Third-Party Risk Management: Every Organization’s Biggest Threat

Published May 13, 2024
by Jordan Hickam

Unfortunately, when hackers and cybercriminals can’t go straight to the source and infiltrate their targets’ networks and systems directly, that often isn’t the end of the attack effort. Malicious actors increasingly target the weakest and most vulnerable points of organizations’ supply chains, uncovering entry points through third-party service providers. While organizations are right to prioritize their internal cybersecurity efforts, failing to give third-party risk management the same attention can lead to disastrous results.

Notable Third-Party Cyber Incidents

Reuters reported a notable attack in 2021 that they claimed had “set off a race to hack service providers.” Kaseya, a company that provides software for managed service providers (MSPs), experienced a ransomware attack leveraging a vulnerability in its VSA software. The attackers, associated with the REvil ransomware group, exploited this vulnerability to distribute ransomware to Kaseya’s customers and clients. The attack impacted approximately 1,500 businesses worldwide, including many small businesses that relied on MSPs using Kaseya’s software for IT management. 

In one of the farthest-reaching breaches on record, a cybercrime gang abused a zero-day exploit on Progress Software’s popular file transfer service MOVEit Transfer. Even though a patch was released the same day, the attack affected more than 2,000 organizations and more than 62 million individuals. Nearly 1,700 of the 2,098 known victim organizations were compromised through third parties rather than directly as part of the MOVEit campaign, including private companies, U.S. government agencies, healthcare providers, and more.

In one of 2023’s most notable ransomware attacks, MGM Resorts and Caesars Entertainment had operations disrupted so severely that the attack caused a $100 million hit to the companies’ quarterly results. The incident stemmed partly from social engineering efforts focused on third parties with privileged remote access to the hotel and casino environments.

Third-Party Risk Awareness Is Up, But Breaches Are Still Too Widespread

According to Prevalent’s 2023 Third-Party Risk Management Study, 71 percent of respondents ranked a data breach or security incident due to poor vendor security practices as their chief third-party risk concern. Awareness appears to have reached an all-time high, with only 4 percent of companies reporting that they didn’t monitor third-party breaches. At the same time, 41 percent of respondents reported experiencing a breach or similar security incident with a tangible impact in the past 12 months.

Third-Party Risk Assessments Reduce Cyber Risk

Effectively managing third-party risk throughout an organization’s extended supply chain and vendor relationships can be difficult, especially for larger organizations with hundreds to thousands of vendors. However, organizations can proactively seek out potential risks and better prepare for incoming cyber incidents by conducting regular third-party risk assessments and vendor evaluations. The following stages of a vendor relationship are good times to perform third-party risk assessments:

  • The initial sourcing and selection phase of the third-party provider. Ask questions regarding the provider’s cybersecurity commitments and require third parties to provide statements and proof of security measures, such as their FedRAMP, StateRAMP, or SOC 2 certifications.
  • The onboarding period before granting access to network systems or other sensitive data. Consider it due diligence and a final onboarding precaution to perform a third-party risk assessment before the third party can access your organization’s assets.
  • Performance reviews or ongoing audits. Based on your organization’s risk tolerance, third-party risk assessments should become a regular part of your vendor check-in routines during performance reviews or ongoing audits. Periodically reexamining third-party relationships is a wise practice for confirming adherence to service-level agreements and contract requirements. Regularly assessing a provider’s ongoing compliance and potential for risks helps keep both organizations sharply attuned to emerging or potential threats.
  • The offboarding process. Outgoing risk assessments are critical in ensuring that third parties’ privileged access is sufficiently terminated and that all data has been securely returned or disposed of during offboarding. In Prevalent’s recent third-party risk management study, the offboarding and termination stage of the third-party relationship lifecycle has the lowest percentage of companies tracking (47 percent) and remediating (38 percent) risk, along with the highest percentage (39 percent) doing nothing at all. Unfortunately, “out of sight, out of mind” doesn’t always apply to expired third-party vendor relationships. If access privileges aren’t completely wiped or sensitive data is not disposed of properly, prior provider relationships can come back to haunt organizations.
  • Post-incident. Assessing third-party risks after an incident helps determine a breach’s full scope and potential impact. This assessment can help you implement more stringent security measures, revise protocols for third-party engagement, and ensure that similar vulnerabilities are addressed to prevent future incidents.

Establishing a standardized process to consistently monitor, manage, and mitigate potential third-party risks is important. Viewing all existing and potential vendor relationships through structured processes and standardized questionnaires can help organizations make smarter risk-based decisions with all third parties.

Get Help for Managing Risk in RAMPxchange

Navigating the third-party vendor risk lifecycle can be a challenge, especially for growing organizations reliant on external providers’ services to scale and maintain operations. Risk assessments must be efficient with minimal disruptions, making managed service providers or other third-party risk analysis solutions popular options. 

The RAMPxchange marketplace gives organizations a trusted source and resource for connecting with highly rated providers and third parties wholly committed to strong, risk-free cybersecurity. Reach out to a RAMPxchange representative today to join and learn more about the potential partners who can help manage your organization’s third-party risks.