Cooperation is the key to success. Working with third parties helps businesses increase their productivity and efficiency, produce better products and services, employ highly qualified experts, and cut costs. But all these benefits come at the price of increased cybersecurity risks.
Minor flaws in your third-party vendor’s security and privacy routines may turn into cybersecurity weaknesses for your company. In this article, we analyze the particular cybersecurity risks related to third parties and how you can mitigate them.
Third-party-related attacks are on the rise
Cybercriminals always look for your weak spots.
Third parties may not take their network security as seriously as you want them to. Knowing this, hackers may choose not to attack your company directly. Instead, they may look for an easier target among your third-party vendors. A compromised subcontractor can easily be turned into an entry point for cybercriminals. This is how a supply chain attack works.
Meanwhile, the number of third parties organizations work with as well as the amount of sensitive data disclosed to them is increasing every year. The same goes for data breaches caused by third parties. From 2017 to 2019, the number of data breaches caused by third-party vendors increased by 35%. The results of annual studies by the Ponemon Institute from 2016 to 2018 also show a disturbing dynamic:
Here are only a few recent examples of cybersecurity incidents involving third parties:
- Magecart attacks — Since 2015, a group of cyber criminals called Magecart has executed several attacks on major retailers all over the globe. The group is believed to be responsible for the recent attacks on Ticketmaster, British Airways, Newegg, Feedify, and Magento 1 stores. Magecart hackers usually infect third-party web services used by their victims to steal valuable information, particularly credit card data.
- Atrium Health data breach — In 2018, Atrium Health suffered a data breach that resulted in the exposure of personal information of over 2.65 million patients. The breach was caused by a compromise of servers used by Atrium Health’s billing vendor, AccuDoc Solutions.
- Amazon data leak — In 2020, Amazon, eBay, Shopify, and PayPal fell victim to a massive data leak. A third-party database with approximately eight million UK online shopping transactions was published online. Noticeably, this is not the first time Amazon has suffered from third-party-originated incidents. In 2017, attackers hacked several third-party vendors working with Amazon and used their credentials to post fake deals.
- General Electric (GE) data breach — In 2020, GE reported a data breach caused by their service provider Canon Business Process Services. A compromised email account led to the public exposure of personally identifiable information of GE’s beneficiaries and employees, both current and former.
Depending on the nature of third-party vendor compromise, an organization may face different risks. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.
What are the risks?
A compromise of your subcontractor may affect you too.
The financial and technical capabilities of small service providers and subcontractors don’t always match the capabilities of their clients. Therefore, while aiming for a bigger win, cybercriminals may start small and look for an easy target within your supply chain.
A compromised third-party vendor may lead to multiple risks that can be split into four major categories:
- Cybersecurity risks — Subcontractors usually have legitimate access to different environments, systems, and data of their clients. Attackers may use a third-party vendor as an entry point to try to get a hold of your valuable assets.
- Operational risks — Cybercriminals may target your internal systems and the services you use instead of just your data. This can lead to partial interruptions of your operations or even halt them altogether.
- Compliance risks — International, local, and industry-specific standards and regulations set strict cybersecurity criteria that organizations should meet. Furthermore, third parties working with these organizations also have to comply with these requirements. Non-compliance usually leads to substantial fines and reputational damage.
- Reputational risks — Having your valuable data and systems compromised serves as a red flag for your partners and customers, both current and future. Regaining their trust will take a lot of time and effort. And unfortunately, there’s no guarantee that you’ll be able to successfully recover your reputation after a severe cybersecurity incident.
What’s the root cause of all these risks?
The reason why many organizations struggle so much when it comes to securing their work with third parties is the lack of two things: visibility and control.
Companies often don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a third-party vendor uses a shared account to access your corporate network, you won’t be able to determine which of their specialists has made a particular change in the system.
Also, organizations often have limited control over their third parties. Yet it’s the organization’s responsibility to make sure their supply chain vendors meet all necessary cybersecurity requirements. According to the Health Insurance Portability and Accountability Act (HIPAA), even when a data breach happens on a third-party vendor’s side, the healthcare provider is held responsible for not ensuring the safety of their patients’ data.
Understanding the particular threats
Let’s get more specific.
In order to make your cooperation with subcontractors more secure, you need to understand what threats they can pose to your company’s cybersecurity. Let’s focus on four common types of threats:
- Privilege misuse — Third-party vendors may violate access privileges you grant them in various ways and for various reasons. Your subcontractor’s employees may willingly pass their credentials to others. Or, if access permissions in your network aren’t configured properly, a third-party vendor may get access to data that’s not supposed to be shared with them.
Ensuring a high level of access control is especially important if your third parties have access to your company’s privileged accounts, critical assets, and sensitive information.
- Human errors — Inadvertent mistakes by your subcontractor’s employees can cause just as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, inputting the wrong data, and misconfiguring systems and solutions. While being unintentional, these mistakes can still lead to data leaks, service outages, and significant revenue losses.
- Data theft — Alongside unintentional data damage, there’s a high risk of targeted data theft by third parties. Without a proper third-party vendor management policy in place, there’s a risk of third-party employees stealing valuable business information and using it to their advantage.
- Fourth-party risks — Fourth parties or second-tier third parties are subcontractors of your subcontractors. Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices isn’t enough. You also need to understand how they manage their own supply chains.
Luckily, you can effectively manage all these risks and threats by following a set of third-party vendor risk management best practices that will significantly improve your company’s cybersecurity resistance.
Third-party vendor risk management: 7 best practices
Analyze and control risks stemming from your subcontractors.
A systematic approach can help you mitigate potential cybersecurity threats and manage risks coming from your third parties. Third-party risk management (TPRM) is an example of such an approach.
In a nutshell, TPRM is the process of determining, analyzing, and managing third-party risks. This process can cover different aspects of your company’s operations: work with sensitive data and intellectual property, access management, financial operations, and so on.
There are several international standards and commonly used frameworks that can serve as a basis for outlining your third-party risk management strategy. The following resources will prove particularly helpful:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publication 800-53
- ISO/IEC 27000:2018
- ISO/IEC 27001
- ISO/IEC 27002:2013
By analyzing the recommendations in these resources, we can summarize seven third-party security risk management best practices:
- Make an inventory
Start by making an inventory of all your third-party vendors and service providers. Next, classify them according to the level of their impact on your organization: low, medium, or high. The more critical data is exposed to a particular vendor, the higher that vendor’s possible impact on your organization.
Pay the most attention to vendors who have a high impact on your organization’s operations and cybersecurity, as their compromise will affect you the most. Also, consider developing a framework for categorizing vendor impact and use it when starting to work with new subcontractors.
- Delineate responsibilities
Use service-level agreements (SLAs) to determine who’s responsible for what in your cooperation with a third party. You need to take everything into account: what kinds of sensitive information your third-party vendor can access and store, what security precautions they should take to protect that data, what compliance requirements they must follow, how often they should perform audits, and so on. Think of every detail relevant to your business and make sure to mention it in your SLA.
- Establish cybersecurity policies
Set clear cybersecurity rules for both your third-party vendors and your employees cooperating with them. Develop an internal policy that clarifies responsibilities of each party and outlines standard actions for different procedures and cases. And make sure to familiarize both your employees and your subcontractors with these rules.
- Limit access
Consider deploying a privileged access management solution to make sure that only legitimate users can access your company’s sensitive information. Secure your critical assets with two-factor authentication (2FA) to make it harder to compromise your network even if someone’s credentials are stolen. One-time passwords and manual access approval also can help you prevent attackers from entering your network.
- Enable continuous user activity monitoring
Continuous monitoring of user activity is a common requirement of many IT regulations, laws, and standards. By monitoring a third-party vendor’s activity within your network, you can see who does what with your critical assets and when they do it.
Look for a solution that can monitor and record user sessions in a comprehensive format suitable for further auditing of your third-party vendors’ activity. Reports based on the results of vendor monitoring will be helpful in passing external audits, evaluating your cybersecurity during internal audits, and investigating cybersecurity incidents.
- Plan for third-party incident response
Prepare for responding to a subcontractor-related incident before it happens. Analyze the scope of cybersecurity threats and risks to pick those that are relevant to your company. Then develop formalized procedures for mitigating those risks.
To ensure timely detection of cybersecurity incidents, use a dedicated solution to configure alerts and notifications for possible suspicious actions and events related to your subcontractor’s activity. Choose responsible personnel who will get notified in case of a cybersecurity incident related to third parties and make sure to add their names and contact information to your cybersecurity policy.
- Perform regular audits
Perform regular audits and evaluations of your third-party vendors. Use reports from your user activity monitoring solution and incident response system to analyze the way your vendors treat your critical systems and sensitive data.
Additionally, perform regular assessments using vendor risk management questionnaires. You can compose such questionnaires yourself or use templates that match your company’s requirements. Having vendors fill out questionnaires will help you evaluate your vendors’ cybersecurity approaches and identify potential weaknesses in them.
Monitor your third-party vendors with Ekran System
While there are a variety of tools that promise to help security officers mitigate subcontractor-related risks, Ekran System has several advantages. Particularly, Ekran System enables you to:
- monitor the activity of your third-party vendors and service providers along with other users
- collect records of user sessions in a searchable video format
- manage access granularly, using role-based access permissions, one-time passwords, 2FA, and manual access approval
- detect suspicious activities and respond to them in real time
- generate detailed reports based on a wide selection of criteria
Ekran System gives you full visibility into the actions of every user in your network. The Ekran System platform is stable, easy to manage, and customizable, and it can be easily integrated with your current SIEM and ticketing systems.
Third-party vendors have legitimate access to clients’ critical systems and sensitive data. Yet many subcontractors can’t match the level of cybersecurity measures and precautions implemented by large enterprises. This is why cybercriminals often focus on third-party vendors and service providers instead of directly attacking their real targets.
A cyberattack on a third-party vendor creates cybersecurity, operational, compliance, and reputational risks for all organizations the vendor works with. Dealing with these risks can also result in substantial financial losses.
The best way to mitigate these risks is by deploying a sophisticated monitoring solution and following third-party vendor risk management security best practices. Ekran System is the solution for compliance with ISO/IEC 27001, NIST 800-53, and other security requirements. Our platform can help organizations manage third-party vendor risks and implement most of the practices that are critical for this process. The platform provides a rich selection of user activity monitoring, access management, and incident response functionalities.
Start your 30-day trial to evaluate Ekran System’s capabilities.