Advice to CISOs: It’s Time to Revisit Third-Party Risk

In 2019, attackers continued to target third parties, service providers, and supply chain partners with the intention of broadening the scale and impact of their attacks. Notable instances in 2019 included the following:

  • In November 2019, a cyberattack against Milwaukee-based technology provider Virtual Care Provider Inc. kept more than 100 senior living facilities from accessing patient records. The facilities also could not process payments or pay their employees. 
  • In October 2019, postal and e-commerce company Pitney Bowes was affected by a cyberattack and ransomware that disrupted mail services for several of its clients.
  • In September 2019, Airbus reported that attackers seeking commercial secrets attempted to breach four subcontractors in its global supply chain.
  • In August 2019, attackers compromised the payment portals of Click2Gov to steal credit card data from citizens in all 50 states and disrupt payment services. Cities and local governments use these portals for payment of utility bills, traffic tickets, and taxes.

Attackers have come to realize that service providers and business partners offer distinct opportunities to simplify and amplify the spread and potency of their attack campaigns. In the case of managed service providers, their staff may, for the sake of simplicity, use the same passwords or access methods to manage multiple client environments. A denial-of-service attack against a service provider can impact the business operations of multiple organizations, and a ransomware attack against a service provider can disrupt all of the provider’s clients and increase the pressure to extract a timely ransom payment. For organizations with critical supply chain partners, attackers will look for smaller companies that may not have the resources to invest in sophisticated cyber defenses, regardless of the sensitivity of the data they process or the security requirements in their contracts.

The trend to compromise service providers and supply chain partners will continue in 2020. CISOs should reconsider third-party risk as quickly as possible. Areas for deeper analysis follow:

  • Apply additional scrutiny to the security programs in place at business partners. For providers that process or have potential access to critical data, supplement questionnaires with on-site visits. Exercise the right-to-audit clauses in contracts.
  • Carefully consider discrepancies between a partner’s external audit reports, such as SSAE 18, SOC 2, and ISAE 3402, and what your organization actually observes of the partner’s security maturity.
  • Implement and enforce enhanced authentication and network segmentation for third-party access to enterprise networks.
  • Critically review all new requests for third-party relationships from a security perspective and implement frequent periodic reviews based on the sensitivity of the services provided or information processed. 
  • Review breach reporting responsibilities in contracts and consider asking critical business partners to join your incident response tabletop exercises.
  • Thoroughly document all noted shortcomings in third-party security activities during the life of the contract. This information can be used at contract renewal to modify or curtail future activities, or to support pricing discussions.
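The enhanced-authentication and network-segmentation point above is the one item in this list that can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it: it audits a constructed inventory of third-party accounts and a few constructed access-log lines for the weaknesses the article describes (no MFA on a vendor account, MFA not actually used at login, a vendor account reaching hosts outside its segmented enclave, and an account nobody has registered as a third party). All vendor names, account names, IP ranges and log lines are hypothetical; the log format is an assumption and should be replaced by whatever your VPN, jump host or identity provider actually emits.

```python
"""Audit third-party access against an MFA and segmentation policy.

Hypothetical example: vendor names, account names, IP ranges and log lines
are constructed for illustration and do not come from any real environment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRule:
    vendor: str
    mfa_required: bool        # enhanced authentication expected for this account
    allowed_networks: tuple   # CIDRs of the segmented enclave this vendor may reach


# Constructed policy: which third-party accounts exist and where they may go.
VENDOR_POLICY = {
    "svc-msp-backup":  VendorRule("Example MSP",     True,  ("10.50.0.0/24",)),
    "svc-billing-api": VendorRule("Example Biller",  True,  ("10.60.0.0/24",)),
    "svc-hvac-remote": VendorRule("Example HVAC Co", False, ("10.70.0.0/28",)),
}

# Constructed access log, one event per line (assumed format):
# timestamp account src_ip dst_ip dst_port mfa_used
SAMPLE_LOG = """\
2020-01-06T08:01:12Z svc-msp-backup 203.0.113.10 10.50.0.15 22 yes
2020-01-06T08:03:40Z svc-msp-backup 203.0.113.10 10.10.0.5 445 yes
2020-01-06T08:05:02Z svc-billing-api 198.51.100.7 10.60.0.20 443 no
2020-01-06T08:07:55Z svc-hvac-remote 192.0.2.33 10.70.0.4 3389 no
2020-01-06T08:09:13Z contractor-temp 192.0.2.40 10.10.0.9 3389 no
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, port, mfa = line.split()
        events.append({
            "ts": ts,
            "account": account,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "mfa": mfa.lower() == "yes",
        })
    return events


def audit_policy(policy):
    """Static findings: third-party accounts whose contract/policy does not
    require enhanced authentication at all."""
    return [{"type": "mfa_not_required", "account": acct}
            for acct, rule in policy.items() if not rule.mfa_required]


def audit_events(policy, events):
    """Dynamic findings: compare each observed access with the account's rule."""
    findings = []
    for ev in events:
        base = {"account": ev["account"], "ts": ev["ts"], "dst": str(ev["dst"])}
        rule = policy.get(ev["account"])
        if rule is None:
            # Access by an account that is not in the third-party inventory.
            findings.append({"type": "unknown_account", **base})
            continue
        if rule.mfa_required and not ev["mfa"]:
            # Policy says MFA, but the login happened without it.
            findings.append({"type": "mfa_bypassed", **base})
        enclave = [ipaddress.ip_network(n) for n in rule.allowed_networks]
        if not any(ev["dst"] in net for net in enclave):
            # Vendor reached a host outside its segmented enclave.
            findings.append({"type": "out_of_segment", **base})
    return findings


if __name__ == "__main__":
    for finding in audit_policy(VENDOR_POLICY) + audit_events(VENDOR_POLICY, parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the audit reports that the HVAC vendor's account is exempt from MFA, that the MSP backup account reached a host outside its enclave, that the billing account logged in without MFA, and that `contractor-temp` is not a registered third-party account; the HVAC login itself is clean because it stayed inside its /28. The static check is worth running on its own at contract review time, since it needs no logs.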

Now is the time to redouble efforts to assess third-party risk, as these relationships continue to be a vector for cyberattacks. Determine critical partners’ readiness to defend against and recover from ransomware and to alert your organization quickly about real and suspected breaches, and gauge their actual security maturity before their weaknesses become yours.