It is reasonable to assume that businesses of all sizes are making greater investments to protect their internal systems and data. But sometimes those investments are made under the false assumption that vendors up and down the supply chain are making similar investments. What if they are not? If a vendor's security lags, the organization's third-party risk rises substantially, no matter how much it has spent on its own defenses.
A widely cited figure holds that 98% of all business organizations have a relationship with a third party that has reported being breached within the last year. That is an astounding number. The big question is, why? Why are vendors so vulnerable?
DarkOwl is a leading provider of threat intelligence data and software tools. The company’s third-party risk mitigation strategies include darknet intelligence that supports vendors and customers alike. They offer the following possible explanations:
1. Security Disparities
In all likelihood, a major problem between organizations and their vendors is security disparity. An organization might invest substantial amounts of time and money in beefing up security. Yet a vendor somewhere down the line does not follow suit. It doesn't take long before that vendor's security posture is significantly weaker than that of the organization above it.
This is a common problem when major enterprises do business with multiple small and midsized vendors. Vendors easily become the weakest links in the cybersecurity chain.
2. A Larger Attack Surface
Common sense dictates that every vendor added to the supply chain increases the attack surface. Therefore, third-party risk grows with the number of vendors in the chain. This becomes problematic when the weakest vendor in the supply chain is breached. A single breach at that vendor can hand attackers a foothold, such as valid credentials, a trusted network connection or a signed software update, from which to reach other organizations in the chain.
Threat actors know this, which is why they may target smaller vendors as a stepping stone toward eventually breaching larger enterprises. Third-party risk assessments always need to account for this reality.
3. Interconnectivity
Modern business is interconnected across the globe. Interconnectivity creates a highly integrated ecosystem through which third-party vendors provide a range of managed services. We essentially have a complex web of entry points that open the door to lateral movement from one network into another.
The more complex the web, the more entry points threat actors have access to. Complex webs make supply chains exceptionally vulnerable. Unfortunately, we have reached the point at which untangling that web is nearly impossible.
4. Poor Third-Party Risk Management
It is incumbent upon enterprises to address third-party risk on an ongoing basis. Unfortunately, poor risk management is par for the course. Enterprises fail to effectively monitor the security postures of their vendors down the line. And in some cases, organizations simply don’t have the resources to invest in robust risk management solutions.
Note that a companion issue here is data access and integration. In most cases it is unavoidable that vendors need access to data and systems. But failing to manage that access, by granting it more broadly than the job requires, never reviewing it and never revoking it when the engagement ends, opens the door to trouble.
5. An Evolving Threat Landscape
Finally, a constantly evolving threat landscape never makes third-party risk management any easier. As quickly as companies like DarkOwl come up with risk mitigation strategies, cybercriminals are already working on new techniques of their own.
The criminal element is constantly developing new attack vectors and finding new targets. Companies like DarkOwl monitor darknet activities, but threat actors monitor their targets' activities as well. It is a cat-and-mouse game that never ends. The winner of each round tends to be the entity that best keeps up with a rapid pace of technological change.
Third-party risk is a reality of modern business. But organizations don't have to sit by and allow themselves to be targeted. A proper understanding of the landscape and a willingness to do what is necessary can make supply chains considerably safer.