Third-Party network: Your friendly Dark Web?

April 20, 2021
Third parties accounted for over half of all data breaches in the U.S. in 2019 alone
Imagine waking up to an email from your employer stating that “while their systems remain unaffected, some of your personal data such as names, addresses, social security numbers, driver’s license numbers, bank account numbers, dates of birth, and passport numbers may have been exposed due to a cyberattack on the company’s third-party service provider”. This is precisely what happened to several past and present employees of General Electric (GE). In this case, hackers obtained the credentials for a corporate email account at GE’s third-party service provider, Canon Business Process Services, which had unsupervised access to sensitive data. With those credentials, the attacker gained access to everything the Canon employee had, without any security compromise at GE’s end. This is just one of many examples. Third parties accounted for over half of all data breaches in the U.S. in 2019 alone and are becoming increasingly popular as a path of least resistance for threat actors, accounting for 16% of malicious breaches.

While organizations are beginning to secure their perimeter and remote-working environments, the cyber risk postures of their third- and ‘nth’-party vendors remain vague. The typical enterprise has an average of 5,800 third parties, and with that many vendors in its network, securing the nth party becomes cumbersome. While 34% of organizations keep a comprehensive inventory of direct third parties, the figure slips to a mere 15% for nth parties.

Third-Party Risk Management (TPRM) has traditionally been performed through questionnaires during onboarding, and despite digitization and cloud migration, 82% of organizations still use spreadsheets to log, assess, and manage third parties. This process is neither quick nor efficient, nor is it fully transparent. The answer to these hurdles came in the form of a second wave of TPRM: automated outside-in assessments. Businesses were quick to adopt these solutions to take advantage of their obvious efficiency. However, even this method of TPRM viewed third-party risk through tinted glass and was not as detailed as required. For instance, third parties are likely to withhold security information unless it is contractually required, and what they leave out may include critical data.

Take a science museum: it doesn’t hand out 600-page studies to prove electricity exists; it demonstrates it and lets you infer from the demonstration. Similarly, TPRM cannot be based on spreadsheets and reports that (almost) no one reads. Instead, businesses need to move towards an all-in-one program: one that runs in real time, is self-explanatory and is unified.

TPRM Requires a New Wave of Imagination

Most organizations secure only their top 15% of risky vendors; however, cyberattackers aren’t approaching businesses through these vendors. Today, assessing just your direct third-party contractors is no longer sufficient. Businesses will have to evolve to gain visibility into their nth-party ecosystem, consistently monitoring their SaaS applications as well as the individual risk postures and independent policies that govern subsets of their own business.

One-time questionnaire assessments are time-consuming, but real-time monitoring comes with its own set of challenges. How does one simplify the mountain of data generated by the web of third-party networks? Their risk needs to be represented in a jargon-free, readily inferable form, not only for the benefit of the security team but also so that the executive committee can understand the actual business risk stemming from vendor dependencies. Risks are simplest to understand when they are scored against one another. Leveraging security services that allow businesses to rank or score their nth-party vendors’ total risk not only identifies their most (and least) risky partners but also prioritizes actions.

Given that today’s average third-party breach costs twice as much as a regular breach, it is imperative to know and measure risk through an objective and consistent metric. With data breaches becoming more commonplace, customers need to be more alert about how and where their data is stored and who has access to it. In fact, a study by Ping Identity revealed that 78% of consumers would not associate with a business that has been breached before. Put simply, the ideal flow of third- (or nth-) party assessment would begin with a formal evaluation and written report, supplemented with security rating services, a real-time evaluation of the documentation and a completed questionnaire, ensuring 360-degree coverage.

Since everyone’s responsibility becomes no one’s responsibility, enterprises must act accordingly to sleep peacefully. With an uber-connected network within your business, is it really worth having an unmonitored web of nth-party partners who are (un)knowingly leaking your and your customers’ data, creating a “friendly dark web”?

About the author: Vidit Baxi is the Co-Founder and CISO at Safe Security. Baxi is responsible for leading customer success at the company, ensuring Safe Security follows the necessary cybersecurity guidelines and compliance requirements, and leading multiple product functions. With over 9 years of experience, he is also key in driving Lucideus’ enterprise and product journey forward. Vidit has been featured by Fortune in their 40-under-40 twice and was awarded Entrepreneur of the Year (2019) by Entrepreneur Magazine.