The Top Third-Party Cybersecurity Risk Priorities of 2024 – and What to Do About Them

2023 showed that third-party data breaches impacted organizations across all industries. Prevalent’s annual TPRM industry study found that 41% of companies reported a third-party breach, and 71% consider third-party security breaches to be a top concern. Organizations of all types and sizes are taking a more serious look at how they can stay on top of the growing number of third-party cyber risks. The challenge is only growing into 2024.

There is a lot that we as security and risk professionals need to do to improve the state of third-party risk management. Confusion persists about what third-party risk is, what controls to implement, how to assess vendors, how to manage vendors, the impact of regulatory compliance, and so much more. Therefore, it’s not surprising at all that stakeholders across most organizations are confused (yet concerned) about the state of third-party associations. Cybersecurity and risk teams need to develop and implement cohesive, informed plans that help everyone get on the same page in the face of new and growing threats.

In this post, I examine the top third-party cyber risks to watch for in 2024 and suggest a list of 7 priorities to address those risks.

Top Third-Party Cybersecurity Risks to Watch for in 2024

Based on third-party cyber incident trends over the last year, in 2024 we’ll see more of the following types of risks:

• Software and service failures and supply chain breaches
• Privileged and account-based attacks
• Malware infections/spread
• Unauthorized use/access
• Denial of Service
• Breaches and incidents in 3rd and 4th level partners, and vendors

However, I’d like to focus specifically on software supply chain risks as the trend is increasing significantly here.

The software supply chain creates and delivers software from its conception to its eventual end-user. It encompasses all the steps involved in creating and delivering software, from the initial idea to the final product. The supply chain can be divided into three main sections:

• Development: The steps taken to create a piece of software, including design, coding, testing, and bug fixes.
• Distribution: The process of getting the software to its end users, including packaging, marketing, and delivery.
• Consumption: Installation and use of the software once it has been delivered

MOVEit is a classic example of a software supply chain breach. In May 2023, a ransomware gang called Cl0p began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer solution. Since then, more than 2,000 organizations have reported being attacked and Progress Software has issued numerous patches.

Top 7 Third-Party Cyber Risk Management Priorities of 2024

In 2024, security teams must prioritize third-party cyber risk management to get ahead of potential software supply chain attacks. Here are seven places to start:

1. Conduct a thorough review of procurement team processes for better third-party governance. Seek to answer questions such as:
   • How is vendor review initiated?
   • How are contract terms defined and reviewed?
   • What recourse do you have if a vendor product leads to a breach or vulnerability?
   • How often are vendor reviews performed after the contract?
   • How are third-party reviews documented?
2. Prioritize risk reviews. Third-party risk reviews should start by defining the controls with which the third party needs to demonstrate compliance. Next, determine the frequency of security reviews. Finally, define a remediation and arbitration process to handle third-party risks.
3. Leverage risk rankings. Use third-party risk solutions that offer supplier risk ratings or rankings compared to other industry organizations. Monitoring the overall risk ratings of third parties provides information on industry perceptions of security posture.
4. Improve third-party breach communications. Reach out to the impacted vendor and determine your potential exposure and any contractual service level agreements (SLAs).
5. Isolate access and systems if a breach occurs. Leverage local host restrictions, network access controls, privilege restrictions, and account removal/locks.
6. Remediate risks. While controlling the “blast radius” of a third-party breach you should identify and classify impacted data and investigate compliance impacts.
7. Continuously monitor for third-party breaches. Monitor internal behaviors from software/platforms affected, access to/from vendors and other parties, and reputation and threat intelligence services to determine the impact to your organization.