3 Reasons Why Third-party Cyber Risk Assessment is so Critical
“In my opinion, third-party risk is the biggest risk facing organizations right now. Most businesses simply don’t have the capacity to do their due diligence on third-parties, and it only takes one bad apple in the supply chain to create huge risks.”
Charles Denyer, co-founder of the National Security Association and advisor to corporations and government on cyber security issues, believes that corporations are not paying attention to the risks inherent in connecting third-party suppliers and partners to their network security infrastructure. Third-party cyber risk can be described as the imminent threat of a cyber attack on a business that arrives through a third-party company, often a supplier or partner, whose network infrastructure is legitimately connected to the primary business but is itself vulnerable to attack.
These third-party businesses tend to be less prepared to defend against sophisticated cyber attackers, who are merely using them as a means to steal the data of much larger and more lucrative targets. Furthermore, since 2017, the instances of attacks on small businesses have increased by 424%.
It has never been more critical to understand why these third parties represent such significant risk to corporations.
1. Businesses are more likely to be attacked through a third-party supplier
A watershed moment for global corporations occurred in 2013, when retail giant Target was hacked via a tiny 3-person heating and ventilation company attached to Target’s network. Over 40 million credit cards were stolen, with damages totalling over $162 Million USD. In that case, network credentials were stolen from the vendor, a tiny Pennsylvania company – Fazio Mechanical Services – that had worked for other big-name brands including Trader Joe’s and Whole Foods at locations in 5 states.
Since then, the corporate world seems to have taken more notice of the inherent risks in allowing small companies to access the corporate networks of larger organizations. However, seven years on, most businesses continue to fail to identify and prepare for the risks associated with those connections. According to Gartner, the average corporation contracts with 5,000 third parties, and 44% of corporations have experienced a significant data breach through a vendor. Graham Cluley writes in Tripwire that industry giant GE experienced a significant theft of employee data in 2020 (including birth certificates, passports, driver’s licenses, and medical information), which was stolen from Canon Business Process Services via a poorly secured Canon email account.
Writing for Panorays, Yaffa Klugerman says: “A combination of supply chain complexity, increased cloud storage, new data privacy regulations, remote work and rising cyberattacks have created the perfect storm for third-party cyber risk—and the numbers bear this out.”
- SecureLink’s 2020 report on third-party security indicates that 51% of organizations experienced a third-party data breach after overlooking external access privileges.
- 74% of organizations breached within the last 12 months said the exposure originated from granting too much privileged access to third parties.
- 68% of security professionals believe they are not prepared for a cyber attack on their supply chain.
- 57% of organizations surveyed don’t have an inventory of all third parties with whom they share information, and only 17% of respondents feel they’re highly effective at mitigating third-party risks.
Not only are these attacks increasing in frequency, economic impact and volume of data stolen, but small businesses remain far less likely to be able to fend off such an attack, and CISOs may not be paying close enough attention to the risk.
2. Third parties are less likely to be prepared for an attack
Smaller third-party suppliers to big businesses often lack the resources needed to maintain the security infrastructure required to prepare for – and defend against – a cyber attack. As a result, their network connections to their large corporate clients introduce significant vulnerabilities to those clients’ data. And the weakness is not always in network security. In 2020, burglars stole a laptop from a small contractor to healthcare organization Health Share of Oregon. As a result, over 650,000 patient records were taken.
While awareness is growing, even corporations that believe they have properly vetted their small suppliers’ security infrastructure fail to implement ongoing procedures to monitor and review those vendors’ preparedness.
“Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews,” said Forrester Security Analyst Steve Turner in ZDNet. “These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture.”
The statistics are sobering. Maddie Shepherd from Fundera lists:
- 43% of cyber attacks target small businesses.
- 3 out of 4 small businesses say they don’t have the personnel to address IT security.
- 54% of small businesses don’t have a plan in place for reacting to cyber attacks.
Perhaps most alarming of all, 60% of small businesses that are victims of a cyber attack go out of business within six months, impacting not only their employees and investors, but the supply chain of the corporations they serve.
3. Corporate attacks via small third-party suppliers present significant financial and reputational risk to enterprises
Target’s 2013 breach, which impacted 41 million consumers, ended up costing the company $18.5 Million. The Ponemon Institute and IBM published a report showing that the average cost of a data breach is $3.92 Million. However, when the breach occurs as a result of a third party, the average cost increases to over $4.29 Million. Even when the breach occurs through a third party, corporations can be held responsible for all customer records exposed or data lost. Legal battles and investigations are costly, and corporations can be exposed to class action lawsuits as well.
Major costly breaches and fines have been occurring for many years:
- Capital One (2018) – $80 Million (civil penalty)
- Chubb (2020) – $20 Million
- American Medical Collection Agency (2018-19) – $4.2 Million, and filed for Chapter 11
- Morgan Stanley (2020) – $60 Million fine imposed for lack of appropriate systems
And it’s not just about the hard costs incurred by corporations before and after the fact. In 2019, Forbes reported that a data breach can lower a company’s share price by an average of 7%. Target’s share price has still not recovered from the massive hit it took after the 2013 breach. Consumers will readily stop doing business with a company if a data breach occurs: a recent PricewaterhouseCoopers study indicated that 87% of consumers said they would stop patronizing a business in the event of a breach.
Executives are taking notice, and they understand the risks. Deloitte surveyed 400 CEOs and board members to determine how they prioritize investments based on a given area of risk. 41% of respondents indicated that “security, including physical and cyber breaches” was the greatest threat to the corporation’s reputation.
Given how rapidly cyber attacks are growing in sophistication, frequency and number, it’s widely accepted that corporations will never be able to fully and permanently protect their assets against cyber attack. The frightening vulnerabilities exposed by ongoing and escalating third-party attacks show that the problem isn’t going away anytime soon. Considering the huge number of third-party companies that supply services to corporations, and the vast array of security vulnerabilities they represent, Chief Information Security Officers (CISOs) need to find ways to prioritize the analysis and remediation of the most pressing concerns. Rather than just another security scorecard, they need the means to organize and