Managing third-party cybersecurity risks in the supply chain

Tesserent Australia Pty Ltd

By Mark Jones, Senior Partner, Tesserent
Wednesday, 21 August, 2024


Many large companies including Uber, SolarWinds and Microsoft have suffered significant cybersecurity incidents because third parties and partners were compromised by threat actors. Criminals exploit connections between systems to find a way to steal data. And while the incidents may be initiated via a third party, the reputational and business impact rests solely with the affected organisation’s brand.

Third-party cybersecurity breaches occur when the victim’s defences are compromised through a partner or service provider. For example, if one of your suppliers’ systems is attacked, an attacker may use their access to infiltrate your systems. Regardless of the sector, business size or geography, every organisation is part of an ecosystem of suppliers, customers and partners. And every one of those third parties is an extension of that organisation’s business. That means a cybersecurity incident that impacts part of that network can impact your operations and reputation. This is not a new challenge, but the approach to managing third-party risk must evolve.

A proactive approach is crucial to identify and remediate vulnerabilities throughout supply chains before cybercriminals can exploit them. Organisations must act now and consider the cybersecurity risks that relationships with third parties can introduce to their environment. Even the most robust internal security measures can become irrelevant if third parties present potential vulnerabilities.

Managing third-party risk presents several key challenges. Organisations may have different views of what constitutes a risk and how different types of potential threats need to be managed. There can be a significant difference in resource availability and budget for cybersecurity. Incident response processes may primarily focus on internal impacts and not on external parties.

To overcome these challenges, organisations must start to view third parties as allies and an extension of their own business. That means working with third parties to help them uplift their cybersecurity posture. This needs to be done in a contextually appropriate way: having a standard 300-question survey may not be the right approach for every partner. Understanding each partner’s security posture requires a dialogue where the risks for each party are articulated and understood — only then can appropriate mitigation strategies be put in place.

Threat intelligence is also critical and needs to take a broad view. While it will always be important to ensure there is a focus on threats and risks that directly impact an organisation, the scope of intelligence monitoring needs to include critical partners, suppliers and customers — particularly if they have direct access to systems. In one recent attack, the threat actor was able to compromise secure VPN access through an MFA fatigue attack. Organisations need to consider what attack methods partners may be vulnerable to and assess trusted third-party supply chain partners accordingly.

Security standards remain a useful tool for articulating, assessing and managing third-party risk. When talking to partners, organisations can use frameworks such as the ASD Essential Eight, Prudential Standard CPS 234 and ISO 27001 to help gauge the risks and develop mitigation strategies.

Effective management of third-party risk is no different to the management of any other risk. It requires regular monitoring and plans to manage new and changing risks. But managing third-party risks has the added complexity of working with people whose approach, capability and resourcing may be different to yours. This is why partnership is critical.

It’s said that a rising tide lifts all boats. By raising the security posture of partners, suppliers and customers, organisations can improve their ability to protect their systems and data from threat actors.
