By Talon Marketing | September 9, 2022
CISOs and CIOs at organizations of all sizes share several common goals. One of the most pivotal may sound simple, yet it can be tough to achieve: reduce enterprise risk. Many factors shape an organization’s overall risk profile, and a growing one is third-party risk, especially as enterprises rely on third parties more than ever to conduct business.
In fact, a recent report by the Ponemon Institute found that 51% of businesses have suffered a data breach caused by a third party. Why is working with third parties so risky, and what makes them so vulnerable?
When these questions are posed to security decision-makers, it’s a lot to consider. On the one hand, it’s difficult to stop threats or even keep track of all the outside vendors with access to an enterprise’s applications or infrastructure. On the other hand, you must reflect on the defenses within your own enterprise and do your best to set up processes to protect against third-party risk.
Let’s dive in…
The Risk of Third Parties
To understand the full risk profile that third-party vendors pose, several security factors must be considered. Following is a quick rundown.
Why are third-party vendors vulnerable?
A simple question calls for a simple yet powerful answer. These vendors are vulnerable because they become part of your first line of defense as soon as they hold information about your business, and the weaknesses inherent in a third party’s own environment give adversaries all they need to initiate an attack.
As with traditional attacks on a network, the attack life cycle begins with the first stages of reconnaissance and exploitation. Once criminals compromise a device, they can move laterally and extract critical data. This means that an attack against one of your third-party vendors can very easily compromise your systems and data as well.
For example, take a look at Zoho’s bug. Zoho ManageEngine ADSelfService Plus is a password management and single sign-on tool for use with Active Directory and cloud accounts.
In September 2021, Zoho released a Security Advisory urging customers to upgrade their software to resolve an authentication bypass vulnerability (CVE-2021-40539). A little over two months later, they released an additional advisory for CVE-2021-44077 indicating that the previously mentioned update also fixed a remote code execution (RCE) vulnerability that was being exploited in the wild.
A few months after the discovery, CISA and the FBI warned about active exploitation by APTs. In February 2022, the Red Cross said the attackers had used an exploit for CVE-2021-40539 to gain an initial foothold inside its network. In summary, the Red Cross used Zoho as a third party to manage its most secret keys, its passwords, and in doing so put its own data and its users’ data at risk.
Another example is the Target data breach, which was one of the biggest security incidents in history. This compromise started with a third-party heating, ventilation and air conditioning (HVAC) contractor that Target was working with to renovate its stores. The only data connection between the two companies was a billing system.
As a result, Target was required to pay an $18.5 million settlement after hackers stole 40 million credit and debit records. Even though this happened in 2013, the lessons we can learn about the risks of working with third parties from this incident are still relevant today.
It is worth noting that many other breaches started from a third-party vendor, like the General Electric breach, Instagram breach, and many more.
How can organizations limit third-party risk?
While there is a multitude of processes and technologies to help address third-party risk, below are some of the basics that you should make sure to have covered.
Third-party risk assessment
Ensure your third-party vendors’ internal controls align with your security and compliance requirements. In most cases, however, vendor risk assessments alone are not sufficient, since there is no real way of knowing whether third parties are actually following your best practices.
Authenticate users and access
To ensure only authorized users are accessing corporate resources, leverage multi-factor authentication (MFA) to make it harder for bad actors to compromise your systems even if third-party credentials are stolen.
Isolate the workspace of your third parties
Isolating the workspace of your third parties with an enterprise browser protects you from compromised endpoints and reduces the attack surface. Enterprise browsers have a comprehensive set of embedded security options to protect your applications and data from malware-infected endpoints, malicious insider activities, and unpatched operating systems.
Prepare for third-party incident response
Prepare to respond fast to a third-party-related incident: analyze the scope of cybersecurity threats and risks, pick the most relevant ones for your company, and from there develop formalized procedures for mitigating those risks.
To ensure timely detection of cybersecurity incidents, use a dedicated solution to configure alerts and notifications for possible suspicious actions and events related to third-party activity. Choose responsible personnel who will get notified in case of a cybersecurity incident related to third parties, and make sure to add their names and contact information to your cybersecurity policy.
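As an added illustration of the alerting step above (example code written for this post, not Talon’s product or any vendor’s tooling), the script below triages a constructed batch of JSON access-log events for third-party accounts. It assumes, as my own convention, that vendor accounts carry a `vendor` attribute, that each vendor has a policy listing its allowed resources, contracted hours (UTC) and an incident contact, and it raises a routed alert when a vendor account logs in without MFA, touches a resource outside its contract, works off-hours, is not on the vendor list, or when a log line cannot be parsed (a garbled or tampered log is itself worth a look).

```python
"""Triage third-party access events and route alerts to a named owner.

Added example for this post; the event schema, vendor policies and log lines
are all constructed here, not taken from any real system.
"""
import json
from datetime import datetime, timezone

# Fallback owner for anything that cannot be tied to a known vendor policy.
DEFAULT_CONTACT = "it-security-oncall@example.com"

# Constructed vendor policies: who may touch what, when, and who gets paged.
VENDOR_POLICIES = {
    "hvac-contractor": {
        "allowed_resources": {"billing-portal"},
        "hours_utc": (8, 18),  # contracted window: start inclusive, end exclusive
        "contact": "vendor-access-owner@example.com",
    },
    "password-tool-vendor": {
        "allowed_resources": {"idm-admin-console"},
        "hours_utc": (0, 24),  # 24x7 support contract
        "contact": "iam-team@example.com",
    },
}

# Constructed sample log (one JSON event per line, plus one deliberately bad line).
SAMPLE_LOG = """
{"ts": "2022-09-09T10:15:00Z", "user": "svc-hvac", "vendor": "hvac-contractor", "mfa": true, "resource": "billing-portal", "src_ip": "203.0.113.10"}
{"ts": "2022-09-09T02:40:00Z", "user": "svc-hvac", "vendor": "hvac-contractor", "mfa": true, "resource": "billing-portal", "src_ip": "203.0.113.10"}
{"ts": "2022-09-09T11:05:00Z", "user": "svc-hvac", "vendor": "hvac-contractor", "mfa": false, "resource": "pos-network", "src_ip": "198.51.100.7"}
{"ts": "2022-09-09T12:00:00Z", "user": "alice", "mfa": true, "resource": "billing-portal", "src_ip": "10.0.0.5"}
{"ts": "2022-09-09T23:30:00Z", "user": "svc-idm", "vendor": "password-tool-vendor", "mfa": true, "resource": "idm-admin-console", "src_ip": "192.0.2.44"}
{"ts": "2022-09-09T13:00:00Z", "user": "svc-temp", "vendor": "unlisted-vendor", "mfa": true, "resource": "billing-portal", "src_ip": "192.0.2.99"}
this line is not valid json
"""


def _hour_utc(ts: str) -> int:
    """Hour of day in UTC for an ISO-8601 timestamp (accepts a trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour


def check_event(event: dict, policies: dict) -> list:
    """Return the names of the rules a vendor event violates ([] if clean).

    Events without a 'vendor' attribute belong to internal users and are not
    this triage's concern, so they yield no findings.
    """
    vendor = event.get("vendor")
    if vendor is None:
        return []
    policy = policies.get(vendor)
    if policy is None:
        return ["unknown_vendor"]  # an account claiming a vendor we have no contract record for
    findings = []
    if not event.get("mfa", False):
        findings.append("no_mfa")
    if event.get("resource") not in policy["allowed_resources"]:
        findings.append("out_of_scope")
    ts = event.get("ts")
    if ts is None:
        findings.append("missing_timestamp")
    else:
        start, end = policy["hours_utc"]
        if not start <= _hour_utc(ts) < end:
            findings.append("off_hours")
    return findings


def triage(log_text: str, policies: dict = VENDOR_POLICIES) -> list:
    """Parse newline-delimited JSON events and return a list of routed alerts."""
    alerts = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"line": lineno, "rule": "unparseable_event", "contact": DEFAULT_CONTACT})
            continue
        contact = policies.get(event.get("vendor"), {}).get("contact", DEFAULT_CONTACT)
        for rule in check_event(event, policies):
            alerts.append({
                "line": lineno,
                "ts": event.get("ts"),
                "user": event.get("user"),
                "vendor": event.get("vendor"),
                "rule": rule,
                "contact": contact,
            })
    return alerts


def alerts_by_contact(alerts: list) -> dict:
    """Group alerts by the person who must be notified, per the policy."""
    routed = {}
    for alert in alerts:
        routed.setdefault(alert["contact"], []).append(alert)
    return routed


if __name__ == "__main__":
    for owner, owned in alerts_by_contact(triage(SAMPLE_LOG)).items():
        print(f"{owner}: {len(owned)} alert(s)")
        for alert in owned:
            print("  ", alert)
```

In practice the `VENDOR_POLICIES` table is the artifact worth maintaining: it is the machine-readable form of the contact list the paragraph above says to keep in your policy, and the allowlist is what turns "a vendor logged in" into "a vendor did something it was never contracted to do."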
To learn more, read our eBook on “Five Best Practices for Securing Third-Party Access and Employee-Owned Devices.”