Strengthening Third-Party Cybersecurity Risk Management
Third-party providers of products, services, and software deliver tremendous business value, but also elevate cybersecurity risk that is often overlooked.
Key Points
- The latest research shows companies under-manage third-party cybersecurity risk, even as their reliance on outside business partners increases.
- Three in five companies work with product, service, or software providers that were breached in the past year.
- Smaller organizations are least likely to mount a third-party cyber risk program.
Consider every business you work with and how many computing devices they have in their organization. Each device represents a possible entry point for a third-party cyberattack. This ever-expanding attack surface poses a perpetual concern for companies that rely on dozens or even hundreds of providers of products, services, and software.
A Wall Street Journal Pro study found that 62% of organizations worked with product, service, or software providers that were breached in the past year.[1] The Identity Theft Resource Center (ITRC) meanwhile said that third-party/supply chain attacks publicly reported in the U.S. surged by more than 35% in 2022.[2]
ITRC’s “2022 Data Breach Report” profiled an attack on an accounts receivable management company that exposed the information of more than 600 client firms. This example underscores how third-party risk, usually associated with supply chains involved in producing and distributing goods, can be equally pernicious in companies’ growing relationships with partners ranging from office supply companies to collaboration platforms to managed service providers (MSPs).
Breach statistics such as those above have added impetus to expand cyber risk management efforts. The same WSJ Pro study indicates that two in three companies have launched a third-party cybersecurity risk management program. But these programs are found mostly in midsize and large companies — just one in three small companies has mounted a similar response.
The Challenges of Third-Party Cyber Risk Management
Companies typically provide numerous third parties with access to private networks and sensitive databases, relying on them for business needs ranging from expense reporting and email services to managing industrial control systems, according to the CyberRisk Alliance (CRA). A recent CRA study found that nearly one-third of companies have more than 100 third-party relationships, while some in financial services or healthcare may tally upward of 500.[3]
Cyberattackers often exploit third parties to reach their actual target. In the CRA report, nine out of 10 survey respondents expressed some concern that they could experience a breach or break privacy compliance rules due to a third-party vulnerability.
Making Progress Against Third-Party Cyber Risk
Tackling third-party cyber risk takes a combination of textbook risk management practices, new technology, and outside help. For instance, many larger companies are introducing so-called “zero trust” approaches and extended detection and response (XDR) technologies — not only in their own organizations, but across their supply chains. A zero trust approach controls access to data and networks on the principle of “least privilege,” granting each user or system only the access it needs, while XDR integrates detection and response capabilities across all network connections. Still, measures like these are often beyond the reach of smaller companies, which increasingly turn to managed security service providers (MSSPs) instead.
A recent report by PwC points to measured progress by CISOs and other executives responsible for cybersecurity policies and resilience. Seventy percent of survey respondents said they have improved supply chain risk management. Still, 34% expect threats from third parties to affect them significantly in 2023, and 32% point to their software supply chain as a potential culprit.[4]
Best Practices in Mitigating MSP and Other Third-Party Risk
The U.K.’s National Cyber Security Centre (NCSC) recently singled out MSPs as representing a growing source of third-party cyber risk. The agency explained:
“Using an MSP is a security trade-off. You will gain the security benefits that come with using the MSP’s expertise, which will often include more cloud security expertise than you'll have been able to hire yourself. However, you almost always end up having to give the MSP administrative access to your data. This increases the attack surface, as there are now more systems that, if attacked, would compromise your data.”[5]
PwC offered best practices to consider when engaging an MSP or other third party, including:
- Vet any Partner with Whom You Share Data: “Data security and privacy are the Achilles’ heel of many organizations,” PwC said, yet only 43% of companies say they always vet third parties’ security arrangements.
- Invoke Zero Trust: Companies should apply the zero trust principle of least privilege to MSPs and other business partners, and immediately update privileges upon changes in administrative roles. Yet only 47% do so.
- Disable MSP Accounts That Are No Longer Managing Infrastructure: It seems like an obvious security risk, yet only 57% of companies say they always do this.
- Bind MSPs to Robust Disaster Recovery Requirements: This entails contractual arrangements followed by monitoring. But only 44% of companies require MSPs to include incident response and recovery plans that meet their own resilience and disaster recovery requirements.
- Enforce Multi-Factor Authentication (MFA): Implementing MFA for your employees makes sense, but what about third parties? While this is recommended, under half of the companies (46%) consistently go this far.
Other protective measures include extending your cybersecurity awareness programs to partners as well as staff and considering cyber insurance as a backstop.
The Bottom Line
There is no way to eliminate all the risks of attack that may stem from third-party/supply chain relationships. But there are best practices that companies can follow, including third-party risk management strategies, technology solutions, and managed services. While some companies are making progress in these areas, most still have far to go. Read how Mimecast’s integrated cybersecurity platform can help protect your company against third-party cyber risk.
[1] “WSJ Pro Research Survey: Third-Party Risk Management Results,” Wall Street Journal
[2] “2022 Data Breach Report,” Identity Theft Resource Center
[3] “CRA Study: Managing Third-Party Risk in the Era of Zero Trust,” CyberRisk Alliance
[4] “2023 Global Digital Trust Insights Report,” PwC
[5] “Threat Report 13th January 2023,” UK National Cyber Security Centre