The convenience of the digital age is a two-edged sword. On the one hand, increased connectedness is a clear advantage. On the other hand, widespread assets give you less visibility into the security posture of each. It’s a “can’t live with it, can’t live without it” type of scenario that companies will have to deal with. Third-party vendor risk poses a critical threat, and those that evolve to come through it are the ones who understand it inside and out.
The risk of third-party vendors
To understand the trend, let’s start back a few years ago. Supply chain attacks experienced a 300% increase in 2021, and Forrester predicted that 2022 would see 6 out of 10 security incidents stemming from third parties.
An international KPMG study revealed that nearly three out of four respondents had experienced at least one significant disruption caused by a third party in the past three years. Not surprisingly, per the same study, the number of businesses that will vet all third parties for risk will rise to one out of three by 2025. And an Intel471 threat intelligence report puts the number of organizations that have experienced a third-party-driven data breach at over half (51%).
Another trouble is that the definition of ‘third party’ is broader than most companies may think. As Forrester Senior Analyst Alla Valente commented, in the wake of Log4j, companies were reminded afresh that “open-source software is third-party software.” Open-source code is widely used by newer, cloud-native companies, and these savvy startups find their way into the software supply chain or act as hubs within it. Latent open-source bugs can thus be shipped inside the new software, a gap in the chain that nobody vetted.
“Third parties are critical for your business to achieve its goals, and each third party is a conduit for breach and an attack vector. Therefore, if your third parties cannot perform due to a cyberattack, incident, or operational disruption, it will impact your business,” expounded Valente. “It’s a huge concern as companies can’t just stop working with third parties.”
She noted that many businesses switched from ‘just-in-time’ efficiency to ‘just-in-case’ resilience post-pandemic. To this end, companies took on a slew of third-party vendors to achieve those goals. Now, those emergency-mode decisions are backfiring.
Third parties always present a security risk, as their individual security habits are a mystery. Do they mesh with yours? Are they up to the same standards? And if they aren’t, how can we know it?
There are ways to stay out of the third-party danger zone. This brand of security best practice may require more due diligence than some companies are used to, but the alternative is equivalent to carrying around a ticking time bomb.
Nested under Third-Party Cyber Risk Management (TPRM), several key best practices exist for mitigating third-party risk.
- Frequently review third-party management policies | Per the same report, less than half (43%) performed this step with regularity. Automating third-party management policies is a helpful way to keep on top of this.
- Learn from third-party breaches | What caused them? What was learned from that? How will the company prevent such attacks in the future? These are the crucial questions that redeem the disaster of an attack and turn it into a worthwhile
- Improve visibility through SOC reports | In a recent PwC 2022 Global Digital Trust Survey, 75% of executives said their organizations are overly complex, leading to associated cybersecurity risks. Only one in three said their Nth-party understanding came from an enterprise-wide assessment; the rest were limited, ad hoc, or non-existent. Requesting a System and Organization Controls (SOC) report can provide transparency into the control environment of third parties, including where Nth parties are used.
- Capitalize on automation | However you approach it, keeping track of Nth-degree partners will be more sustainable with automated processes in play. In addition to preventing misconfiguration, an automated security policy can “consolidate all relevant information to enable easier understanding and even alert companies about emerging risks.”
- Follow the principle of least privilege | Where possible, maintain granular access controls over what information ends up in which hands. Per one industry study, of the 44% who had experienced an attack within the past year, nearly three in four said it was due to giving third parties too much information.
The ZeroFox approach
Knowing that unknown third parties bring inherent risk is enough to make many companies simply refuse to come out and play. However, Gartner notes that organizations that play it safe and refuse to expand their ecosystem “will likely be overtaken by organizations that boldly decide to seize the value of third-party relationships.” It’s do or die, but ‘do’ requires vast knowledge, critical oversight, and diligence.
That’s where ZeroFox comes in.
Forrester’s Alla Valente states, “Investment in TPRM technology is high.” At ZeroFox, TPRM means embedding third-party intelligence into your strategy and overseeing all partner risks with one centralized platform. Third-party intelligence consists of the following:
- Periodic risk assessment
- Review of emerging attack plans in the criminal underground against your organization or its affiliates
- Detection and monitoring across the entire digital supply chain
- Evidence of a data exposure
- Disruption of attacker infrastructure, ultimately preventing attacks
ZeroFox leverages ‘the world’s only historically complete threat data lake with attacker campaigns and infrastructure history’ to produce bespoke security requirements for your organization. By combining AI processing, dark ops agents, and deep learning tools, ZeroFox can sift through datasets across the surface, deep, and dark web.
This in-depth visibility extends beyond your own network and into the liable networks of your third and Nth parties, providing a more complete picture of your total risk burden as you take on partners and suppliers across the globe. And it presents this picture in a complete external cybersecurity solution that not only provides threat intel but protection, disruption, and response.
The ZeroFox Platform unifies asset discovery, digital risk protection, full-spectrum threat intelligence, security policy and analysis, alert notification/workflow, adversary disruption, and reporting, consolidating all elements of your TPRM program into one comprehensive system.
Keeping up with expanding business goals shouldn’t mean falling behind in security. With ZeroFox, it never will.