Third-party breaches have become an epidemic as cybercriminals target the weakest link. Organizations such as BestBuy, Sears, Delta and even NYU Medical Center are just a few that have felt the impact of cyberattacks through third-party vendors.
The fallout from these breaches can be costly, as the average enterprise pays $1.23 million per incident, up 24 percent from $992,000 in 2017 according to Kaspersky Lab. The same report also notes that SMBs spend $120,000; an increase of 36 percent from last year.
With a spike in cyberattacks directly targeting supply chains across the globe, the problem stems from several issues: all of them involve some type of necessary sharing, from shared credentials to shared infrastructure.
Weakest Link No. 1: Shared Credentials
Look no further than the Target breach to see how terribly things can go wrong when businesses share their credentials with third-party vendors, especially with companies that seem benign: Target’s breach was reportedly through an air conditioning vendor. When a company shares sensitive credentials with a supplier, the door is left wide open to potential attacks. It should also be noted that most companies–even smaller ones–work with anywhere from several to thousands of vendors, increasing the risk exponentially. This situation dictates that companies must ensure that a rigorous vetting process is put in place before sharing credentials.
Weakest Link No. 2: Shared Data
Shared data can be another key weakness. Companies share highly sensitive and private content with vendors, including customer data, which is unavoidable. These vendors may also share data with many more whose cyber security posture is not known. Case in point: The Experian breach ended up exposing millions of Americans’ personal data, but it also exposed 15 million customers’ data who applied for the T-Mobile service. While Experian was the primary target, T-Mobile suffered a huge loss as well.
Weakest Link No. 3: Shared Code or Applications
Ticketmaster made this mistake with Inbenta Technologies, a third-party supplier hosting a Ticketmaster customer support product. As part of this process, Ticketmaster received customized JavaScript code, which a hacker gained access to through Inbenta and then modified the code to be malicious. Every single piece of code or application that a company shares with a supplier means exposure to another potential attack.
Weak Link No. 4: Shared Network
Connecting with other companies can be a boon for business, but this particular type of collaboration is also rife with risk. Imagine a scenario in which WannaCry ransomware is able to run rampant from company to company all around the world. For those IT teams that have no choice but to use these types of connections, it is absolutely essential to downsize the number of vendors that share a connection, create tighter permissions and monitor them on an ongoing basis.
Weakest Link No. 5: Shared Infrastructure
Problems with shared infrastructure can quickly cause a direct blow to businesses by halting continuity. For example, if the vendor supplying retail infrastructure suddenly drops or the service goes down, the company is instantly left without a way to handle transactions. And just like that, customers are forced to head to a competitor. Medical processing services are another example; the service goes down and, without warning, the doctors have a difficult time doing their jobs because their patient information is temporarily inaccessible, as we saw in a recent incident at MEDAntex.
Mitigating Risks with Suppliers
The first step in reducing security risks associated with third-party vendors is to hammer out a digital vendor risk management plan that includes rules, procedures and a rigorous vetting process. The vetting process has to go far beyond a mere questionnaire; it must also include the context and level of risk of business relationships. Automation is key for these processes so that companies are able to scale to manage hundreds and thousands of vendors on a daily basis.
An outside reporting company should be employed to continuously monitor the cyber posture of any third-party vendor and ensure it’s on par with the security risk level that the evaluating organization accepts. There should also be a way to alert the evaluating organization of infractions, so that they can easily work with vendors to correct and improve their security posture. With these processes in place, the whole digital ecosystem could be improved significantly.
(Matan Or-El is co-founder and CEO at Panorays, a firm that automates third party security management. He started Panorays with the goal of improving the industry’s cyber-resilience. Matan served in the Israeli Air Force as chief architect responsible for mission-critical defense systems. Later, he worked at Imperva leading the infrastructure for all of Imperva’s products portfolio.)