Third-party cybersecurity risk has become a serious challenge for organizations in recent years. Large-scale third-party data breaches include SolarWinds, Kaseya, Mercedes and Okta. As organizations have increasingly adopted cloud and off-premise IT infrastructure, the difficulty of successfully managing third-party cyber risk has grown sharply. For every third party a company shares data with, or provides system access to, there is a web of interdependent fourth and Nth parties that may also have access to that data.
Third-party cyber risk affects every organization from the small IT service provider that unintentionally distributed ransomware to its customers, to the enterprise organization that suffers a massive data breach traced to an HVAC vendor. This post explains how organizations can successfully manage third-party cyber risk throughout the vendor risk lifecycle.
Third-party cyber risk is defined as a potential exposure in the confidentiality, integrity, or availability of IT infrastructure and data that an organization takes on as a result of working with a vendor, supplier, or other business partner. Third-party cyber risk can take numerous forms depending on the role of the third party. Some common forms of third-party cyber risk include:
Third-Party Data Breaches: Third-party data breaches have become incredibly common. As cloud services, SaaS application usage, and use of third-party security and IT contractors have increased, so have the risks associated with data breaches. Organizations like Marriott, Volkswagen, and Capital One have all suffered data breaches in recent years as a result of the use of third-party contractors, applications, or IT infrastructure.
Compliance Issues: Numerous compliance requirements address third-party cyber risk. Regulations such as HIPAA, CMMC, GDPR, CCPA, and others create direct controls for how organizations can share data or provide third-party access to data. Failure to understand and meet compliance requirements can cause enormous legal, regulatory, and public relations issues for organizations.
Ransomware & Denial of Service Attacks: Ransomware hasn’t traditionally been seen as a risk stemming from third parties. But in recent years malicious actors have increasingly targeted software applications used by hundreds, or even thousands, of companies in an effort to distribute ransomware. According to the 2022 Verizon Data Breach Investigations Report, ransomware was one of the top methods used by attackers in third-party data breaches covered by the report. Third-party cyber risk emanating from software providers that require privileged access to IT infrastructure should not be discounted.
Let’s start with a quick recap of a concept that is crucial to understanding and managing third-party cyber risk. Third-party cyber risk can broadly be classified into three distinct categories based on a vendor or supplier’s characteristics, the services they provide to your organization, and the stage of your relationship with them.
Profiled Risk: Profiled risk comes from a combination of company information, geographic location, industry, and regulatory requirements. For example, third parties located in politically volatile countries, those that are typically targeted by cyber attackers, or those that are highly regulated will carry a higher profiled risk. A third party's financial health and reputation can also be included in profiled risk, as poor marks in these areas can signal an inability to deliver on contractual promises.
Inherent Risk: Inherent risk is more specific to the service performed and is classified as the risk that the third party poses to your organization prior to the application of controls. Inherent risk is calculated by understanding the third party’s criticality to business performance and operations; its location(s) and related legal or regulatory considerations; the level of reliance on fourth or Nth parties; exposure to operational or client-facing processes; and interaction with protected data or internal systems. Organizations with high levels of access to sensitive data and infrastructure have higher inherent risk than those without.
Residual Risk: Residual risk represents the remaining risk posed to an organization by a third party after mandatory controls are implemented. Risk management teams should carefully consider and define acceptable versus unacceptable levels of residual risk or compensating controls.
On-Demand Webinar: The 5 Most Important Third-Party Cyber Risks
Join Dave Shackleford, founder of Voodoo Security, for a webinar where he highlights a process that you can use to prioritize third-party cyber risks.
Some degree of third-party cyber risk will be present with almost any vendor you do business with, even those with extremely minimal access to IT infrastructure or sensitive data. However, identifying vendors that expose your organization to unnecessarily high levels of cyber risk is critical to reducing the chances of a data breach or security incident further down the line. Here are a few questions to ask potential vendors, particularly those that have high profiled risk.
Identifying vendors that pose an acceptable degree of risk is only the beginning. Intake and onboarding is a crucial phase to enable both risk identification and reduction opportunities throughout the lifecycle of the contract.
Include specific data storage and cybersecurity requirements in your contract with the vendor based on compliance needs and profiled risk. Standardized clauses should cover when and how the vendor can share data with their third parties (i.e., your fourth parties). In addition, consider adding requirements to the SLA regarding encryption standards, identity and access management, and data retention.
Inherent risk scoring is critical to adequately managing third-party cyber risk. As mentioned above, a vendor's inherent risk is the risk it poses prior to the implementation of the specific controls your organization requires. Below are a few tips you can use to enhance your inherent risk scoring approach:
Don’t Take a One-Size-Fits-All Approach: Inherent risk scoring should be based on a vendor's profiled risk. Vendors should be tiered based on the data and infrastructure they have access to. Failing to tier vendors appropriately wastes due-diligence effort on the wrong vendors, while those that may pose substantial organizational risk don’t receive enough attention.
Consider Vendor Location When Scoring Inherent Cyber Risk: Vendors based in specific locations may be partially owned or under specific data sharing requirements by governments, which may supersede the vendors' contractual obligations to your organization. Carefully consider vendor location and regional politics when determining the amount of inherent risk that a vendor poses.
Bonus Tip: Using a dedicated third-party risk management solution can enable you to tier vendors based on custom-built criteria.
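As an added example (not Prevalent's scoring model or code from this post), the following Python script turns the inherent-risk inputs named above (data sensitivity, system access, business criticality, vendor location, fourth-party reliance and client-facing exposure) into a score and a tier, with a floor that never tiers a vendor with privileged access or regulated data below tier 1. The factor weights, thresholds, placeholder country codes, review cadence and sample vendors are all constructed assumptions.

```python
"""Inherent-risk scoring and vendor tiering.

Added illustration of the tiering logic the post describes; it is not
Prevalent's model. The weights, thresholds, floor rule, jurisdiction list
and sample vendors are constructed assumptions.
"""
from dataclasses import dataclass

DATA_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
SYSTEM_ACCESS = {"none": 0, "read": 1, "write": 2, "privileged": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2}
# Country codes the programme treats as elevated profiled risk (placeholder values).
ELEVATED_JURISDICTIONS = {"XX", "YY"}
# Score thresholds for tier 1 (most scrutiny) and tier 2; everything else is tier 3.
TIER_1_MIN = 18
TIER_2_MIN = 9
# Reassessment cadence per tier, in days (assumption).
REVIEW_CADENCE_DAYS = {1: 90, 2: 180, 3: 365}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str            # key of DATA_SENSITIVITY
    system_access: str               # key of SYSTEM_ACCESS
    criticality: str                 # key of CRITICALITY
    country: str
    fourth_parties_with_access: int  # fourth parties that also see our data
    client_facing: bool


def inherent_risk_score(v: Vendor) -> int:
    """Weighted sum of the inherent-risk factors, before any controls are applied."""
    score = 3 * DATA_SENSITIVITY[v.data_sensitivity]
    score += 3 * SYSTEM_ACCESS[v.system_access]
    score += 2 * CRITICALITY[v.criticality]
    if v.country in ELEVATED_JURISDICTIONS:
        score += 3
    score += min(v.fourth_parties_with_access, 3)  # capped so one factor cannot dominate
    if v.client_facing:
        score += 2
    return score


def tier_for(v: Vendor) -> int:
    """Map the score to a tier; privileged access or regulated data floors the tier at 1."""
    score = inherent_risk_score(v)
    if score >= TIER_1_MIN:
        tier = 1
    elif score >= TIER_2_MIN:
        tier = 2
    else:
        tier = 3
    # A software provider with privileged infrastructure access, or any vendor handling
    # regulated data, is never tiered below 1 whatever the other factors say.
    if v.system_access == "privileged" or v.data_sensitivity == "regulated":
        tier = min(tier, 1)
    return tier


def tier_vendors(vendors) -> dict:
    """Return {vendor name: tier} for a list of vendors."""
    return {v.name: tier_for(v) for v in vendors}


# Constructed sample vendors.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", "regulated", "write", "high", "US", 2, False),
    Vendor("Managed IT provider", "confidential", "privileged", "medium", "US", 0, False),
    Vendor("Marketing analytics", "internal", "read", "low", "XX", 1, True),
    Vendor("Office cleaning", "none", "none", "low", "US", 0, False),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        t = tier_for(v)
        print(f"{v.name:22} score={inherent_risk_score(v):2d} tier={t} "
              f"reassess every {REVIEW_CADENCE_DAYS[t]} days")
```

The managed IT provider scores just under the tier 1 threshold on the weighted sum alone, but the floor rule still places it in tier 1 because it holds privileged access; that is the kind of vendor a purely numeric cut-off would under-prioritize.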
If the vendor you are onboarding has a high degree of inherent risk based on their data and IT access, it may be worth examining their extended supply chain. Pay particular attention to organizations that work on their IT infrastructure or have access to data that they store. Understanding fourth and Nth party usage helps to inform your overall vendor risk management program, as well as to focus your third-party monitoring approach throughout the contract lifecycle.
Assessing and remediating cybersecurity risks emanating from third parties is crucial to your broader TPRM program. Here are a few tips you can use when assessing and requesting remediation from vendors:
If you have obligations under HIPAA, GDPR, NYDFS or other regulations, you must ensure that the vendor meets necessary controls based on the type of data they are handling. Utilizing third-party risk management software like Prevalent can make this step dramatically faster by automatically mapping cybersecurity frameworks used by the vendor to your organization's compliance requirements.
If the organization hasn’t had an outside organization certify that they are compliant with a well-known cybersecurity standard, don’t be afraid to request that they undergo an audit based on a framework (or compliance requirement that your organization falls under). It’s far better to lose a potential contract than to find out later that their self-certification of HIPAA compliance was exaggerated and your organization is liable for a breach as a result.
You should have a general idea of what outside organizations your vendor is using based on their answers during the intake and onboarding phase. As your organization conducts its formal vendor risk assessment, request the specific policies and procedures your vendor has for sharing data or access with fourth parties. If they don’t have formalized policies and procedures, request that they create them.
Risk isn’t static. The cyber risk that a vendor poses to your organization will likely change significantly throughout the contract lifecycle. Scope creep can result in vendors taking on additional jobs as they earn trust, which can also allow them to access additional resources that weren’t accounted for in the initial risk assessment. As the contract with the organization evolves, regularly reassess vendor risk to ensure that residual risk remains within acceptable parameters.
To accommodate resource constraints, many organizations, especially those with a solid vendor tiering plan, choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges become more valuable as they grow: the more vendors that participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time spent collecting data.
The NIST Third-Party Compliance Checklist
The NIST Third-Party Compliance Checklist is a 30-page guide that reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.
Even if you regularly conduct risk assessments to monitor for third-party risk, rapid changes to a vendor's risk profile can slip by. Continuously monitoring for changes to your contractor's cybersecurity posture is critical to effectively managing third-party cyber risk. Here is a brief list of sources worth monitoring throughout the vendor lifecycle to ensure you don’t miss a significant security event.
When targeting large organizations, malicious actors will often coordinate and plan attacks on Tor-hosted forums that are accessible only to authorized users. Monitoring dark web forums for mentions of third- and fourth-party vendors can enable you to rapidly identify potential cyberattacks that are in motion or have already been executed against third parties.
Dark web marketplaces like Genesis Market sell browser fingerprints harvested by botnets, which malicious actors can use to bypass 2FA and other controls. Monitoring these marketplaces can enable rapid identification if third-party access is for sale, alerting you to a potential data breach in progress. In addition, malicious actors often sell account access and stolen credentials on dark web marketplaces. These can then be used by other malicious actors to facilitate account takeover and phishing attacks. Monitoring these marketplaces can help you to better understand vendor cyber risk. Some questions to ask:
Not all data leaks and stolen accounts are on the Dark Web. In many cases, employees will accidentally leak third-party data that will appear on Pastebin and other public forums. To compound these challenges, malicious actors have also been known to dump files containing thousands of credentials on public access forums. Monitoring Pastebin and other public forums for proprietary information, stolen third-party credentials, and other sensitive data is a key part of conducting continuous third-party monitoring.
Vulnerability databases, such as the MITRE CVE database, can help your organization to identify exposures in software developed or used by your third-party vendors. Utilizing third-party risk management software can enable you to automatically identify third- and fourth-party software vendors with potential vulnerabilities.
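As an added example (not Prevalent's monitoring feature, and not the real CVE JSON schema), the following Python script matches a third-party software inventory against a set of vulnerability records and then propagates exposure through fourth-party dependencies, so a vendor whose own software is clean is still flagged when a provider it relies on runs an affected version. The advisory records, inventory, fourth-party links and field names are constructed, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Match a vendor software inventory against vulnerability records.

Added illustration; not Prevalent's code and not the official CVE record
format. Advisories, inventory and fourth-party links are constructed, and
advisory ids are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE number
    product: str
    fixed_in: str     # first version that is NOT affected; earlier versions are
    severity: str


def parse_version(version: str) -> tuple:
    """Dotted numeric version string to a tuple of ints ('2.4' -> (2, 4))."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in. Pads with zeros so '2.4' equals '2.4.0'
    instead of sorting before it, which a plain tuple comparison would do."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def direct_exposures(inventory: dict, advisories: list) -> dict:
    """{vendor: [(advisory_id, product, version)]} for vendors running affected versions."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    hits = {}
    for vendor, software in inventory.items():
        for product, version in software:
            for adv in by_product.get(product, []):
                if is_affected(version, adv.fixed_in):
                    hits.setdefault(vendor, []).append((adv.advisory_id, product, version))
    return hits


def exposures_with_fourth_parties(inventory: dict, advisories: list, fourth_parties: dict) -> dict:
    """Direct exposures plus vendors exposed only through a fourth party they depend on.
    Indirect hits are prefixed with 'via <fourth party>' so the path is visible."""
    direct = direct_exposures(inventory, advisories)
    result = {vendor: list(hits) for vendor, hits in direct.items()}
    for vendor, deps in fourth_parties.items():
        for dep in deps:
            for hit in direct.get(dep, []):
                result.setdefault(vendor, []).append(("via " + dep,) + hit)
    return result


# Constructed sample data.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "2.4.0", "high"),
    Advisory("EXAMPLE-0002", "othertool", "5.1", "medium"),
]
INVENTORY = {
    "Payroll SaaS": [("examplelib", "2.3.1"), ("othertool", "5.1")],
    "Managed IT provider": [("examplelib", "2.4")],
    "Hosting provider": [("othertool", "5.0.9")],
}
# Third party -> fourth parties it relies on (constructed).
FOURTH_PARTIES = {"Managed IT provider": ["Hosting provider"]}

if __name__ == "__main__":
    for vendor, hits in exposures_with_fourth_parties(INVENTORY, ADVISORIES, FOURTH_PARTIES).items():
        for hit in hits:
            print(vendor, "->", hit)
```

Version handling is the edge case worth noting: the managed IT provider reports `examplelib 2.4`, which is the fixed release written without a patch number, so the padded comparison correctly leaves it unflagged, while its hosting provider's `othertool 5.0.9` is below the `5.1` fix and surfaces as an indirect exposure.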
Another important part of third-party cyber risk monitoring is searching for vendors in databases of reported data breaches, like those from Privacy Rights Clearinghouse and the State of California. Even a limited-scope data breach should prompt you to assess the risk to any data shared with the third party. It may also call for a review of applicable regulatory compliance requirements.
Third-party risk monitoring software can help to automate the process of identifying and quantifying vendor cyber risks. For instance, our risk monitoring solution enables you to reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums, thousands of onion pages, 80+ dark web special access forums, 65+ threat feeds, and 50+ paste sites for leaked credentials, as well as several security communities, code repositories, and vulnerability databases.
Successfully managing SLAs across departments and vendors is crucial to effectively managing third-party cyber risk. Vendors need to be regularly assessed to ensure that compliance requirements are being met, and that additional compliance burdens haven’t been incurred through scope increases. Here are a few key considerations for third-party cyber risk management when managing SLAs.
Manually reviewing hundreds of contracts across dozens of departments and potentially thousands of vendors is challenging to say the least. Using third-party risk management software can enable you to automate key elements of SLA management with built in workflow and remediation.
Ensure that good cyber practices are written into the service level agreement. Specific provisions around data handling, contractor security requirements, staffing background checks, and similar matters can help ensure that third parties are using effective risk reduction techniques while providing services.
Not all data breaches happen during a contract. Offboarding and termination represent the final, critical stage in mitigating cyber risk posed by third parties. Many organizations with a lack of maturity in offboarding end up leaving vendors with access to critical data, accounts, and IT infrastructure. Below are a few best practices to use when offboarding vendors.
Ensuring compliance with applicable laws and regulations is key to successfully offboarding vendors. Assess your organization's compliance requirements and ensure that vendor offboarding, data deletion, and validation are all performed in accordance with applicable laws and regulations.
Third-party risk management platforms will have built-in reporting that aligns with these regulatory obligations, which can simplify the compliance process. Many organizations assume that data destruction has occurred upon the contract ending. Take the time to manually validate that all sensitive, proprietary, and regulated data in the vendor's possession has been destroyed.
Keeping up with vendor access, particularly vendors that work across multiple departments, can be difficult. However, it is imperative that you take the time to manually check each department and ensure the vendor has been fully and successfully offboarded across the organization. Leaving a vendor with access to IT infrastructure, accounts, or sensitive information can leave you vulnerable to a data breach or compliance violation months or even years down the road.
Many organizations rightfully focus on ensuring that vendors no longer have access to cloud servers, databases and SaaS applications. But it is nearly as important not to lose sight of the physical security of IT infrastructure and assets. Failing to revoke credentials, or to inform security teams that a vendor is being offboarded, can result in security lapses and potential breaches should an employee of the third-party vendor act in bad faith.
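As an added example (not Prevalent's platform or code from this post), the following Python script performs the cross-department offboarding check described above: it reconciles account exports from several systems against a departing vendor's identity and reports every still-enabled account attributable to that vendor. It matches on three signals, because a vendor's footprint is rarely captured by one list alone: principals the vendor is known to hold, any principal under the vendor's e-mail domain, and service or badge accounts tagged with the vendor as owner. The exports, the vendor identity, the domain and the field names are constructed assumptions.

```python
"""Find lingering vendor access across system exports after offboarding.

Added illustration of the cross-department check the post calls for; it is
not Prevalent's code. The account exports, the vendor name, e-mail domain,
known principals and record fields are constructed assumptions.
"""

# Constructed account exports, one record per principal per system.
# "owner" is an ownership tag used for service and badge accounts that do not
# carry the vendor's e-mail domain and so would otherwise be missed.
ACCOUNT_EXPORTS = [
    {"system": "identity provider", "principal": "jdoe@vendor.example", "enabled": True, "owner": ""},
    {"system": "identity provider", "principal": "ops@vendor.example", "enabled": False, "owner": ""},
    {"system": "vpn", "principal": "vendor-svc", "enabled": True, "owner": ""},
    {"system": "cloud iam", "principal": "svc-payroll-sync", "enabled": True, "owner": "Payroll SaaS"},
    {"system": "cloud iam", "principal": "alice@corp.example", "enabled": True, "owner": ""},
    {"system": "badge system", "principal": "J. Doe (contractor)", "enabled": True, "owner": "Payroll SaaS"},
    {"system": "ticketing", "principal": "help@vendor.example", "enabled": True, "owner": ""},
]


def belongs_to_vendor(record: dict, vendor_name: str, vendor_domain: str, known_principals: set) -> bool:
    """Attribute a record to the vendor by known principal, e-mail domain, or owner tag."""
    principal = record["principal"].lower()
    return (
        principal in known_principals
        or principal.endswith("@" + vendor_domain.lower())
        or record["owner"].lower() == vendor_name.lower()
    )


def lingering_access(exports: list, vendor_name: str, vendor_domain: str, known_principals) -> dict:
    """Return {system: [principal]} for accounts still enabled that belong to the vendor.
    Disabled accounts are ignored: they are evidence of offboarding, not a gap."""
    known = {p.lower() for p in known_principals}
    found = {}
    for rec in exports:
        if rec["enabled"] and belongs_to_vendor(rec, vendor_name, vendor_domain, known):
            found.setdefault(rec["system"], []).append(rec["principal"])
    return found


def offboarding_complete(exports: list, vendor_name: str, vendor_domain: str, known_principals) -> bool:
    """True only when no system still grants the vendor any enabled access."""
    return not lingering_access(exports, vendor_name, vendor_domain, known_principals)


if __name__ == "__main__":
    # Constructed departing vendor and the principals the contract file lists for it.
    gaps = lingering_access(ACCOUNT_EXPORTS, "Payroll SaaS", "vendor.example", {"vendor-svc"})
    for system, principals in gaps.items():
        print(f"{system}: still enabled -> {', '.join(principals)}")
    print("offboarding complete:", not gaps)
```

In the constructed data the contract file only knows about `vendor-svc`, yet the reconciliation surfaces four more live accounts across the identity provider, cloud IAM, badge system and ticketing, including a badge record, which is the physical-access case the text warns about. The disabled `ops@vendor.example` account is correctly left out.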
Successfully mitigating third-party cybersecurity risk to an acceptable level throughout the vendor risk lifecycle can be daunting. Third-party data breaches continue to mount as new vulnerabilities surface and attack techniques evolve. Recent events such as the war in Ukraine and heightened geopolitical instability have compounded these risks.
Utilizing a third-party risk management solution can dramatically reduce the effort required to successfully mitigate risks stemming from third-party IT access. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.