These days, vendor data breaches, PII/PHI exposures, and supply chain disruptions are constantly in the news, so it’s no wonder that risk and security teams are paying closer attention to third parties than ever before. However, taking on responsibility for evaluating third-party risk can be daunting for teams that are already overtaxed with handling internal security policies, controls, infrastructure, and training.
But let’s face it – third-party relationships are here to stay, and third-party ecosystems are expanding rapidly for most organizations. NOT focusing on these risks isn’t really an option, so what’s the answer? While I can’t prescribe a panacea for TPRM in a single blog post, I can share a strategy for prioritizing third-party cyber risks based on my experience working with clients.
Right at the top of the list is the theft of credentials, which are often exposed and posted for sale on the dark web. You need to focus on not only those credentials entrusted to third-party providers for direct access to your systems, but also on those credentials third parties use to access your organization’s data – including customer or patient data – regardless of where that data is housed.
With the proliferation of cloud storage like AWS S3 buckets, credentials and other sensitive data are now potentially exposed in more places than most people realize. For instance, the 2017 exposure of U.S. Department of Defense credentials by Booz Allen Hamilton is just one striking example of credentials being ill-protected in a cloud service environment.
Another area that requires significant attention includes security incidents, validated attacks, and data breaches affecting your third parties. How do you find out about them and take action before they impact your organization? The SolarWinds breach is the perfect example: the software supply chain was wholly compromised before the software was distributed to unsuspecting customers.
Make sure your organization is conducting cyber risk monitoring for “chatter” about incidents and breaches involving your third parties on the dark web or other forums, particularly when sensitive data has already been accessed by attackers and is available or imminently available for sale.
The 5 Most Important Third-Party Cyber Risks To Track - And Why
Join Dave Shackleford, founder of Voodoo Security, for an on-demand webinar where he highlights a process that organizations should use to prioritize third-party risks.
Another major category of third-party cyber risk includes misconfigurations or vulnerabilities in web or application infrastructure. While evaluating third-party vulnerability management programs can be a hefty undertaking, it’s nonetheless critical to conduct assessments of key vendors’ patching, configuration management, and vulnerability scanning practices. It’s also helpful to determine whether critical third parties are actively looking for evidence of command and control or data exfiltration.
Finally, there are cyber threats that directly endanger your brand reputation. Consumers and regulators increasingly judge organizations by the company they keep – so any incident affecting a vendor in your supply chain may cast a negative light on your organization. Take typosquatting, for example, where an attacker registers domain names that are similar to legitimate websites and uses them to host fraudulent and/or malicious content with false brand associations.
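As an added example (not code from the original post), here is the kind of check a brand-monitoring job can run over a feed of newly observed domains, flagging entries that are one character edit away from, a homoglyph of, or a longer label embedding your own or a key vendor's domain. The protected domains and the feed are constructed sample data, and the label extraction assumes single-part public suffixes.

```python
# Added example (not from the original post): flag newly observed domains that
# look like typosquats of your own brand or a key vendor's domain.
# All domain names below are constructed sample data.
PROTECTED = ["voodoosec.example", "acme-vendor.example"]
NEW_DOMAINS = [  # constructed feed, e.g. from a certificate transparency log
    "voodoosec.example",        # our own domain: not a hit
    "vooodoosec.example",       # extra character
    "ovodoosec.example",        # transposed characters
    "voodoosec-login.example",  # brand embedded in a longer label
    "acme-vend0r.example",      # digit standing in for a letter
    "unrelated.example",        # benign
]
# Look-alike characters; applied to both sides before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_label(domain):
    """Label left of the TLD (assumption: no public-suffix handling, e.g. co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label):
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[i + j if not (i and j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + cost)
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify(domain, protected=PROTECTED, max_distance=1):
    """Return (reason, brand) for a lookalike; None for the real domain or unrelated."""
    label = registrable_label(domain)
    for brand in protected:
        blabel = registrable_label(brand)
        if label == blabel:
            return None  # the genuine domain (or a subdomain of it)
        n_label, n_brand = normalize(label), normalize(blabel)
        if n_label == n_brand:
            return ("homoglyph", brand)
        if damerau_levenshtein(n_label, n_brand) <= max_distance:
            return ("edit-distance", brand)
        if n_brand in n_label:
            return ("brand-embedded", brand)
    return None
def scan(feed, protected=PROTECTED):
    """Return [(domain, reason, brand)] for every lookalike in the feed."""
    return [(d, *r) for d in feed if (r := classify(d, protected))]
```

Each hit from scan(NEW_DOMAINS) is a candidate for takedown or blocking review; tune max_distance and the homoglyph map to your brand's actual spelling to keep false positives manageable.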
It's clear that we need to focus more on third-party cyber risk, but one of the most common questions is, “Where do we start?” The issues outlined here are great starting points in developing a third-party risk monitoring and assessment program, but they still only scratch the surface. For a closer look, watch my on-demand webinar, The 5 Most Important Third-Party Cyber Risks to Track – and Why.