With the maturation of cloud computing technologies and efficient data transfer via APIs, digital supply chains have become increasingly complex and indispensable. However, the scalability and flexibility afforded by third parties also come with hidden risks.
As demonstrated by several major cyberattacks, such as the SolarWinds and Kaseya supply chain incidents, the breach of a third-party supplier can quickly metastasize, compromising its downstream customers. Organizations often overlook their dependence on the defenses of their suppliers. The PwC 2022 Global Digital Trust Insights Survey showed that only 40% of organizations possess a deep understanding of the data breach risks posed by third parties, with 20% reporting little or no understanding. Furthermore, more than half of the survey’s respondents expect software supply chain and cloud service attacks to increase in 2022, yet nearly two thirds of them had not formally assessed their organization’s exposure to these threats.
In the second half of 2021, supply chain attacks rose by more than 50%. For organizations with otherwise strong security postures, third parties may be a weak link in their defenses, making them a target for cybercriminals. When an organization grants a vendor access to its sensitive data or systems, it’s essentially outsourcing the security of those assets as well. If visibility into that vendor’s security posture is lacking, this means accepting unknown risks, which is a dangerous practice.
The U.S. government is taking steps to reduce vulnerabilities in the country’s digital supply chain. The National Institute of Standards and Technology (NIST) is developing a framework for securing the technology supply chain, and the Biden Administration continues to champion zero trust architecture, which increases resilience against third-party and insider threats. While these high-level initiatives may improve the security landscape over time, organizations must ultimately take responsibility for the risk posed by their partners and suppliers.
Here are some ways to better understand and reduce your third-party risk:
- Develop risk questionnaires and security scorecards to make informed evaluations of your suppliers’ security practices.
- Maintain a third-party inventory to measure and track your exposure to third-party risk.
- Require vendor attestation or proof of compliance with security standards, such as NIST SP 800-53 or ISO 27001.
- Request an independent assessment of your vendors’ security posture by an experienced cybersecurity partner.
- Establish an ongoing security dialogue with your suppliers. Effective cybersecurity requires continuous monitoring and improvement. Regular communication provides visibility into third-party risks, builds trust and promotes security as a shared priority.
Managing third-party risk can be complex and intimidating. The experts at MBL Technologies are here to help! We can assess your organization’s unique risk profile, including its exposure to third parties, and implement long-term solutions to keep you and your customers safe.