Breaches caused by third-party vendors reached an all-time high in 2018. This has driven organizations to take a much closer look at supplier and contractor security controls, as well as risk exposure throughout the delivery supply chain.
According to a survey conducted last year by the Ponemon Institute, the average organization has 583 third-party vendors with access to sensitive data within its network. This level of interconnection resulted in 59 percent of organizations having experienced a breach caused by one of their vendors. Another 22 percent admitted that they could not say for sure whether such a breach had occurred. Despite increased efforts to protect their own networks, organizations leave too many unintended pathways open for attackers to exploit.
The Rise of Third-Party Attacks
Cybercriminals are crafty. They understand that while many companies have taken steps to better secure data within their own networks by bolstering their cybersecurity teams and adding new tools to their security stack, the same is not necessarily true of their vendors. Many attackers actively seek ways to circumvent these added corporate security measures by attacking the target through outside parties. Anyone with physical or virtual access to IT systems, software code, company credentials, customer data, or other sensitive information presents a risk. To a potential intruder, each such party is a new opportunity to exploit, and often the path of least resistance.
Relatively few organizations truly understand the degree of risk they are exposed to. The same Ponemon survey revealed that just 34 percent of organizations keep a comprehensive inventory of their vendors. Only 37 percent believe they have the resources necessary to manage those outside relationships effectively, and only 35 percent rate their third-party risk management capabilities as "highly effective." Fewer than half felt their safeguards were even capable of preventing a vendor-driven breach.
This is a complex situation: the access a vendor needs to do its job has to be balanced against the security exposure that access creates. Too often these decisions are made under a well-intended security framework, but without the checks and balances to continually assess compliance and the reliability of controls. Too few organizations have set minimum compliance requirements for vendors, and even fewer have the infrastructure in place to monitor whether those standards are being met and whether the controls are working as intended.
Addressing Third-Party Threats
There are simple, foundational steps that organizations can take to reduce the threat posed by third parties and secure their supply chain.
The first involves properly vetting the vendors an organization plans to work with and setting security standards for them. For many companies, this will start with improving their partner management tracking, policies, and contracts. A practical starting point is to catalog which vendors the organization is working with, what their roles are, and what information and systems they have access to, and then to compare that catalog against the access those vendors actually hold. With just 37 percent of organizations reporting that they can manage those relationships effectively, the policies put in place must also be ones that can be maintained with available resources.
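As an added example that is not part of the original article, the script below shows what maintaining such a catalog looks like in practice: it reconciles a vendor inventory (role, permitted data classes, contract end, date of last security assessment) against an export of the access that external accounts actually hold, and flags the gaps the survey numbers describe. The inventory rows, account names, vendor names and field names are all constructed for illustration; a real deployment would pull the inventory from a contract or vendor-management system and the access grants from an identity provider or CMDB.

```python
"""Reconcile a vendor inventory against actual access grants.

Added example, not code from the original article. The inventory rows, the
access-grant records and the field names below are constructed sample data
(assumptions, not any particular product's schema).
"""
import csv
import io
from datetime import date

# Constructed vendor inventory: what the business believes each vendor does
# and which data classes its contract permits it to touch.
VENDOR_INVENTORY_CSV = """\
vendor,role,permitted_data,contract_end,last_assessment
Acme Payroll,payroll processing,hr;pii,2025-12-31,2024-06-01
Blue Cleaning Co,facilities,none,2025-06-30,2023-01-15
Dataflow Analytics,reporting,pii,2023-11-30,2023-05-20
"""

# Constructed access-grant export: which external accounts actually hold
# access to which data classes (as an IdP or CMDB export might list them).
ACCESS_GRANTS = [
    {"account": "svc-acme@acme-payroll.example", "vendor": "Acme Payroll", "data": "hr"},
    {"account": "svc-acme@acme-payroll.example", "vendor": "Acme Payroll", "data": "pii"},
    {"account": "svc-acme@acme-payroll.example", "vendor": "Acme Payroll", "data": "finance"},
    {"account": "contractor1@dataflow.example", "vendor": "Dataflow Analytics", "data": "pii"},
    {"account": "bob@plantcare.example", "vendor": "Plant Care Services", "data": "pii"},
]

# Assumed policy: a vendor assessment older than this is considered stale.
ASSESSMENT_MAX_AGE_DAYS = 365


def load_inventory(text):
    """Parse the CSV inventory into {vendor: record}, permitted_data as a set."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        permitted = {d for d in row["permitted_data"].split(";") if d and d != "none"}
        inventory[row["vendor"]] = {
            "role": row["role"],
            "permitted_data": permitted,
            "contract_end": date.fromisoformat(row["contract_end"]),
            "last_assessment": date.fromisoformat(row["last_assessment"]),
        }
    return inventory


def reconcile(inventory, grants, today):
    """Return a list of (vendor, finding, detail) tuples.

    Findings:
      unknown_vendor   - access exists for a vendor missing from the inventory
      excess_access    - a vendor holds data classes its contract does not permit
      expired_contract - access persists after the contract end date
      stale_assessment - no security assessment within ASSESSMENT_MAX_AGE_DAYS
    """
    findings = []
    # Group actual access by vendor so each finding is reported once per vendor.
    actual = {}
    for g in grants:
        actual.setdefault(g["vendor"], set()).add(g["data"])

    for vendor, data in sorted(actual.items()):
        rec = inventory.get(vendor)
        if rec is None:
            findings.append((vendor, "unknown_vendor", sorted(data)))
            continue
        excess = data - rec["permitted_data"]
        if excess:
            findings.append((vendor, "excess_access", sorted(excess)))
        if rec["contract_end"] < today:
            findings.append((vendor, "expired_contract", rec["contract_end"].isoformat()))

    for vendor, rec in sorted(inventory.items()):
        age = (today - rec["last_assessment"]).days
        if age > ASSESSMENT_MAX_AGE_DAYS:
            findings.append((vendor, "stale_assessment", f"{age} days"))
    return findings


def run_report(today=date(2024, 9, 1)):
    """Load the sample data and return the findings (fixed date keeps output stable)."""
    return reconcile(load_inventory(VENDOR_INVENTORY_CSV), ACCESS_GRANTS, today)


if __name__ == "__main__":
    for vendor, finding, detail in run_report():
        print(f"{finding:17} {vendor}: {detail}")
```

On the sample data the report flags a vendor holding a data class outside its contract, a vendor whose access outlived its contract, a vendor that has access but was never inventoried (the situation the "34 percent keep a comprehensive inventory" figure implies for most organizations), and two vendors whose assessments are older than a year. Running this kind of reconciliation on a schedule is the "infrastructure to monitor whether standards are being met" that the article says most organizations lack, and it costs far less than a manual review.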
These threats can come in both expected and unexpected forms. One may not expect the delivery person, the cleaner, or a plant-watering service to be a likely threat. But what if they installed an access point behind a filing cabinet, collected passwords that were written down, or had their own organization spoofed by a phishing campaign that extracted confidential details? What if they simply shared their access with someone else without thinking through the consequences?