According to a Ponemon study, 59% of the surveyed companies had experienced a data breach due to their third-party vendors. While data breaches can be caused by several sources, those that involve a third-party have been found to increase the total cost of a data breach by approximately $370,000. And considering that data breaches affect an organization’s reputation, revenue, and compliance, third-party vendor risk management can no longer be an afterthought.
Given the level of access most vendors have to an organization’s network, traditional risk management frameworks fall short. Traditional strategies focus on vetting vendors, having a robust onboarding process, and periodic assessments. However, a rapidly evolving cyber threat landscape renders these assessments and findings obsolete, within a few days or weeks.
The failure of traditional vendor risk management is evident in the several high-profile breaches. Starting with the Target breach in 2013, to the recent Facebook and Airbus breaches, they were all traced back their respective third-party vendors. So, this calls for a more dynamic vendor risk management approach, which covers a wide range of vendor related risks.
In this article, we explore:
- Risks associated with third-party vendors
- Common pitfalls in traditional vendor risk management strategies
- Ways to upgrade your vendor risk management, and effectively reduce associated risks
Risks associated with third-party vendors
Outsourcing is an integral part of most businesses because they provide:
- Flexibility: Offering a dynamic workforce and adaptable operations.
- Scalability: Reaching new markets and serving more customers.
- Expertise: Catering to different sectors and industries.
- Cost cutting: Saving on infrastructure and operational costs.
For these reasons, outsourcing is here to stay. However, as vendors and organizations become more interconnected, the cybersecurity risks also multiply. Vendors serve as an entry point for threat actors to make their way into a company’s networks by:
Exploiting vulnerabilities in a vendor’s systems
While a business has control over patching and updating their assets, they cannot monitor a vendor’s systems, and ensure they do the same.
Ticketmaster’s data breach was due to a vulnerability in their vendor’s system:
A data breach at Ticketmaster, an American ticket sales and distribution company, was traced back to Inbenta, a third-party, which powers Ticketmaster’s customer support agent. Inbenta was one of the 800 victims targeted by Magecart’s digital credit card skimming campaign. An attacker targeted Inbenta’s front-end servers, where they stored code libraries used by Ticketmaster. Then, by exploiting a number of vulnerabilities, the attacker modified the code to steal customer data.
Using network/ system credentials exposed by vendors
Vendors usually need remote access to a company’s systems in order to access data and applications, or to carry out maintenance activities. And vendors could leave your network credentials exposed, or threat actors could compromise a vendor’s network to steal the credentials. This is especially damaging, if there is no proper network segmentation, giving the threat actor unbridled access to the company.
Threat actors used stolen vendor credentials to access Target’s PoS network
In one of the first major breaches, threats actors uploaded BlackPOS to Target’s point-of-sale (PoS) network, allowing them to steal credit card information and other personal details. It was later found that threat actors were able to compromise Target servers using credentials stolen from Fazio Mechanical Services. Fazio, Target’s HVAC vendor, had access to Target servers. And due to improper network segmentation, threat actors were able to compromise Target’s PoS network.
Using source code leaked by vendors
Most companies keep their source code confidential. So, unlike open-source software, the public cannot view or modify their source code. Leaked source code usually finds its way to dark web sites, where the code will be available to hackers even after it has been taken down from the original location. Hackers then use the source code to find vulnerabilities that can be exploited to launch cyber-attacks on the company and its customers.
Partners leaked the source code of Team Fortress 2 and CS:GO source codes
Team Fortress 2 and Counter-Strike: Global Offensive (CS:GO) source codes were found online and then uploaded to torrent sites. CS:GO confirmed that the code was originally shared with their partners in 2017, and was subsequently leaked. And despite reassurances that the leak doesn’t affect current players, several screenshots and videos made the rounds, purporting to be Remote Code Execution (RCE) exploits based on the leaked code. Thus, impacting the games’ reputations.
Sensitive information exposed by vendors
In the recent past, there have been several cases of vendors exposing Amazon storage buckets and databases that can be accessed over the internet. This gives threat actors easy access to sensitive information, which they then sell on the dark web, to the highest bidder.
Vendors exposed 540 million Facebook users’ records
Mexico based digital media company Cultura Colectiva exposed 146 GB of Facebook user data, including comments, likes, account names, reactions, and Facebook IDs, on an unsecured Amazon S3 bucket. Another S3 bucket, belonging to Facebook integrated app At The Pool, exposed 22,000 Facebook users’ friend lists, interests, photos, group memberships, and check-ins.
Common pitfalls in traditional vendor risk management strategies
While traditional vendor risk management frameworks are a good starting point, there are a few areas they need to address to be effective in a hyper-connected world. Dynamic third-party risk management should:
Address fourth/ nth party vendors
A 2019 survey found that only 2% of organizations identify and monitor all their subcontractors. And 8% of organizations monitor subcontractors only for critical infrastructure and IT. The remaining 90% said they lacked the required skills to monitor fourth/ nth parties.
Adapt to a constantly evolving cyberthreat landscape
Organizations generally perform vendor risk assessments, at the time of onboarding, and at regular intervals thereafter. During the intervals between assessments, new vulnerabilities, exploits and, malware and ransomware strains show up. Ans assessment don’t account for these unknowns.
Leverage automation and technology
Standard vendor risk management frameworks don’t offer a common, integrated platform that tracks the end to end process from risk identification and prioritization to issue tracking and mitigation. It also doesn’t provide actionable intelligence, which organizations can leverage, to make better cybersecurity decisions.
Ways to upgrade your vendor risk management, and effectively reduce associated risks
Companies need to upgrade their standard vendor risk management process, to ensure their vendors are not putting their data and network at risk. Organizations can do this by incorporating a few effective tools and processes such as:
Updating contractual standards
Update contracts to account for new regulatory and data privacy requirements. And ensure your vendor is obligated to disclose risks and data breaches in a timely manner. It would also help to have defined processes to mitigate risks and to respond to data breaches.
Focusing on nth party risk management
Ensure you have complete visibility of your vendor’s vendors. Determine if the products and services are provided directly by the vendor or by a subcontractor. And have contractual agreements with vendors that mandate such disclosures.
Continuous vendor risk monitoring
Incorporate processes and tools that ensure vendor related risks are monitored even between regular assessments. This includes real-time monitoring of the surface web, deep web, and dark web, for source code, sensitive information, and credentials. An IBM study found that the Mean-time-to-identify (MTTI) a breach is 197 days. It is during this interval that a comprehensive SaaS platform such as CloudSEK’s XVigil, will help. XVigil’s AI-driven engine scours the internet for threats related to your organization, prioritizes it by severity, and provides real time alerts. Thus, giving you enough time to mitigate the threats, before it can have adverse impacts on your business.