Third-Party Vulnerabilities Pose a Growing Threat to Organizations
Today, organisations rely on diverse supply chains, but those chains can introduce third-party vulnerabilities into their systems.
Third-party risk is one of the top priorities for organisations across all sectors, said Katherine Kearns, cybersecurity senior manager at PwC UK.
These risks come in many forms, with cybersecurity increasingly becoming a major contributing factor to supply chain disruptions, Kearns said, a trend that is set to continue for the foreseeable future.
“Cybersecurity concerns are particularly acute for companies that are investing in digital transformation to modernise their operations and build new capabilities, for example in the manufacturing and energy sectors,” she said. “While digitisation brings significant growth opportunities, it presents a new spectrum of cybersecurity risks that production facilities have not had to manage before,” she added, noting that digital transformation can boost safety but relies on enhanced connectivity within the operational environment, increasing the attack surface.
Types of Supplier
Four types of suppliers are typically a bigger concern for any organisation, Kearns said. First, there are third parties with access to sensitive data. “If the organisation shares sensitive data (intellectual property, business information, customer data, employee information, health records etc) with a third party, this information is at risk of being exfiltrated from the third party’s systems by adversaries, causing data loss, regulatory penalties and brand damage to the organisation.”
Next is third parties with access to the organisation’s IT and/or OT environments. “Threat actors compromising a network of a third-party service provider or third-party software running on the organisation’s system can gain access to multiple clients’ networks, resulting in network breach, data loss and direct operational disruption,” she said.
Third, Kearns pointed to third parties that have a material business continuity impact. “When an organisation relies on a critical third party for the provision of specific services, products and components, a cyber-attack bringing the third party to a halt may cause a substantial operational disruption, threatening the viability of the organisation.”
Finally, Kearns highlighted the software supply chain. “If a third-party software used as a component of the organisation’s product has a backdoor or is otherwise compromised due to the developer’s poor security practices, product compromise may lead to a significant reputational and financial loss that may be difficult to recover from.”
Larger and more complex supply chains generally represent a wider attack surface, Kearns added. A drive towards cost optimisation has seen organisations around the globe pursue more complex outsourcing strategies and grow their third-party ecosystems. This not only increases concerns over the risks those parties could bring, but also the dangers of unknown fourth or fifth parties.
However, “organisations with small but poorly managed third-party estates are equally at risk. Organisations placing strategic reliance on a small number of critical third parties are at risk of widescale operational disruption if those strategic partners fail to deliver due to a cybersecurity incident, breakdown of their own supply chains, or financial instability.”
Interaction with Suppliers and Partners
Tomer Nuri, CEO at strategic cyber consultancy firm The Cyber Edge, noted that the sector in which an organisation operates can make a big difference to the risk from third parties, with certain sectors imposing regulatory restrictions that govern how an organisation interacts with vendors, suppliers and partners. This is particularly the case in sectors like finance and insurance, he said.
“With companies who aren’t under such strict regulation, it can be a jungle,” he said. “Some of them have no understanding or predefined process for evaluating supply chain vulnerability.”
Nuri said organisations should have an effective supply chain procedure in place, including a document that a new solution provider should sign, depending on the nature of the service they provide. This document should provide information on any of their systems that will touch upon your own company’s digital assets.
There could also be questionnaires on the cyber maturity of the provider, spelling out the controls they have in place, whether they have a CISO, whether an escalation process exists, and so on. These should also list any cybersecurity incidents the company has had in the past.
Finally, if it is feasible, there should be a penetration test of the proposed supplier, and if this is not applicable, perhaps something like a supply chain vulnerability monitoring process, Nuri added.
Kearns highlighted several steps towards third-party security. First, organisations should work to gain visibility of the third-party estate, including the identity of critical third parties and their inherent risk level. Second, there should be continuous third-party monitoring across numerous risk domains, including through real-time data-led risk identification and tech-enabled instant decision-making. And third, they should work with third parties to build resilient processes:
“Planning for and exercising crisis scenarios with critical suppliers not only allows [organisations] to prepare a robust response to an incident but builds a trusted relationship between the organisation and their suppliers and provides a foundation for sharing risk information.”
AJ Thompson, chief commercial officer at IT consultancy Northdoor, said processes to analyse supply chain vulnerabilities should be automated and systemised.
“You've got to be able to standardise the responses into some sort of format … you've got to be able to put a numerical value against all these risks to at least allow you to relate a sensible and comparable data set,” he said.
He said that Northdoor has hundreds of partners, meaning it would be a full-time job for someone to analyse written responses to supply chain questionnaires etc. Instead, the company uses its own software-based tool that enables it to non-intrusively analyse a company’s website to verify the security of their processes.
“I can tell when the servers were last patched, which ports are open, and which SSL certificates are mismatched,” he explained.
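The certificate-mismatch part of the website-level check Thompson describes is simple enough to show in code. The script below is an added illustration and is not Northdoor's tool or any code from the article: it applies the RFC 6125 hostname-matching rules to a certificate in the dict shape Python's `ssl` module returns from `getpeercert()`, producing the kind of standardised, comparable record the article argues for. The hostnames and certificate contents are constructed for the example; the optional live fetch performs a single ordinary TLS handshake against the host being assessed.

```python
"""Added example: flag TLS certificates whose names do not cover the hostname in use.

Illustrative code, not the tool described in the article. It checks a
certificate in the dict shape Python's ssl module returns from getpeercert().
"""
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (hostnames are illustrative, not real suppliers).
SAMPLE_CERT = {
    "subject": ((("commonName", "supplier-portal.example"),),),
    "subjectAltName": (
        ("DNS", "supplier-portal.example"),
        ("DNS", "*.supplier-portal.example"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching, simplified: case-insensitive, and a
    wildcard is honoured only as the whole left-most label, matching exactly
    one label (so *.a.example covers b.a.example but not c.b.a.example or
    a.example)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse wildcards directly under a top-level label (e.g. *.example).
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_dns_names(cert: dict) -> list[str]:
    """Names the certificate asserts. Only subjectAltName dNSName entries
    count; the subject CN is ignored, as current browsers and RFC 6125
    recommend."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_mismatch(cert: dict, hostname: str) -> bool:
    """True when none of the certificate's DNS names cover hostname."""
    return not any(dns_name_matches(n, hostname) for n in certificate_dns_names(cert))


def fetch_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Single TLS handshake to retrieve a live certificate. Chain validation
    stays on (CERT_REQUIRED); only Python's own hostname check is disabled so
    that a mismatch is reported by hostname_mismatch() rather than aborting
    the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(cert: dict, hostname: str) -> dict:
    """Flattened, comparable record for one assessed host."""
    return {
        "hostname": hostname,
        "cert_names": certificate_dns_names(cert),
        "not_after": cert.get("notAfter"),
        "hostname_mismatch": hostname_mismatch(cert, hostname),
    }


if __name__ == "__main__":
    for host in ("supplier-portal.example", "api.supplier-portal.example",
                 "deep.api.supplier-portal.example", "other.example"):
        print(report(SAMPLE_CERT, host))
```

Running the block against the constructed certificate shows the wildcard covering one extra label but not two, and an unrelated hostname flagged as a mismatch; swapping `SAMPLE_CERT` for the result of `fetch_certificate()` turns the same `report()` call into a live check whose output can be scored alongside questionnaire answers.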
Larger organisations could in theory face bigger challenges than their smaller counterparts, said Ilan Kaplan, CSO at Sepio, a solution provider for asset risk management. On the other hand, large organisations usually possess very mature processes, including in some cases a full department dedicated to supply chain risk management. “They have many third-party, multi-tier suppliers to their vast infrastructure,” he said.
Any organisation with third-party suppliers should consider acquiring a platform to manage the risk and develop internal processes when bringing suppliers on board. However, it is also vital to follow up on such assessments, Kaplan added.
“It’s not just at the onboarding event that you need to assess asset risk,” he said. “You need to do an ongoing risk assessment over the life of the services or assets – the snapshot you got of the risk picture yesterday is not relevant for today.”