Avoiding the Domino Effects of Third-Party Risk

As cyber threats become more sophisticated, CISOs face mounting pressure to maintain end-to-end visibility across both enterprise systems and external vulnerabilities. With businesses expanding their digital footprints, risks now extend beyond internal environments to include third-party vendors and partners. As a result, breaches often occur indirectly, causing collateral damage through third parties rather than originating from direct attacks.

In today's age of integrated data, no company is an island, and few can avoid partnering with third parties, as cloud computing has achieved dominance in the digital infrastructure and vendors have moved towards online updates for their systems. In doing so, companies incur additional cyber risk if they are not careful. 

The state of third-party breaches

According to Gartner, third-party breaches cost 40% more to remediate than internal cybersecurity breaches. Breaches can damage the bottom line and company brand. Splunk’s report, The Hidden Costs of Downtime, shows that downtime from an outage or breach costs the Global 2000 $49 million in lost revenue and $14 million in brand trust campaigns yearly. Third-party breaches tend to incur additional regulatory fines and expenses to notify customers, not to mention their customers’ customers.

APTs (advanced persistent threat actors) are ramping up their attacks, targeting vulnerable back-door vendor connections with devastating precision. Recently, a ransomware attack on a single healthcare provider unleashed chaos, compromising sensitive data entrusted by countless patients, physicians, and hospitals. The fallout was catastrophic: system crashes, disrupted care, and billions in damages for vendor customers. This single breach became a full-blown crisis, exposing the far-reaching impact of third-party vulnerabilities.

So, what should organizations do to minimize this kind of risk?

Leading the way with people, processes, and technology

An organization should think through its people, processes, and technology to mitigate the risks of a third-party breach. When an organization adopts a vendor, the latter can gain access to the client’s systems without the knowledge of the security organization or information assurance managers (IAMs). Organizations often rush to onboard vendors without involving the security function — the very team needed to protect against the risks that come with it. This oversight leaves systems vulnerable and exposed. Security must be integrated into the process, ensuring robust checks and balances for third-party access. These safeguards can be broken down into a few critical categories:

• People: Education is key for our end users and our downstream and upstream personnel so they understand the risks involved. 
• Process: Include the cybersecurity organization in the third-party adoption process to help determine the risks involved and define and monitor the vendor's level of access. 
• Technology: Configure infrastructure so that the proper teams are automatically alerted when a third party gains access. End-to-end visibility, targeted automation plays, and integrated threat intelligence are key areas of investment for a defense-in-depth methodology.

You’re only as secure as your SLA 

When organizations onboard a vendor, IT teams manage governance and grant access to necessary systems. But without security in the loop, vendors can end up with more access to internal assets, data, and applications than intended. This is why security and technology leaders should collaborate to set explicit service-level agreements (SLAs) for all third-party vendors and regularly review the agreement to ensure it’s upheld as both parties evolve over time.

1. Loop in cybersecurity when creating SLAs: Give the cybersecurity team a seat at the table when crafting the SLA for a third party, so it can apply zero trust and ensure only the minimum necessary amount of access is granted. The SLA also helps cyber defense teams detect and respond faster when incidents happen. They’ll already know the types of trusts and understand the risk of the data and domains involved, as well as the parties responsible for the trust on both sides.
2. Review SLAs regularly: After creating an SLA, review it annually. Organizations' ecosystems tend to transform almost continuously. When teams conduct an annual review of the SLA, they address those evolving ecosystems, new threats, and emerging technologies as new trusts are created between the third party and client organization. This good cyber hygiene strategy makes organizations more proactive against third-party risks.

Third-party trusts are not bad; as a whole, organizations have relied on them to innovate and succeed. But they must responsibly and proactively manage the accompanying cybersecurity risks. By having end-to-end visibility across their ecosystems and managing risk across their people, processes, and technology, organizations can achieve a sustainable cyber strategy that is proactive not reactive as more third-party partnerships continue to evolve.  

Subscribe to the Perspectives newsletter to get more insights and expert analysis of today’s cybersecurity landscape.