To date, some of the most dramatic cybersecurity breaches have occurred due to vulnerabilities from third-party vendors and providers, with threat actors gaining access to sensitive data. In this year alone AT&T, Cornerstone Home Lending, and Nissan are just a few companies that have been attacked via third-party threat vectors.
However, many organizations are still unprepared to meet this challenge. In fact, Cyber Security Dive reported in February that 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years. We spoke with Nathan Little, senior vice president of digital forensics and incident response at Arctic Wolf about why and how organizations should be assessing the cybersecurity posture of third-party providers.
What are some common types of third-party providers that organizations might need to consider for cybersecurity reasons?
Modern cyberattacks and big breaches often impact individual records, leaving personal email addresses, telephone numbers, credit card numbers, and more available to the highest bidder on the dark web. This same logic applies at scale for business as well. When it comes to cybersecurity, organizations need to be aware of all of the various third-party providers that they work with, as these providers can introduce major risks to their systems and [make] data [vulnerable] to threat actors. Some common types of third-party providers that organizations need to monitor for cybersecurity reasons include:
- Cloud service providers: Many organizations rely on cloud service providers to store data and run their applications. These providers must be carefully vetted to ensure that their security measures align with the organization’s requirements and that their service level agreements (SLAs) provide adequate protection.
- Payment processors: Organizations that handle payment information such as credit card data or bank account information must work with payment processors to securely process transactions. These processors must be PCI DSS compliant and should implement strong security controls to protect against fraud and data breaches.
- Software vendors: Organizations often use third-party software to perform various business functions. These software vendors must be vetted to ensure that their products do not introduce vulnerabilities or security weaknesses into the organization’s systems.
- IT service providers: Organizations often rely on third-party IT service providers to manage their infrastructure, provide technical support, or perform other IT-related functions. These providers must be carefully vetted to ensure that they have strong security controls in place and that they are properly trained in cybersecurity best practices.
- Marketing and advertising vendors: Many organizations work with marketing and advertising vendors to reach their target audience. These vendors may collect and use data on behalf of the organization, so it’s essential to ensure that they have strong data privacy and security practices in place.
These are just a few examples of the types of third-party providers that organizations need to consider when it comes to cybersecurity.
Are there common threads in terms of the risks involved in contracting with different provider types?
Based on our Arctic Wolf Incident Response data, we’re finding that modern threat actors are still relying on vulnerabilities that they know how to exploit against externally facing open ports on networks. 72% of our investigations stem from external exposure — meaning an organization simply didn’t patch a vulnerability nor lock down a system that was exposed to the public internet in time before a threat actor found it. Since major vulnerabilities like Microsoft Exchange and even Log4j are still so prevalent in our casework, we encourage open communication with any third-party vendors regarding their patching practices, or how they sustainably protect their external exposure.
Are companies usually aware of these risks you mentioned?
While most companies are aware of the potential risks associated with working with third-party providers, they may not always be fully aware of the extent of these risks or the steps that they need to take to mitigate them. Many companies assume that their third-party providers have adequate security measures in place, but this is not always the case. Additionally, companies may not be aware of the full scope of their third-party relationships, especially if they work with multiple providers across different departments or business functions. This can make it challenging to maintain oversight of all third-party providers and ensure that they are all properly vetted and managed. As a result, it’s essential for companies to conduct regular risk assessments and due diligence on their third-party providers, monitor their security practices, and establish clear policies and procedures for working with third-party providers. This can help ensure that companies are aware of the potential risks and are taking appropriate steps to mitigate them.
What are some best practices for vetting and managing vendors in regard to managing external cyber risks?
There are several best practices that organizations can follow to effectively vet and manage their vendors to manage external cyber risks:
- Conduct a risk assessment: Before engaging with a new vendor, organizations should conduct a thorough risk assessment to identify potential cyber risks associated with that vendor. This assessment should consider factors such as the vendor’s security policies and practices, their track record with previous clients, and the type of data and systems they can access.
- Establish clear policies and procedures: Organizations should establish clear policies and procedures for working with third-party vendors; including requirements for security controls, data protection, and incident response (IR). These policies should be communicated clearly to all relevant parties and enforced consistently. These policies and procedures also play a major role in an effective IR Plan so organizations can stay prepared and help streamline any potential IR services they may require in the future should disaster strike.
- Conduct due diligence: Before engaging with a vendor, organizations should conduct due diligence to verify the vendor’s credentials and ensure that they have adequate security measures in place. This may include reviewing their security policies and procedures, conducting background checks, and conducting on-site inspections. This goes both ways, since organizations that have a better understanding of their network infrastructure also fare far better when faced with a cyberattack according to our Incident Response experience at Arctic Wolf. Knowing what kind of data you’re storing, where, and how you’re sharing it applies here too.
- Monitor vendor performance: Organizations should monitor their vendors’ performance regularly to ensure that they are meeting their security obligations and complying with contractual requirements. This may involve conducting periodic audits, reviewing security reports, and conducting ongoing security assessments.
- Establish clear communication channels: Organizations should establish clear communication channels with their vendors to ensure that any security issues or incidents are promptly reported and addressed. This may include establishing a clear incident response plan and providing training to vendors on how to identify and respond to security incidents.
By following these best practices, organizations can effectively manage external cyber risks and minimize the potential impact of security incidents involving third-party vendors.
To learn more about Arctic Wolf, visit their website.
To learn more about Mark Greisiger, visit this page.