your valuable data and systems compromised is a red flag for your partners and customers. There’s no guarantee that you’ll be able to fully recover your reputation after a severe cybersecurity incident.
- Financial risks — Any of the risks above can affect your financial success. For example, an operational disruption caused by a third-party-related cyberattack could reduce your revenue. Or, a data breach caused by one of your vendors might lead to fines and compensations.
Common third-party security threats
Let’s get more specific.
To make your cooperation with subcontractors more secure, you need to understand the threats they can pose to your company’s cybersecurity. Let’s focus on six common types of threats:
- Privilege misuse — Third-party vendors may violate access privileges you grant them in various ways and for multiple reasons. For example, your subcontractor’s employees may misuse their privileges to engage in malicious activities or try to escalate their privileges in order to get unauthorized access to your sensitive assets.
- Human error — Your subcontractor’s inadvertent mistakes can cause just as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, inputting the wrong data, and misconfiguring systems and solutions. These seemingly innocuous mistakes can still lead to data leaks, service outages, and significant revenue losses.
- Data theft — Alongside unintentional data damage, there’s a high risk of targeted data theft by third parties. Employees of your vendors, subcontractors, and even partners can steal valuable business information and use it to their advantage.
- Social engineering — Hackers may perform phishing attacks by pretending to be one of your third parties. In such a way, they can trick your employees into revealing sensitive information or downloading a malicious attachment to infiltrate your network.
- Software supply chain attacks — Cybercriminals may compromise the software or hardware provided to you by third parties. Injecting malicious code or hardware components into products your organization uses can lead to vulnerabilities and backdoors that can be exploited.
- Fourth-party threat — Fourth parties or second-tier third parties are subcontractors of your subcontractors. Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices isn’t enough. You also need to understand how they manage their own supply chains.
Examples of third-party security incidents
To get an idea of what your organization may be faced with, let’s take a look at a few recent examples of cybersecurity incidents involving third parties:
Type of incident: Data breach at a third-party supplier
Consequences:
- Disruption of business operations
- Production deficit of 13,000 cars
In February 2022, Toyota halted operations in Japan after a large data breach at its plastic parts supplier, Kojima. Since Kojima had remote access to Toyota’s production facilities, Toyota shut down production to safeguard sensitive data. Although Toyota did not appear to suffer any direct cyber consequences, the shutdown left the company with a production deficit of 13,000 cars, or 5% of the monthly production plan. The breach also impacted the operations of Toyota’s subsidiaries.
Type of incident: Data leak caused by third-party negligence
Consequences:
- 1.6 million sensitive records leaked
- Potential legal disputes with affected customers
In June 2021, another car manufacturer, Mercedes-Benz USA, announced a data leak through its vendor’s cloud storage. The leaked data contained customers’ and potential buyers’ sensitive and personal information, including social security numbers, addresses, and phone numbers. Mercedes-Benz claims that the breach affected fewer than 1,000 customers. As for how the breach was made possible, the data stored in the vendor’s cloud storage platform was “inadvertently made accessible”. This is why monitoring your third parties’ security measures is important.
Type of incident: Attack on a fourth-party service supplier
Consequences:
- Personally identifiable information compromised
- Potential fines due to non-compliance with healthcare data protection regulations
In March 2022, the Highmark healthcare company suffered a data breach after a cyberattack on a printing and mailing service provider, Quantum Group. The leaked information contained the personal data of Highmark’s members. Quantum Group received this information from Highmark’s marketing vendor, Webb Mason. This actually made Quantum Group a fourth party to the Highmark company. Managing fourth-party cybersecurity risks is even harder, as visibility over Nth parties is frequently close to zero. This opens up a new level of risk management called cyber supply chain risk management.
Luckily, you can effectively manage third-party security risks by following a set of supply chain security best practices that will significantly improve your company’s cybersecurity posture.
Third-party security risk management: 7 best practices
A systematic approach can help you mitigate potential cybersecurity threats and manage risks coming from third parties. Third-party risk management (TPRM) is an example of such an approach.
In a nutshell, TPRM is the process of determining, analyzing, and managing third-party risks. This process can cover different aspects of your company’s operations: work with sensitive data and intellectual property, access management, financial operations, and so on.
There are several international standards and commonly used frameworks that can serve as a basis for outlining your third-party risk management strategy. The following resources will prove particularly helpful:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publication 800-53
- ISO/IEC 27000:2018
- ISO/IEC 27001:2022
- ISO/IEC 27002:2013
The recommendations in these resources can be summarized as seven third-party security risk management best practices:
1. Make an inventory of your third parties
Start by making an inventory of all your third-party vendors and service providers. Next, classify them according to the level of their impact on your organization: low, medium, or high. The more critical data is exposed to a particular vendor, the higher that vendor’s possible impact on your organization. Consider developing a framework for categorizing vendor impact and use it when starting to work with new subcontractors.
Due diligence is also essential for understanding your third parties’ reliability, so conduct background checks and assessments of vendors’ attack surfaces. When assessing and documenting the potential level of impact and security of your third parties, ask the following questions:
2. Delineate responsibilities
To legally protect your organization and set the right expectations, it’s vital to establish robust contracts and agreements that clearly outline every security aspect of your cooperation with third parties.
Consider signing service-level agreements (SLAs) to determine who’s responsible for what in ensuring your mutual cybersecurity. Document everything: what kinds of sensitive information your third-party vendor can access and store, what security precautions they should take to protect that data, what compliance requirements they must follow, how often they should perform security audits, and so on.
3. Establish cybersecurity policies
Set clear cybersecurity rules for third-party vendors and your employees cooperating with them. Develop an internal policy that clarifies the responsibilities of each party and outlines standard actions for different procedures and cases. And make sure to familiarize both your employees and your subcontractors with these rules.
Additionally, you can implement a vendor management policy (VMP) that is specifically designed to guide you in mitigating third-party risks within your IT infrastructure. A VMP describes how to identify and manage third parties carrying potential risks.
4. Limit third-party access
If you grant third parties access to your IT infrastructure to provide them with some information or let them perform their services, do it wisely. Use the principle of least privilege as the basis of your access management, giving your third-party users the minimum level of access. By restricting access to only what’s essential to perform a specific task, you’ll reduce the risk of unauthorized third-party activity and potential security breaches.
Consider deploying a privileged access management (PAM) solution to make sure that only legitimate users can access your company’s sensitive information. Two-factor authentication (2FA) tools can also secure your critical accounts even if user credentials get stolen. When choosing an access management solution, give preference to those that can generate one-time passwords and put time limits on third-party access.
5. Enable continuous third-party activity monitoring
Continuous monitoring of user activity is a common requirement of many IT regulations, laws, and standards. Monitoring a third-party vendor’s activity within your network lets you see who does what with your critical assets and detect threats.
Look for a solution that can monitor and record user sessions in a comprehensive format suitable for further auditing of your third-party vendors’ activity. Reports based on the results of third-party vendor security monitoring can help you pass external audits, evaluate your cybersecurity during internal audits, and investigate cybersecurity events.
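The following script is an added example, not code from the original article or from Ekran System. It puts the advice of practices 4 and 5 into working form: each vendor user gets a named account with a least-privilege scope, an expiry date and an approved login window, and constructed session log lines are checked against those grants so that expired access, out-of-scope systems, out-of-hours logins and unattributable shared accounts are flagged for review. All account names, systems and log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class VendorGrant:
    """One third-party user's access grant (hypothetical structure)."""
    account: str          # named account issued to one vendor employee, never shared
    vendor: str
    systems: frozenset    # least-privilege scope: only the systems the task needs
    expires: datetime     # time limit on the access
    hours: tuple          # approved login window as (start, end) local times


# Constructed grants for two vendor users.
GRANTS = {
    "acme-jdoe": VendorGrant("acme-jdoe", "Acme Logistics", frozenset({"wms-prod"}),
                             datetime(2024, 3, 31, 23, 59), (time(8, 0), time(18, 0))),
    "beta-rlee": VendorGrant("beta-rlee", "Beta IT Services", frozenset({"erp-prod", "erp-db"}),
                             datetime(2024, 2, 15, 23, 59), (time(9, 0), time(17, 0))),
}

# Constructed session records in the form timestamp|account|system|action.
SESSION_LOG = """\
2024-03-05T10:12:00|acme-jdoe|wms-prod|login
2024-03-05T02:40:00|acme-jdoe|wms-prod|login
2024-03-05T11:03:00|acme-jdoe|erp-db|login
2024-03-06T14:20:00|beta-rlee|erp-prod|login
2024-03-06T15:00:00|vendor-shared|erp-prod|login
"""


def parse_line(line):
    """Split one session record into (timestamp, account, system, action)."""
    ts, account, system, action = line.split("|")
    return datetime.fromisoformat(ts), account, system, action


def evaluate(ts, account, system, action, grants=GRANTS):
    """Return the list of alert reasons for one event; an empty list means it is clean."""
    grant = grants.get(account)
    if grant is None:
        # No named grant: a shared or unknown account cannot be attributed to a person.
        return ["unknown_or_shared_account"]
    alerts = []
    if ts > grant.expires:
        alerts.append("access_expired")
    if system not in grant.systems:
        alerts.append("outside_granted_scope")
    start, end = grant.hours
    if action == "login" and not (start <= ts.time() <= end):
        alerts.append("login_outside_approved_hours")
    return alerts


def audit(log_text, grants=GRANTS):
    """Evaluate every record; return {(account, system, iso timestamp): reasons} for flagged events."""
    findings = {}
    for line in log_text.strip().splitlines():
        ts, account, system, action = parse_line(line)
        reasons = evaluate(ts, account, system, action, grants)
        if reasons:
            findings[(account, system, ts.isoformat())] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit(SESSION_LOG).items():
        print(key, "->", ", ".join(reasons))
```

In a real deployment the grants would come from the access management system and the records from session recordings or authentication logs, with the findings feeding the alerting described in practice 6.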
6. Plan for third-party incident response
Preparing for a vendor-related cybersecurity incident saves you time and money on incident remediation. To do this, analyze the scope of third-party cybersecurity risks relevant to your company and then develop formalized procedures for responding to third-party-caused security events.
To promptly detect cybersecurity threats, use a dedicated solution that can alert you about security events and suspicious third-party activity. Choose responsible personnel to be notified in case of a third-party-related cybersecurity incident, and add their names and contact information to your incident response plan.
7. Work with your third-party vendors to improve security
Performing regular audits and evaluations of your third-party vendors’ cybersecurity can help mitigate many risks. You can also use reports from your third-party security monitoring solution and incident response system to analyze the way your vendors interact with your critical systems and sensitive data.
In addition, consider performing regular assessments using vendor risk management questionnaires. You can compose questionnaires from scratch or use templates that match your company’s requirements. Having third parties fill out questionnaires will help you evaluate their cybersecurity approaches and identify vulnerabilities.
Common challenges of third-party security risk management
While implementing the aforementioned third-party risk management best practices, you may face challenges. The most common are:
1. Limited visibility
It’s quite difficult to assess the implemented security practices and detect the network vulnerabilities of your third-party vendors. Self-assessments performed by your vendors are frequently subjective and might not reveal the actual state of third-party vendors’ security. The number of third parties your organization interacts with also plays a crucial role, as keeping track of hundreds or even thousands of vendors, suppliers, and subcontractors is challenging.
To address this issue, your organization can employ continuous monitoring solutions. This might not give you the complete picture of third-party security, but will provide visibility into the activities and security practices of third-party vendors within your infrastructure.
2. Negotiation difficulties
Negotiating security terms and enforcing security clauses in contracts with third parties can be difficult, especially when dealing with large vendors who may resist these terms. Furthermore, your third-party vendors’ security standards and procedures may differ from yours. Aligning these standards with your organization’s security needs might be challenging, potentially resulting in security vulnerabilities.
To solve this problem, establish clear security requirements in SLAs, engage in open dialogues, and compromise where necessary while minimizing potential risks.
3. Poor engagement
Engaging vendors in cybersecurity discussions can be tough, especially when they have different perspectives and priorities. The struggle often involves persistent follow-ups that can extend for months to obtain questionnaire responses.
To foster better engagement, it’s essential to centralize all third-party risk management activities. This approach can help you streamline the process, eliminating issues like cumbersome spreadsheets and version control problems, which will result in a more efficient and scalable security assessment process.
4. Incident response coordination
Coordinating incident response is a major difficulty in third-party security risk management. Time is critical when a security breach or event involving a third party happens. Effective communication and collaboration are essential for quickly containing and mitigating the breach. The challenge lies in coordinating several parties, including your organization, the third-party vendor, incident response teams, and sometimes legal entities.
Therefore, it’s vital to establish clear lines of communication and incident response protocols ahead of time in order to streamline the coordination process and reduce response times.
5. Supply chain complexity
Managing security in organizations with complex supply chains can be extremely difficult. These intricate networks frequently involve numerous tiers of third-party vendors and providers, each with its own set of cybersecurity procedures and vulnerabilities. This intricacy can make risk management more difficult because it requires a solid grasp of security throughout the whole supply chain.
To succeed in managing your supply chain risks, your organization should monitor each level of third-party interaction, identify any security gaps, and implement appropriate security controls.
Trends and the future of third-party risk management
As the digital landscape evolves, so do the challenges associated with managing third-party risks. Let’s explore the main third-party risk management trends you can leverage in the near future:
Increasing emphasis on supply chain resilience
Gartner suggests that organizations should put an increased focus on third-party security risks in the supply chain, since supply chain risks are expected to keep increasing in the foreseeable future.
“Recent cybersecurity incidents have highlighted weaknesses in supply chains. By 2025, 60% of organizations will use cybersecurity risk as a significant factor in conducting third-party transactions to prevent the compromise of information, systems, and infrastructure.”
Gartner, 2023 Leadership Vision for Security and Risk Management Leaders (subscription required)
Your third-party risk management program should define all inherent risks posed by your supply chain and ensure that you implement relevant cybersecurity measures.
Addressing AI threats
Gartner predicts that more than 80% of enterprises will deploy generative artificial intelligence by 2026, up from less than 5% in 2023, which will influence third-party risks as well. For example, a third-party vendor could potentially compromise your sensitive data by using it as a prompt in generative AI tools.
Forbes suggests organizations identify any AI apps that could potentially increase their risk exposure and double down on their third-party risk management in 2024.
Implementing zero trust
Zero trust security is the future of cybersecurity.
“By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.”
Gartner, Top Cybersecurity Predictions 2023-2024 (subscription required)
The zero trust security approach assumes that both your and your third-party vendors’ accounts can be compromised and, therefore, requires verification from anyone trying to access your sensitive data. By implementing zero trust, you can significantly enhance your third-party risk management and minimize the chances of data breaches.
As the volume and complexity of vendor relationships continue to expand, organizations will increasingly turn to automation to reduce third-party risks. Using dedicated software can improve the efficiency of your third-party risk management processes while reducing manual workloads and increasing your security team’s productivity.
Automation and risk assessment technologies can be of great help, so read on to learn more about them.
Monitor third-party security risks with Ekran System
As an all-in-one insider risk management platform, Ekran System can help you manage third-party security risks. Among other things, Ekran System enables your organization to:
- Monitor the activity of your third-party vendors and service providers inside your IT infrastructure in real time
- Collect and review records of third-party user sessions in a searchable screenshot format
- Granularly manage access for your third-party users, providing them with role-based access permissions, one-time passwords, and manual access approval
- Verify third-party user identities with the help of two-factor authentication to protect your critical accounts
- Detect and respond to security threats with the help of highly customizable user activity alert rules
- Leverage the AI-powered user entity and behavior analytics (UEBA) module to automatically detect third-party logins at unusual hours
- Generate detailed reports based on a wide selection of criteria
Ekran System can help you enhance visibility into the actions of every user in your network. The Ekran System platform is stable, customizable, easy to manage, and can be integrated with your current SIEM and ticketing systems.
Your third-party vendors often have legitimate access to your organization’s critical systems and sensitive data. Yet many subcontractors’ cybersecurity measures aren’t on par with your expectations. For this reason, cybercriminals may target your third-party vendors and service providers instead of attacking you directly.
The best way to mitigate these risks is to follow the third-party vendor risk management security best practices described in this article and to deploy a sophisticated monitoring solution. Ekran System offers a rich selection of user activity monitoring, access management, and incident response functionalities to help you effectively manage third-party security risks.