Si West, Director, Customer Engagement, at the US-based cyber risk company Resilience, discusses how companies can protect themselves from third-party cyber risk.
The acceleration of digital transformation means that most companies today are reliant on an array of third-party vendors to go to market. Companies require file sharing, payment systems, and industry-specific SaaS software vendors to link their own systems to those of outside organisations.
Unfortunately, these connections with vendors can dramatically increase the surface area for cyberattacks. Resilience’s H2 2023 claims report revealed that third-party vendors had become the leading source of loss for companies, following the MOVEit hack, and its H1 2024 report found that vendor-related breaches account for 40 per cent of all claims in the first half of 2024. It is clear that in the age of digital transformation, a business’s cyber risk profile is only as strong as its weakest vendor.
Of course, it is not realistic to expect organisations to sever these digital connections – but the situation calls for a recalibration of existing resources to meet this threat. Organisations can take a number of steps to strengthen this chink in their cyber defences and achieve cyber resilience.
A focus on vendors
Organisations should shift resources towards analysing third-party vendors and the threat they may pose to security. This should mean greater scrutiny of outside vendors from a security standpoint. Cybercriminals can exploit weaknesses in a vendor’s own cybersecurity, giving them access to clients connected to the system. In May last year, hackers used flaws in the file sharing service MOVEit to gain access to one of the company’s clients, HR provider Zellis. This enabled them to steal stored data from Zellis’s customers, including the BBC, British Airways and Boots.
When selecting vendors, companies should bear in mind this chain effect. Businesses should make sure to interface only with credible vendors who have robust controls of their own in place to protect their clients’ data and systems should something go awry. Further, given the frequency of attacks, companies should engage with vendors who have access to cyber insurance to offset the cost of an attack for their customers.
Provisions that mandate businesses to verify the cybersecurity of their suppliers and make sure that third-party service providers adhere to the same standards as the primary business have been put in place with the EU NIS2 Directive and the UK’s Cyber Security and Resilience Bill. All businesses will eventually need to think about who they might deal with in their supply chains and assess whether or not they are affected, even tangentially, by the new and more stringent cyber security regulations.
Finally, security and risk leaders and company boards should prioritise these vendors in incident response planning, and structure an approach to handle potential breaches and minimise their impact. Such preparation can help companies determine the potential impact of vendor breaches on business operations, and outline communication protocols with key stakeholders in the event of a breach.
Data-driven complexities
With the rise in cyberattacks through third-party vendors, the whole security landscape has changed. The complexity of digital supply chains makes it difficult to estimate where an attack will come from. This necessitates an increased emphasis on not just incident response plans, but threat simulation. Companies can use simulations, such as the integrated Breach & Attack Simulation Resilience offers as part of its insurance package, to test which vendor connections a hacker might use as a route into their systems, allowing them to patch vulnerabilities before bad actors can exploit them. In a new threat landscape where attacks could come from any angle, tools like these are a powerful way to identify weak points. Simulations are a key process in building a cyber risk profile, supporting security and risk leaders to better determine their risk posture and tolerance.
Companies should use security tooling to assess the risk environment within their organisation and proactively monitor for external threats outside their perimeter. Resilience adopts a position of continuous monitoring. However, monitoring without a response adds little or no value to an organisation. Perimeter defences, monitoring and incident response should be aligned to have the best chance of minimising losses. Further, cyber risk quantification can help businesses translate the value of security controls into monetary terms, estimating the financial impact of a cyberattack and the return on investment of security and insurance investments. By accounting for the threat from third-party vendors in risk quantification, firms can develop a more nuanced understanding of their own risk profile: one that looks at their place in the digital supply chain. This will help company boards make better decisions regarding their investments in security, insurance, and contingency planning.
More than anything else, the rise of third-party attacks proves that total cybersecurity is an illusion, and companies should not waste resources trying to pursue it. For businesses operating in 2024, some kind of cyberattack is, unfortunately, highly likely.
Rather than trying to protect against all attacks, organisations should focus on assessing and limiting material losses. Building a cyber risk profile and developing an incident response plan are both proactive methods to manage and reduce the impact of a breach, determining a company’s risk tolerance and allowing it to invest in a cybersecurity and insurance solution appropriate to its needs, rather than simply trying to block every attack. Digital connectivity is indispensable for modern businesses and organisations in 2024, even in the face of the security challenges interconnectivity poses. What the rise of third-party attacks does demand, though, is more scrutiny over the vendors that a business interfaces with, along with a broader integration of proactive, comprehensive cyber resilience strategies.