It's easy for cybersecurity teams to think they're doing everything to stay ahead of data breaches and cyberattacks in this post-pandemic era.
For instance, you've probably rallied qualified experts to augment your IT ecosystem and supplied them with state-of-the-art threat detection and mitigation technologies that offer real-time insight into your infrastructure security. You may have also enrolled your staff in regular awareness training programs, most of whom are excelling in simulated phishing tests.
You may also have a step-by-step response plan ready to minimize the implications of security incidents. And so you relax, confident that you've covered every base to fend off threat actors and secure your organization against security incidents. But is this really the case? Maybe not!
The truth is that organizations remain vulnerable as long as they don't address third-party risk. Entities nowadays don't function as lone islands but interconnect with experts and suppliers to improve their services or products. While this approach offers abundant benefits, it also comes with risks. If just one vendor neglects information security, every company in the digital supply chain faces cybersecurity risk.
Therefore, it's essential to understand existing third-party cybersecurity gaps before choosing the best approach to managing third-party risk.
Top Third-Party Risk Cyber Gaps
Partnering with vendors means a potentially expanded attack surface. This is a significant issue, considering a data breach can cost a business about $3.86 million, with notable breaches where over 50 million records were stolen going as far as $392 million.
Numerous vulnerabilities come with vendor relationships, but these are the leading ones:
Leveraging Vulnerable Unpatched Technology
The use of unpatched technology is among the leading third-party cyber gaps. These products often aren't updated, and the versions still in use carry numerous publicly known vulnerabilities and exploits.
If you've managed patching for production technology, you understand that organizations are affected mainly through outdated resources with known cybersecurity vulnerabilities, whereas the updated versions carry critical enhancements and fixes for data privacy and security loopholes.
The highly publicized SolarWinds attack can be attributed to software updates. Criminals introduced malicious code into the updates, and the company's security program couldn't detect it until later, when the damage had already occurred.
Overlooked Third-Party GDPR Requirements
If you work with US-based third-party vendors and service providers, you might think that GDPR is the least of your worries – and you would be wrong.
Companies that have offices or establishments in Europe, that operate in the region by providing goods or services to residents of the European Union, or that monitor the behavior of consumers in the EU must comply with the numerous GDPR rules. What's more, they must ensure that their third parties do so as well.
Enterprises that don't comply, or whose third parties don't pay attention, risk severe penalties, including a harsh fine of €20 million or 4 percent of their global annual revenue.
Besides avoiding the penalties, GDPR compliance can immensely boost your security posture and simplify managing third-party risk if you work with business partners.
Your third-party security assessment strategy must entail reviewing your vendors' GDPR compliance for the above reasons.
Open Port with High-Risk Service
An open port is a TCP or UDP port on which a service is listening and accepting packets; a closed port rejects connections or ignores all packets.
Ports are integral to the internet connection model because they enable communication exchange. Services that use the internet (like web servers, file transfer services, and web browsers) receive and transmit information via specific ports.
Services such as file transfer protocols use ports to share data between hosts and to run encrypted tunnels across devices. Only one service can listen on a given port at a time, so if a service operates on a particular port, running other services on it becomes impossible.
Open ports become a cybersecurity gap when the service listening behind them has security vulnerabilities that attackers can exploit, or when attackers use social engineering or malware to introduce a malicious service on an open port. Criminals can gain unauthorized access to sensitive data (like private healthcare information) by running such services on open ports.
Unknown Third-Party Service Providers
It's common to find companies operating while unaware of some of their connected vendors, which can be a significant cybersecurity problem. In a company with numerous suppliers, you'll usually discover extra ones the organization wasn't aware of, and each of them is a potential gap in your security controls.
Obviously, it's hard to prevent cyber mishaps from affecting your company if you don't know who your third parties are. Companies that skip continuous monitoring to uncover their vendor relationships cannot pinpoint the cybersecurity loopholes caused by poor management of third-party risk.
Failing to Use HTTPS for Significant Web Assets
Hypertext Transfer Protocol, or HTTP, enables communication between systems. It's commonly used to transfer data from web servers to browsers, allowing users to view web pages. You've likely come across the HTTPS sign, which appears as a padlock icon in the browser's address bar and indicates an encrypted connection to the site.
Plain HTTP isn't a secure protocol, as criminals can easily eavesdrop on your communication across the network. Therefore, you must transport your sensitive data securely and make it accessible only to authorized web servers or users. This is why HTTPS was created.
Nowadays, major sites don't allow unencrypted HTTP traffic, but you'll still find websites that don't support HTTPS entirely, even in the sensitive healthcare sector. Common causes are insecure (plain HTTP) third-party resources like CSS, JavaScript, and images loaded into an otherwise encrypted page, or missing, invalid, or expired SSL/TLS certificates.
Failure to Rely on Web Application Firewall
Numerous attacks target apps and websites, from DDoS and scraping to cross-site scripting and SQL injection. Web Application Firewalls, or WAFs, are now necessary for basic protection, helping defend against sophisticated phishing, patching issues, cloud vulnerabilities, and evolving ransomware strategies. Their intrusiveness, complexity, and high cost may explain why several vendors try to get by without one.
A WAF secures your applications and website by monitoring, filtering, and blocking malicious HTTP/HTTPS traffic to and from the web application. It also protects data within the app from unauthorized access.
Given its immense benefits to a company's cybersecurity posture, it's clear that companies that fail to deploy a web application firewall are jeopardizing their systems.
Untrusted Web Asset Certificates
Another third-party cybersecurity loophole is untrusted certificates scattered like socks on the bedroom floor. These could be invalid, expired, or self-signed, and they mainly occur when certificate issuance and renewal aren't managed properly.
Many vendors have untrusted certificates on some of their assets and treat the issue as low priority, assuming the affected assets are unofficial or unused. But this poses a significant danger, as threat actors are always looking for entry points like unpatched or unmonitored servers within the company's network.
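The two gaps above (HTTPS support and untrusted certificates) are easy to check for every web asset in your vendor inventory. The script below is an added example, not code from the original article or from any vendor risk product; it uses only the Python standard library. The certificate dictionaries have the shape returned by `ssl.SSLSocket.getpeercert()`, and the sample certificate, hostnames and the fixed "now" timestamp are constructed for illustration.

```python
"""Classify a vendor web asset's TLS endpoint: trusted, untrusted, no TLS, unreachable.

Added example; standard library only. The network check (check_https) is only
run when you pass hostnames on the command line; everything else works offline
on certificate dicts shaped like ssl.SSLSocket.getpeercert() output.
"""
import socket
import ssl
import sys
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample certificate (not a real vendor's), in getpeercert() format.
SAMPLE_CERT = {
    "subject": ((("commonName", "vendor.example"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "vendor.example"), ("DNS", "*.vendor.example")),
}
# Fixed reference time so offline results are reproducible: 2029-01-01 UTC.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2029 GMT")


@dataclass
class CertFinding:
    host: str
    status: str                     # "trusted", "untrusted", "no-tls", "unreachable"
    detail: str = ""
    days_left: Optional[int] = None
    issues: list = field(default_factory=list)


def is_self_signed(cert: dict) -> bool:
    """A certificate whose issuer equals its subject is self-signed."""
    return cert.get("issuer") == cert.get("subject")


def days_until_expiry(cert: dict, now: Optional[float] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def covers_hostname(cert: dict, hostname: str) -> bool:
    """True when hostname matches a DNS subjectAltName (wildcard = one label)."""
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if name.startswith("*."):
            suffix = name[1:]                      # "*.v.example" -> ".v.example"
            labels = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
            if labels and "." not in labels:
                return True
        elif name == hostname:
            return True
    return False


def evaluate_cert(cert: dict, hostname: str, now: Optional[float] = None,
                  min_days: int = 30) -> list:
    """Return the list of issues for a certificate dict; empty means no issues."""
    issues = []
    if is_self_signed(cert):
        issues.append("self-signed certificate")
    days = days_until_expiry(cert, now)
    if days < 0:
        issues.append(f"expired {-days} days ago")
    elif days < min_days:
        issues.append(f"expires in {days} days")
    if not covers_hostname(cert, hostname):
        issues.append("certificate does not cover hostname")
    return issues


def check_https(host: str, port: int = 443, timeout: float = 5.0) -> CertFinding:
    """Connect with a verifying context and classify the endpoint (network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain failed to validate against the system trust store (expired,
        # self-signed, hostname mismatch, unknown CA); verify_message says why.
        return CertFinding(host, "untrusted", exc.verify_message)
    except ssl.SSLError as exc:          # port answers but does not speak TLS
        return CertFinding(host, "no-tls", str(exc))
    except OSError as exc:               # closed port, timeout, DNS failure
        return CertFinding(host, "unreachable", str(exc))
    return CertFinding(host, "trusted", days_left=days_until_expiry(cert),
                       issues=evaluate_cert(cert, host))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then any hosts given.
    for name in ("vendor.example", "api.vendor.example", "a.b.vendor.example"):
        print(name, evaluate_cert(SAMPLE_CERT, name, SAMPLE_NOW) or "ok")
    for host in sys.argv[1:]:
        print(check_https(host))
```

Run it with no arguments to see the offline checks, or pass vendor hostnames (`python check_tls.py vendor.example`) to classify live endpoints. An "untrusted" result with the reason from `verify_message` is exactly the finding the section above describes; feeding the output into your vendor inventory lets you tell a forgotten asset with a self-signed certificate from one that is simply about to expire.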
User Behavior
Human error is a leading cybersecurity loophole in numerous vendor relationships. It results from staff who fail to practice due diligence. Most companies fail to examine the activities that could introduce malicious software into their IT infrastructure. The most common risks attributed to human behavior are exposed credentials and file sharing.
These risks arise when company staff share software and media over peer-to-peer exchange protocols. As a result, your network becomes more susceptible to cyber threats like malware infections.
Compromised Systems
Compromised systems are vendor infrastructure with a history of successful cyber attacks. While such a system doesn't necessarily cause data loss, each one indicates a compromise on the vendor's side.
You should recognize and categorize compromised systems as they correlate with the potential for system breach. But most companies fail to check whether any devices in their vendor network are infected with malware.
The Limits of Vendor Security Solutions
You may do everything to mitigate supply chain risk. But most of the currently-used approaches to handling vendor security challenges are not up to the task, hindering Vendor Risk Management efforts.
Companies usually make a monotonous, time-consuming attempt to assess each third party manually. But it's not sustainable for information security teams to invest their effort and time seeking vendor responses to questions regarding their security posture.
It might take weeks to get the responses, rendering the risk assessments outdated. This approach will likely communicate an inaccurate cybersecurity risk status, leaving the entire framework and company susceptible to cyber breaches.
Security rating services are a great place to begin your vendor risk evaluation and management. These solutions provide risk ratings that indicate the risk level of transacting with a particular third party. However, they are unlikely to consider the context of your third-party relationships.
Other companies opt for automated security questionnaires, which enable faster turnaround than manual risk assessments, but they also have flaws. Questionnaires often aren't customized and may fail to ask relevant questions. Furthermore, they don't consider the partner's identity or role in the relationship.
If you lack this context, you'll experience hurdles prioritizing mitigation measures and responding appropriately, significantly impacting your cyber risk management.
Practical Third-Party Security Best Practices
You need a multifaceted approach to seal third-party risk cyber gaps. There's no standard approach to this, and companies can use a combination of layered defenses to secure their supply chains.
The most effective cyber risk management best practices include:
- Evaluate every third party against your pre-determined cybersecurity metrics and KPIs before onboarding; various automation approaches can help here.
- Increase CISO oversight of VRM performance.
- Maintain an up-to-date inventory of the vendors in use.
- Continuously monitor your third parties for security risks.
- Collaborate with vendors on cybersecurity.
- Discuss third-party risk with your partners.
- Terminate relationships with bad business partners.
- Pay attention to fourth-party risk.
- Uphold the principle of least privilege, using automation to limit access rights.