Third-party vendor risk: protecting your company against cyber threats

As supply chains become more global and complex, managing cybersecurity risk requires extending information security perimeters to include third-party vendors. Careful management of service partnerships and interconnected systems can help prevent costly incidents.

In a world of ever-growing cybersecurity threats, it’s no longer enough to focus on your own company and its defenses and the fraudsters plotting to break through them. You also have to worry about the potential danger posed by third-party vendors in your supply chain. 

According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 62% of system intrusion incidents in the past year came through an organization’s partner.¹

“Compromising the right partner is a force multiplier for cybercriminals,” Verizon notes. In other words, it’s very efficient for them to compromise a supply chain vendor, because once that’s done, all the vendor’s clients are compromised too.

Forms of third-party risk

The danger associated with supply chain cyberattacks is often referred to as “third-party risk,” and there are two primary forms:

• Risk associated with service partnerships. Your company assumes additional cybersecurity risk when you use third parties to support or directly provide a service to your customers. Often such a partnership requires your business to share customer data with the third-party.
  The added risk of working with third-party providers is that you are no longer counting on just your company’s own defenses to protect your customer’s data. You are also relying on the defenses of those third parties.

• Risk associated with your interconnectedness with a supply chain partner or vendor. This is the risk that a third party, having access to your network, could unwittingly serve as an access point for a fraudster to compromise the network or data you have stored there.
  An example of this danger is the highly publicized data breach at retail giant Target Corp. in late 2013 that affected more than 41 million of the company’s customer payment card accounts.
  
  According to published reports, cyberattackers gained access to Target’s computer network through credentials stolen from one of the company’s heating and air conditioning vendors.
  The fraudsters breached the vendor’s network through malware delivered in an email. They stole the virtual private network credentials the vendor was using to remotely connect to Target’s network and used those credentials to gain access to Target’s customer service database.²

Effectively managing supply chain cyber security risk requires companies to extend their information security perimeters. Failure to do so, as Target and others have discovered, can lead to a range of consequences, from customer data breaches to account takeovers. Such events can cause operational disruptions; loss of data, including intellectual property; financial losses; and reputational damage. 

Evaluating a third-party’s policies and practices

To minimize third-party vendor risk, companies need to thoroughly review the information security policies and practices of their vendors before bringing them on and then at regular intervals.

Start by reviewing the vendor’s Service Organization Control 2 (SOC 2) report, an outside auditing firm’s evaluation of its controls. Make sure the vendor has implemented key security principles such as segregation of duties and “least privilege.”

The principle of least privilege limits individual users’ access rights to ensure only vendor employees who need it will have access to your data. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it.

Companies should also investigate to see if a vendor has any technical vulnerabilities. For instance, does its software have all the necessary, up-to-date patches? Are its security settings properly set, allowing it to defend against unauthorized access? And is any of the vendor’s technology at the end of its life or no longer supported by the supplier?

You should review higher-risk vendors at least once a year. Also, consider reviewing vendors with access to your company’s most sensitive data and core banking processes on site, where your staff member or a contracted auditor can witness whether the vendor is actually practicing the principles such as segregation of duties and least privilege that are attested to in the SOC 2 report.

Companies can also use third-party information security ratings providers to bolster their evaluations. These providers will review a vendor’s technology controls and provide a report with a score. Be sure to choose a provider that is commonly used by your industry.

Also include in your evaluations a review of the vendor’s financial health and stability. This can tell you if the vendor is well-positioned and a healthy company, and therefore more likely to invest appropriately in information security. 

Avoiding a supply chain attack

Here are four actions you can take to protect your company against supply chain cyberattacks: 

1. Stay informed. Keep abreast of news that might require you to take action to protect your systems and data from a supply chain attack. On June 3, 2022, for instance, software vendor Atlassian introduced software patches to address a critical security flaw affecting its popular Confluence server and data center products. By staying informed, users, including a number of U.S. federal agencies, were able to immediately block all internet traffic to and from the affected products and apply the patches.³

2. Use fewer vendors and evaluate each one more thoroughly. Using few vendors reduces the “attack surface” from your supply chain and thus your overall exposure to cyberattacks. It also makes it more manageable to conduct deeper and more effective security reviews. 

3. Limit and control third-party vendor access. This gets back to ensuring that your vendors practice the principle of least privilege. You only want vendors to have access to data relevant to the functions they provide on your behalf. The more access to data a third-party has, the greater the risk for a cyber incident.  

4. Identify and evaluate the controls of any fourth parties. Does your vendor contract with other parties that might have access to your network or data? For instance, you might have a company hosting your servers that subcontracts out to another company for database management. If that fourth party has connectivity with your systems or could potentially cause a disruption of your third-party vendor’s services, you need to subject that fourth party to a security review as well. 

5. Increase the cybersecurity awareness of your employees. Regardless of where attacks originate, it’s important that you have employees who are alert and educated about potential cyber threats. According to the 2022 Verizon report, between social engineering attacks, human errors and misuse of privilege, “the human element accounts for 82% of analyzed breaches over the past year.”1 Educating and training employees on how to spot and report issues can have a major impact on reducing the risk of a cyber incident. 

Addressing a huge and growing risk

The potential for supply chain cyberattacks is a huge and growing risk for companies. These days, all businesses are connected to the internet, and the threat has only been magnified as we’ve moved from local to global supply chains. 

As a result, it’s critical that all companies work to fully understand the risks they face related to third parties, have a complete list of all companies involved in any of their supply chain activities, and ensure they have the proper controls in place to protect themselves.

At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.