Do Cyber Risks Lurk in Your Business Ecosystem?

Digitally connected supply chains and partner ecosystems have brought immense value to modern businesses. However, the same digital connectivity that makes business ecosystems hum more efficiently also introduces a growing form of cyber risk: third-party cyber risk, to be exact.

If you aren’t already scrutinizing the security postures of third parties in your ecosystem (e.g., partners, vendors, suppliers), now is the time to start. Ponemon research found that, among organizations reporting a data breach within a 12-month period, 74% expressed that the breach had occurred because they had granted “too much privileged access” to third parties in their ecosystem¹.

What Happens in a Third-Party Data Breach?

Hackers are always thinking about new ways to enter their targets’ IT environments, always seeking out entryways that are poorly secured. In a third-party attack, threat actors penetrate the network of one party in a business ecosystem and then leverage that access to gain entry into the network of another—usually larger—business in that ecosystem.

In this way, threat actors take advantage of the weakest link in the ecosystem’s security, using that advantage to attack a more desirable target. If your business’ lax security makes you the weakest link, you place those in your ecosystem at risk. Similarly, if other parties in your ecosystem have lax security, they place your business at risk—even if your own cybersecurity is excellent.

Managing Cyber Risk in Your Business Ecosystem

To effectively manage cyber risk in our digital world, you need to evaluate not only your own cybersecurity posture but third parties’ as well. Unfortunately, 51% of businesses report that they do not evaluate third-party cyber risk². If your business needs to step up its third-party cyber risk assessment, the experts recommend hitting the following areas:

Avoid making assumptions about those in your business ecosystem.

Don’t assume shared attitudes toward security: Just because your company takes security seriously, try not to assume that third parties in your ecosystem share your concerns. Many businesses still fail to take cybersecurity as seriously as they should.
Don’t make assumptions about baseline security: Rather than assume third parties have solid security, go the extra step and verify that they do.

Communicate your security expectations to third parties.

Provide instructions on acceptable use of your data: As above, avoid assuming that third parties share your respect for data security. Some businesses just aren’t as careful as they should be. Convey your expectations to them in writing.
Specify security practices you require: Similarly, put together a list of required security practices (see below for examples) and provide this list in writing to third parties in your ecosystem.

Conduct risk assessment to verify third party’s security practices. Experts recommend the following:

Multifactor authentication (MFA): This requires at least two forms of identity verification for login, which effectively stymies unauthorized logins using compromised credentials.
Email/DNS protection: This helps to defend against spammers, phishing, spoofing, and other types of malicious communications.
Managed detection & response (MDR): MDR services allow a business to delegate management of specific security practices to a qualified provider.
Penetration testing: This is an authorized, simulated attack on a company’s IT systems, which helps it to identify existing vulnerabilities.
Least-privilege access: Upholding a key principle of zero-trust security, least-privilege access grants users only the level of network access they require, and no more.
Patch management: This practice ensures that any identified vulnerabilities in software are addressed in a timely manner.
Security awareness training: This gives employees the information they need to identify and respond appropriately to potential threats.
Network segmentation: This divides a network into separate sub-networks, allowing third parties to secure entire segments from users who have no need for access.
Backups with multiple, tested copies: This is a well-known and vital safeguard against data loss.
Security policies: Third parties should have clearly defined policies relating to data privacy and security, as well as security procedures for departing employees.
Password requirements: Password complexity and changing requirements strengthen a network against password-related attacks like brute force, password spraying, and credentials theft.
Incident response plan: This demonstrates that a third party is prepared for an organized and effective response should a cyber event occur.
Cyber insurance: Such policies help to cover costs related to cyber incidents and indicate that a third party is paying attention to cyber risk management.

NexusTek supports businesses to develop third-party cyber risk management policies through Virtual CIO (vCIO) consultation and to build strong cyber defenses that protect others in their ecosystem.

Would you like to speak to a cybersecurity expert about managing third-party cyber risk?

References:

Coble, S. (2021, May 4). Third parties caused data breaches at 51% of organizations. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/third-parties-breaches-at-51-of/
Security. (2021, May 7). 51% of organizations have experienced a data breach caused by a third party. https://www.securitymagazine.com/articles/95143-of-organizations-have-experienced-a-data-breach-caused-by-a-third-party

The Key to a Secure and Efficient Hybrid Workforce

The State of AI for Businesses: Top Strategies and Risk Concerns

Cyber Risk & Your Supply Chain: Managing the Growing Threat