Organizations struggle to defend against the threat landscape because of lenient practices, talent shortages or a lopsided allotment of resources.
Third-party vendors — everything from core IT infrastructure to caterers — present businesses with a vast attack surface to defend. Once a vendor is compromised, attackers can move downstream to its customers, with the intrusion taking the form of phishing, malware, social engineering, data theft and ransomware.
Mitigating threats from these sometimes once- or twice-removed relationships can be a burden, but there are steps organizations can take to bolster their defenses, analysts and cybersecurity professionals told Cybersecurity Dive.
Threat actors exploit weaknesses throughout the supply chain, and third-party vendors are an opportunistic target because they can be more easily infiltrated than organizations with sophisticated cybersecurity controls. Assumptions should be avoided, but a technology firm might have higher security standards than a marketing partner.
“It offers a way to outflank the primary target,” said Ron Westfall, senior analyst and research director at Futurum Research.
Organizations need to look beyond their internal controls and processes and implement a third-party risk management scheme that ensures third parties follow equally rigorous security safeguards, Westfall said.
Supply-chain attacks, such as those recently at Twilio and Mailchimp, underscore how an attack on one vendor can quickly spread to many unsuspecting victims.
Don’t neglect seemingly non-critical services
Risks can be glaring or lurking in the least likely places.
“If I were a CISO these days, I would be looking at things like the companies that supply our janitorial supplies if we have a mechanism for automatic reordering, or something like that,” said Curtis Franklin, senior analyst at Omdia.
“Look for absolutely the least obvious things you can imagine,” he said.
Cybercriminals that breached Target during the holiday season of 2013 — which led to the theft of 40 million credit and debit cards and data on 70 million customers — initially gained access via the retailer’s remotely accessible heating, ventilation and air-conditioning systems.
Organizations generally do a better job of mitigating potential risks from vendors deemed critical to operations because those tools or services also inherently pose more cybersecurity risks, said Alla Valente, senior analyst at Forrester.
These critical services — security software, IP servers, financial payments and processing, and network infrastructure, for example — pose a clear potential threat, if compromised.
“Unfortunately, most organizations just don’t do the same depth and diligence on technologies that are outside of the scope of what might be considered an IT vendor,” Valente said.
Organizations can mitigate some potential exposure by requiring two-factor authentication by default across all connections, she said.
Identify and protect data access points
Businesses need to flip third-party risk assessments from an IT-centric perspective to a data-centric approach.
“We have to think in terms of what type of data they have access to,” such as financial information, customer records or intellectual property, Valente said. “Not what business departments do they support.”
Organizations can limit risk by taking a hard look at their portfolio of third-party vendors, and cut unnecessary or overlapping tools. Some companies might have two or three endpoint detection and response tools when one will suffice, Digital Shadows CISO and VP of strategy Rick Holland said.
Businesses should also look for tools that integrate across the entire stack, he said, adding that most companies shouldn’t be investing in point solutions. “The point solutions just need to die,” Holland said.
Assessing third-party risks requires rigor and nuance — exercises that go beyond a generic checkbox in a spreadsheet.
This includes penetration tests and in-depth reviews of software bills of materials, Holland said. “What are the ingredients in this meal I’m about to eat?”
Beyond that, internal security settings and gaps in security monitoring should all be scrutinized often.
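As an added illustration of the SBOM review Holland describes (example code, not from the article or from any vendor named in it), the script below inspects a constructed CycloneDX JSON bill of materials and reports the questions a reviewer would raise about each ingredient: components with no version, components whose origin cannot be verified because they carry no package URL, and components below a minimum version set by a constructed internal policy table.

```python
# Added example, not from the article: minimal review of a vendor-supplied
# CycloneDX JSON SBOM. The SBOM and the policy table are constructed here.
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in CycloneDX 1.4 JSON layout (fictional components).
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "vendor-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "widget-parser", "version": "1.4.2",
     "purl": "pkg:generic/widget-parser@1.4.2"},
    {"type": "library", "name": "tls-lib", "version": "3.0.7",
     "purl": "pkg:generic/tls-lib@3.0.7"},
    {"type": "library", "name": "crypto-shim", "version": "2.0.0"},
    {"type": "library", "name": "pad-util"}
  ]
}"""

# Constructed policy: lowest acceptable version per component name. In a real
# review this table would come from a vulnerability or end-of-life feed.
MIN_VERSION = {"widget-parser": (1, 5, 0), "tls-lib": (3, 0, 7)}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def review_sbom(sbom_json: str, min_version: Dict[str, Tuple[int, ...]]) -> List[str]:
    """Return the findings a reviewer would raise about each listed ingredient."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            # An ingredient without a version cannot be checked against anything.
            findings.append(f"{name}: no version recorded")
            continue
        if "purl" not in comp:
            # Without a package URL the component's origin is unverifiable.
            findings.append(f"{name}@{version}: no package URL")
        floor = min_version.get(name)
        if floor and parse_version(version) < floor:
            wanted = ".".join(str(n) for n in floor)
            findings.append(f"{name}@{version}: below policy minimum {wanted}")
    return findings
```

Calling `review_sbom(SAMPLE_SBOM, MIN_VERSION)` yields one finding per problematic component, in the order the SBOM lists them.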
“I do hope that companies who have not necessarily experienced this firsthand yet are learning from the misfortunes of others,” Valente said.
Cyberattacks via third parties aren’t going to stop or let up, she said, “but hopefully they won’t be as prevalent if we just engage in those best practices.”