The Most Important Cyber Risk: It is Not What You Think

Cybersecurity discussions often revolve around well-known threats like ransomware, phishing, or insider attacks. However, an equally significant yet frequently overlooked risk lies in third-party relationships. These relationships, while crucial for operational efficiency, can open doors to attackers. An attack on a critical supplier may cause prolonged outages in your organisation, as well as theft or disclosure of your sensitive data, with severe consequences for the business. Recent statistics reveal that nearly half of all organisations experienced breaches through third-party vendors in 2022 (source: Cybel Angel, 2023), underscoring the urgency of addressing this blind spot.

The Overlooked Threat of Third-Party Risks

Organisations increasingly rely on external vendors, cloud service providers, and contractors to streamline operations. However, this reliance introduces vulnerabilities. Shockingly, 98% of organisations work with at least one third-party vendor that has suffered a breach, and nearly 29% of overall cyber incidents can be attributed to third-party attack vectors (source: Security Scorecard, 2024).

Examples of third-party compromises include:

  1. SolarWinds (2020): A supply chain attack on SolarWinds impacted thousands of organisations, including government agencies and Fortune 500 companies.
  2. MOVEit Data Breach (2023): Exploited vulnerabilities in the MOVEit file transfer software led to the exposure of sensitive data across numerous industries globally.
  3. Kaseya Hack (2021): A ransomware attack on Kaseya’s remote management software affected over 1,500 businesses globally, highlighting the cascading effects of third-party breaches.
  4. British Airways and BBC Payroll Provider (2023): The payroll provider, Zellis, was compromised, leading to data breaches for major clients, including British Airways and the BBC.

These incidents illustrate the devastating impact of inadequate third-party security measures, often due to poor oversight and ineffective risk management strategies.

Bridging the Gap Using Frameworks

Organisations must prioritise third-party risk management, and frameworks like C-SCRM (Cyber Supply Chain Risk Management) from NIST, alongside ISO/IEC 27036-1 and 27036-2 and the VSA Questionnaire, offer valuable guidance. These documents provide structured approaches to securing supplier relationships:

  • NIST C-SCRM outlines a comprehensive strategy for identifying, assessing, and managing cyber risks across the entire supply chain, addressing vulnerabilities at every stage.
  • ISO/IEC 27036 has two parts. Part 1 introduces general principles for supplier relationship security, helping organisations establish robust frameworks. Part 2 delves deeper into risk identification, assessment, and mitigation, offering practical tools to protect sensitive data.
  • The VSA questionnaire, available to download from the Vendor Security Alliance website, provides a comprehensive list of questions that you may ask your vendors or third-party service providers.

By adopting these standards or designing a program incorporating the principles of these frameworks, organisations can gain a clearer understanding of what is required to secure supplier ecosystems, improving resilience against third-party threats.

Recommendations to Mitigate Third-Party Risks

To safeguard against these vulnerabilities, organisations should consider the following steps:

  1. Implement Rigorous Assessments: Move beyond basic questionnaires. Conduct thorough audits of third-party vendors’ security postures and review their incident history. For example, if you are using an MSP, follow ACSC recommendations, such as "Questions to Ask Managed Service Providers," in addition to the questionnaire and ask for evidence.
  2. Continuous Monitoring: Use automated tools to track changes in vendor risk profiles and detect potential threats.
  3. Risk Classification: Categorise vendors based on their criticality to operations, the sensitivity of the data they access, their importance to the business, and how much effort would be required to decouple from the service provider.
  4. Comprehensive Incident Response Plans: Develop protocols to ensure swift action in the event of a third-party breach, and test those incident response plans together with your major third parties.
  5. Shadow IT Controls: Regularly assess and mitigate risks arising from unauthorised tools or services used within the organisation.

How Spartans Can Help

Navigating the complexities of third-party risk management requires expertise. At Spartans, we specialise in helping organisations secure their supplier ecosystems. Our services include:

  • Detailed risk assessments aligned with standards like NIST C-SCRM and ISO/IEC 27001, and with supporting requirements such as ISO/IEC 27036.
  • Development of customised security frameworks to protect third-party relationships.
  • Continuous monitoring solutions to detect and mitigate emerging risks.

Our proven methodologies empower organisations to fortify their defences, ensuring third-party risks are not just managed but proactively mitigated.

A Final Thought

Third-party risks may not always dominate cybersecurity headlines, but their impact can be catastrophic. Organisations must shift their focus from traditional internal security measures to a broader, more inclusive approach that encompasses supplier ecosystems. By partnering with experts like Spartans, organisations can turn this overlooked vulnerability into a robust line of defence.
