There has been an increasing spotlight on organisations' supply chains and how they manage 3rd parties, and it's no surprise that this has happened. Security Magazine recently reported research showing that “98% of organizations are affiliated with a third party that has experienced a breach. Furthermore, third-party attacks have led to 29% of breaches.”
Security Magazine also noted that the sectors with the highest rates of 3rd party breaches were healthcare and finance.
The recent CrowdStrike incident is a case in point about how a 3rd party can literally bring everything to a halt, and that’s not the only situation that has brought 3rd party risk to the forefront of cyber security.
We know that managing an organisation's ecosystem is no longer a linear task. So many radical changes have propelled the evolution of technology, and with that evolution comes risk, none more prevalent than 3rd parties who have access to the very environment you are trying to protect.
Whilst focused on financial entities, the introduction of the Digital Operational Resilience Act (DORA) shines a greater light on 3rd party risk and on the greater oversight organisations will need to have over who they operate with.
What Are the Key Cyber Security Issues with 3rd Parties?
You have no control over their cyber security: And why would you? They're a separate business entity, and yet they have so much control over and access to your business ecosystem. Organisations have very limited visibility of, and control over, a 3rd party's cyber security measures. So if a 3rd party has weak cyber security practices and access to your environment, that creates easy entry points for attackers.
Access to your data: Your 3rd parties may have access to your organisation's sensitive data. If your 3rd parties experience a breach, then your data could also be exposed.
Inadequate incident response: How 3rd parties react to an incident very much depends on their ability to detect, respond and recover. If they are not monitoring their environment adequately, their delay in detecting an incident could also pose a threat to your business ecosystem.
The 3rd party's insider threats: You have no idea how well trained or aware your 3rd party's teams are. Inadequate training of their teams may mean that cyber attackers who manage to infiltrate your 3rd party can infiltrate your systems too.
Compliance and regulatory risks: Third parties not adhering to the right regulations can expose the primary organisation to legal and financial penalties.
What Are the Steps That Organisations Should Take to Mitigate Any 3rd Party Risk?
Ensure stringent due diligence: Conduct thorough cyber security risk assessments on any 3rd party before entering into a contract. Review their cyber security policies and past cyber security incidents, and insist on continuous monitoring of their cyber security environment throughout the duration of your relationship.
Implement contractual safeguards: Cyber security measures will need to be considered in any contracts with 3rd parties. Include specific cyber security requirements in contracts, such as adherence to certain standards (e.g., ISO 27001, NIST), breach notification timelines and the right to audit.
Least privilege and access: You need to control what access any 3rd party has to your systems and data, ensuring that it is only the access that is strictly necessary, and using role-based access control to enforce it. Coupled with that, you should ensure that this access is reviewed at regular intervals.
Make sure your data is encrypted: Any data shared with 3rd parties should be encrypted in transit and at rest, reducing the risk of exposure if a breach occurs. Mask the data so that your suppliers are handling anonymised data.
Zero trust architecture: After all this you should have enough elements implemented to trust your 3rd party, but as an added layer make sure your zero trust architecture encapsulates them and that continuous verification of access is enforced. This includes network segmentation, multi-factor authentication (MFA) and strict identity and access management.
Regulatory compliance: It is essential you monitor their regulatory compliance. We know there's enough to do to monitor your own, but you must hold them accountable for adhering to whatever regulatory compliance is necessary. If you are a financial entity, then the Digital Operational Resilience Act (DORA) will enforce this, and it is our opinion that other regulations will follow, as well as stipulating continual monitoring as an essential part of maintaining compliance.
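The least privilege, zero trust and periodic review steps above can be turned into a repeatable check. The script below is an added example (not the article's code): it takes an inventory of 3rd party accounts and flags any that hold roles beyond what the vendor's contract requires, lack MFA, have gone unused past the review window, or have outlived their contract. The vendor names, roles, accounts and the `CONTRACT_SCOPE` map are all constructed for illustration.

```python
"""Periodic third-party access review.

Added example, not the article's code. Checks each 3rd party account against
the roles its contract actually requires (least privilege), MFA enrolment
(zero trust / continuous verification), idle time since last login, and
contract expiry. All vendor names, roles and accounts below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical contract scope: the only roles each vendor's contract justifies.
# A vendor absent from this map has no approved scope, so every role is excess.
CONTRACT_SCOPE: Dict[str, Set[str]] = {
    "acme-payroll": {"payroll-read"},
    "cloudbackup-inc": {"backup-operator"},
}

REVIEW_DATE = date(2024, 9, 1)  # fixed date so the review is reproducible


@dataclass
class ThirdPartyAccount:
    user: str
    vendor: str
    roles: Set[str]
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never been used
    contract_end: date


# Constructed sample inventory, as it might be exported from an identity provider.
SAMPLE_ACCOUNTS: List[ThirdPartyAccount] = [
    ThirdPartyAccount("svc-acme-01", "acme-payroll", {"payroll-read"},
                      True, REVIEW_DATE - timedelta(days=3), date(2025, 3, 31)),
    # Holds a role the payroll contract never required.
    ThirdPartyAccount("svc-acme-02", "acme-payroll", {"payroll-read", "domain-admin"},
                      True, REVIEW_DATE - timedelta(days=2), date(2025, 3, 31)),
    # In scope, but no MFA and unused for 45 days.
    ThirdPartyAccount("svc-backup-01", "cloudbackup-inc", {"backup-operator"},
                      False, REVIEW_DATE - timedelta(days=45), date(2024, 12, 31)),
    # Contract ended but the account still exists and was never used.
    ThirdPartyAccount("svc-legacy-01", "legacy-print", {"print-admin"},
                      True, None, date(2024, 8, 22)),
]


def review_account(acct: ThirdPartyAccount, today: date,
                   max_idle_days: int = 30) -> List[str]:
    """Return the findings for one account; an empty list means it passes."""
    findings: List[str] = []

    # Least privilege: any role outside the contracted scope is excess.
    excess = acct.roles - CONTRACT_SCOPE.get(acct.vendor, set())
    if excess:
        findings.append(f"roles beyond contract scope: {sorted(excess)}")

    # Zero trust: every 3rd party identity must be MFA-enrolled.
    if not acct.mfa_enrolled:
        findings.append("MFA not enrolled")

    # Periodic review: dormant access should be removed, not left in place.
    if acct.last_login is None:
        findings.append("never logged in")
    else:
        idle = (today - acct.last_login).days
        if idle > max_idle_days:
            findings.append(f"idle for {idle} days (limit {max_idle_days})")

    # Access must not outlive the contract that justified it.
    if acct.contract_end < today:
        findings.append(f"contract ended {acct.contract_end.isoformat()}")

    return findings


def run_review(accounts: List[ThirdPartyAccount],
               today: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Review every account and map user name -> findings."""
    return {acct.user: review_account(acct, today) for acct in accounts}


def accounts_needing_action(results: Dict[str, List[str]]) -> List[str]:
    """Users whose access should be reduced, re-verified or revoked."""
    return [user for user, findings in results.items() if findings]


if __name__ == "__main__":
    for user, findings in run_review(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
```

The useful design point is that the contract scope, not the identity provider, is the source of truth for which roles are allowed: an account can be perfectly valid in the directory and still fail the review because the business relationship never justified that access. Running a check like this on a schedule gives the "regular reviews" step a concrete output that can be fed into the contractual right-to-audit conversation with the supplier.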
As ever, proactivity is the key with your 3rd parties: eliminate as much risk as possible, including by implementing a cyber security strategy that specifically focuses on their cyber risk. This is not to say that this is not challenging, particularly alongside your own organisational challenges, but 3rd party cyber security must become integral to your overall cyber security strategy.