Data breaches and cyberattacks via third parties and supply chain partners are on the rise. Alarmingly, there has been a 300% increase in data breaches via third parties, representing a staggering 25% share of all data breaches. Just last week, two well-known companies suffered breaches because of third parties. Most notably, ridesharing giant Uber lost some of its source code, IT asset management reports, data destruction reports, and the login names and email addresses of nearly 77,000 employees as a result of an attack on one of its suppliers. Vulnerabilities in third-party software (both open-source and commercial) have already become one of the top initial attack vectors used by cybercriminals, and industry experts predict that attacks on the software supply chain will rise in 2023.
Why attackers target third parties
While some supply-chain attacks are highly targeted against a particular organization, others are opportunistic: attackers discover secondary targets only after a breach has occurred and supplier relationships have been identified. What’s more, cybercriminals know smaller organizations may not have the same level of protection as large enterprises, making them more susceptible to exploitation. Threat actors find a number of ways to breach organizations via third parties: they leverage trusted supply chain partners to launch sophisticated phishing and social engineering attacks (DoorDash), they steal shared credentials from third parties to infiltrate larger enterprises (LastPass), they compromise third-party software updates (SolarWinds), or they inject malicious code into vulnerable applications and software (Magecart).
Third-party breaches are expensive
Third-party breaches are more expensive to mitigate than regular incidents -- according to IBM, the average cost of a supply chain compromise runs $4.46 million, 2.5% more than the average cost of a data breach. Supply chain attacks and breaches are also harder to detect -- the average organization takes 303 days to identify and contain a supply chain compromise, 26 days longer than the 277-day average to identify and contain a non-supply-chain breach. Furthermore, 61% of organizations are not confident their partners would notify them if they experienced a breach involving their sensitive and confidential information.
How can organizations mitigate risk?
As organizations transition to technology-enabled architectures and trends like remote working become the norm, reliance on third-party software and services will only multiply. Moreover, with regulators tightening their grip on third-party security, enterprises are increasingly being held accountable for the security of their own supply chain partners. Here are four best practices organizations can leverage to reduce the risk of third-party breaches:
- Identify, classify, and prioritize all supply chain partners.
Create a comprehensive list of all third parties. Classify vendors based on the type of services they offer, the data and systems they have access to, the location they operate from, and other risk parameters. Once all suppliers are identified and classified, prioritize them based on risk.
- Assess security posture of high-risk vendors.
Perform thorough due diligence on high-risk vendors. Evaluate credit ratings, existing cybersecurity policies and practices, and compliance with standards like ISO 27001, HIPAA, and PCI-DSS. Evaluate what cybersecurity controls they have in place, whether they have any history of cybersecurity incidents, and whether they have comprehensive incident response processes. Request a software bill of materials (SBOM) from the most critical software suppliers to gain a clear understanding of the composition of the software being supplied.
- Close gaps on identified risks.
Once the team completes its evaluation of high-risk vendors, plan how to address each vendor individually. Start by updating contracts and stating control requirements clearly so that vendors understand, agree to, and adhere to the specified mandates. Besides mandating controls such as endpoint security, encryption, and multi-factor authentication (MFA), organizations must also require supply chain partners to conduct regular security awareness training for their employees, because 82% of breaches are traced back to human-related causes.
- Use tools to manage and monitor third-party risks.
The majority of organizations have more than 1,000 suppliers, and managing such a vast ecosystem can become complicated and cumbersome. That’s why organizations should invest in automated tools, namely governance, risk and compliance (GRC) platforms, that make it easier to manage contracts, onboarding, classification, and offboarding of vendors, and that help carry out risk assessments and risk monitoring in a systematic, automated and organized manner.
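The composition review that the SBOM request in the second practice enables, as an added example that is not part of the article or any vendor's tooling: the script parses a constructed CycloneDX JSON document, lists each component with whether the supplied product depends on it directly, and flags entries that lack a version or package URL (purl), since those cannot be matched against vulnerability advisories.

```python
import json

# Constructed sample CycloneDX 1.4 SBOM (not from the article). One component
# deliberately lacks a version and purl so the completeness check has something to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "vendor-app", "version": "2.1.0", "bom-ref": "app"}},
    "components": [
        {"bom-ref": "a", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:pypi/libfoo@1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "b", "name": "libbar", "version": "0.9.0", "purl": "pkg:pypi/libbar@0.9.0"},
        {"bom-ref": "c", "name": "mystery-lib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a", "b"]},
        {"ref": "a", "dependsOn": ["c"]},
        {"ref": "b", "dependsOn": []},
        {"ref": "c", "dependsOn": []},
    ],
})


def summarize_sbom(text):
    """Return (inventory, gaps): one inventory entry per component, marking whether
    the supplied product depends on it directly (from the 'dependencies' graph),
    plus a list of components that lack a version or purl and so cannot be
    matched to advisories."""
    bom = json.loads(text)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    inventory, gaps = [], []
    for c in bom.get("components", []):
        lic = [x["license"].get("id") or x["license"].get("name")
               for x in c.get("licenses", []) if "license" in x]
        inventory.append({"name": c.get("name"), "version": c.get("version"),
                          "purl": c.get("purl"), "licenses": lic,
                          "direct": c.get("bom-ref") in direct})
        missing = [f for f in ("version", "purl") if not c.get(f)]
        if missing:
            gaps.append(f"{c.get('name')}: missing {', '.join(missing)}")
    return inventory, gaps


if __name__ == "__main__":
    inv, gaps = summarize_sbom(SAMPLE_SBOM)
    for e in inv:
        print("direct    " if e["direct"] else "transitive", e["name"], e["version"], e["purl"], e["licenses"])
    print("incomplete entries:", gaps)
```

Entries that land in the gaps list are the ones to send back to the supplier before the SBOM is accepted as evidence of composition.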
Gartner predicts that by 2025, almost half of organizations worldwide will experience attacks on their software supply chains, a three-fold increase from 2021. Organizations must adopt a systematic approach to monitoring and managing third-party risk, not only to reduce the risk of breaches but also to build a culture of security, trust, transparency and responsibility across their entire ecosystem of suppliers and third parties.
Stu Sjouwerman, founder and CEO, KnowBe4