Back to Blog

Third-Party Risk and Mitigation Strategies    

By Talon Marketing | September 9, 2022

CISOs and CIOs at organizations of all sizes have several common goals – one of the most pivotal may sound simple, yet it can be tough to achieve: reduce enterprise risk. Many factors impact an organization’s overall risk profile, but a growing one is reducing third-party risk, especially as enterprises leverage third parties more than ever to conduct business. 

In fact, a recent report by the Ponemon Institute found that 51% of businesses have suffered a data breach caused by a third party. Why is working with third parties so risky, and what makes them so vulnerable?  

When these questions are posed to security decision-makers, it’s a lot to consider. On the one hand, it’s difficult to stop threats or even keep track of all the outside vendors with access to an enterprise’s applications or infrastructure. On the other hand, you must reflect on the defenses within your own enterprise and do your best to set up processes to protect against third-party risk. 

Let’s dive in… 

The Risk of Third Parties

To understand the full risk profile that third-party vendors pose, several security factors must be considered. Following is a quick rundown. 

• Network Security Policies: In most cases, an organization’s security policy does not extend to third-party vendors. Just because your employees are educated in best practices and work only in secure workspaces does not mean contractors will do the same. For example, your employees may understand not to click on suspicious URLs, and when they do, your protection measures may block it. However, you can’t be sure that a third party’s employees are as careful as your own. 
• Insiders: Insider threat is always a risk with third parties. You have little to no control over whom they hire, and they could recruit an individual that has the motivation to steal your data. Plus, there’s always the risk of unintentional insider threats, much more common than malicious internal actors, leading to data breaches and compromise. 
• Unmanaged devices: Unmanaged devices are one of the most pervasive threats to enterprise security today. According to Microsoft, users are 71% more likely to be infected when using an unmanaged device. The devices they use are not managed by your organization and may be personal devices, making them unmanaged and a potential risk.
• Data safety: Your organization may have an incredible solution for data loss prevention (DLP), but it only protects data stored in your organization. What about the data you have shared with third parties? How can you ensure they will protect it with the same level of security? Without in-depth knowledge of each vendor’s security stack, you have little to no idea of the solutions that are being used to protect your data. 

Why are third-party vendors vulnerable?

A simple question calls for a simple yet powerful answer. These vendors are vulnerable because they become the first line of defense as soon as they possess information about your business. The inherent risks of third parties provide adversaries with all they need to initiate an attack.  

As with traditional attacks on a network, the attack life cycle begins with the first stages of reconnaissance and exploitation. Once criminals compromise a device, they can move laterally and extract critical data. This means that an attack against one of your third-party vendors can very easily compromise your systems and data as well. 

For example, take a look at Zoho’s bug. Zoho ManageEngine ADSelfService Plus is a password management system and single sign-on tool for use with active directories and cloud accounts.  

In September 2021, Zoho released a Security Advisory urging customers to upgrade their software to resolve an authentication bypass vulnerability (CVE-2021-40539). A little over two months later, they released an additional advisory for CVE-2021-44077 indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that was being exploited in the wild.  

A few months after the discovery, CISA and the FBI warned about active exploitation by APTs. In February 2022, Red Cross said the hackers used an exploit for CVE-2021-40539 to gain an initial foothold inside their network. In summary, Red Cross used Zoho as a third party to manage their most secret keys – their passwords – and risked their data and users’ data. 

Another example is the Target data breach, which was one of the biggest security incidents in history. This compromise started with a third-party heating, ventilation and air conditioning (HVAC) contractor that Target was working with to renovate its stores. The only data connection between the two companies was a billing system.  

As a result, Target was required to pay an $18.5 million settlement after hackers stole 40 million credit and debit records. Even though this happened in 2013, the lessons we can learn about the risks of working with third parties from this incident are still relevant today. 

It is worth noting that many other breaches started from a third-party vendor, like the General Electric breach, Instagram breach, and many more. 

How can organizations limit third-party risk?  

While there is a multitude of processes and technologies to help address third-party risk, below are some of the basics that you should make sure to have covered. 

Third-party risk assessment 

Ensure your third-party vendors’ internal controls align with your security and compliance requirements. However, in most cases, vendor risk assessments are not sufficient since there is no real way of knowing whether third parties are following your best practices or not.

Authenticate users and access  

To ensure only authorized users are accessing corporate resources, leverage multi-factor authentication (MFA) to make it harder for bad actors to compromise your systems even if third-party credentials are stolen. 

Isolate the workspace of your third parties 

Isolating the workspace of your third parties with an enterprise browser protects you from compromised endpoints and reduces the attack surface. Enterprise browsers have a comprehensive set of embedded security options to protect your applications and data from malware-infected endpoints, malicious insider activities, and unpatched operating systems. 

Prepare for third-party incident response 

Be sure to respond fast to a third-party related incident, and analyze the scope of cybersecurity threats and risks to pick the most relevant ones for your company. From there, you can develop formalized procedures for mitigating those risks. 

To ensure timely detection of cybersecurity incidents, use a dedicated solution to configure alerts and notifications for possible suspicious actions and events related to third-party activity. Choose responsible personnel who will get notified in case of a cybersecurity incident related to third parties, and make sure to add their names and contact information to your cybersecurity policy. 

To learn more, read our eBook on “Five Best Practices for Securing Third-Party Access and Employee-Owned Devices.” 

---

---