Welcome to the deep dive, where we extract the crucial insights you need. Today we're tackling something maybe a bit overlooked: third-party risk. Did you know over half of businesses don't even do basic third-party risk management seriously, and even fewer have, like, a really solid cybersecurity program for their vendors? That number, it's genuinely alarming when you think about it.
Really is. It's what we call third-party cybersecurity risk, or sometimes you hear supply chain security. You're not talking about direct hits on your own network necessarily. Often it's these silent threats kind of sneaking in through partners you actually trust. It's a fundamental shift, really, in how we need to approach digital defense.
Absolutely. So our mission today: give you a shortcut, help you understand this pretty complex landscape. We'll cut through the jargon, shine a light on those hidden dangers, and show you exactly why looking at your vendors' security isn't just nice to have, it's absolutely essential. Get ready for some insights that might really change how you think about security. OK, right in. Why have these third parties become, well, the new front line? This risk isn't exactly new, is it?
But the scale of neglect seems huge. I saw this 2018 Ponemon study said only 40 percent do any cybersecurity checks on vendors, and 60 percent either nothing or just random ad hoc stuff. That's basically leaving the back door unlocked, isn't it?
That's a perfect way to put it. Yeah. And the result, we see it in some really big headline-grabbing breaches. Think about the SolarWinds attack, 2020. There wasn't a direct hit on, you know, the thousands of places affected, including US government agencies. No, it was a state actor inserting malware, the Sunburst trojan, into routine software updates for SolarWinds' Orion product.
The update everyone trusted. Exactly. Microsoft's president Brad Smith called it an act of recklessness. Classic supply chain attack, exploiting trust. It showed incredible patience, sophistication.
And it's not always these, you know, super sophisticated state actors either. Sometimes the way in is much simpler, right, but the damage is just as bad. Like the Target breach, remember that, 2013, 2014. They didn't hack Target directly first. Nope, they stole credentials from an HVAC vendor, Fazio Mechanical. Such a small thing, seemingly.
But it led to massive financial damage, huge reputational hit for Target. It just shows how a little crack in a partner's security can become a giant problem for you.
Yeah, it really does. And it highlights that attackers often take the path of least resistance. That's frequently through a third party who might not be as buttoned up, which brings us to a key point. A lot of existing security programs, they're just about checking a box, meeting some regulation.
Ah, the checkbox trap. So just going through the motions, not actually reducing risk? Pretty much. It becomes an obligation, not an active defense strategy. True security, real security, has to be active, ongoing. It's got to go beyond just compliance. You mean genuine threat hunting? Looking not just inside but outside, at your suppliers too. If you're only doing what regulators mandate, well, you're probably going to get hit faster than someone who sees regulations as just the starting line.
That's a really powerful point. The starting line, not the finish line. So if we want to move beyond that checkbox mentality, who are we actually up against? What do these adversaries, these bad actors, actually do? Well.
At its heart, cybercrime is just using tech, computers, the Internet, for illegal stuff. The who can vary a lot, though. Most common: cyber criminals. Think electronic thieves, usually after money, like in the Home Depot breach back in 2014, grabbing payment card data.
Right, the financial motive. But then there are the others. The nation-state hackers, APTs, advanced persistent threats. Those sound more serious. They often are.
These are state-sponsored groups or sometimes really large organized cybercrime syndicates. They have serious resources, patience. They aim for stealthy, large-scale attacks, often political or economic goals driving them. SolarWinds, prime example of what they can do. The big difference is usually their motivation and just how deep their pockets are.
Okay, so these actors, sophisticated or not, are out there. How do they typically get in? What are the common doors they knock on?
Phishing is still massive. Huge. Those deceptive emails trying to trick you or your vendors' employees into giving up info or clicking a bad link. And what's really dangerous is spear phishing, super targeted emails aimed at specific people, often ones with high-level access, like system admins. Exactly. Or whale phishing, which goes after the big fish, the C-suite, CEOs. Verizon's 2019 report said something like 32 percent of all data breaches started with phishing.
Wow, nearly a third. And once they're potentially in, or even just to cause chaos, we hear so much about ransomware.
Oh yeah. Ransomware locks up your data, encrypts it, then demands money to get it back. Remember WannaCry? Hit over 250,000 systems, 150 countries. The cost is staggering, expected to hit $20 billion globally in 2021. And guess how it often gets delivered?
Let me guess. Phishing emails?
Got it. Often through those very same phishing emails. Another common tactic is a man-in-the-middle attack, or MITM. That's where an attacker basically eavesdrops on communication between two parties, steals data while it's in transit. Often happens over insecure Wi-Fi.
Okay. It sounds like a minefield, but is there a typical playbook, a general sequence these attacks tend to follow?
There usually is, yeah. Understanding it helps. Most breaches kind of follow five general steps. First, research, reconnaissance. Attackers scope out the target. This can take months. Then intrusion. They get that first foothold inside the network, maybe via phishing, maybe an unpatched vulnerability. A foot in the door. Exactly. Once they're in, it's lateral movement. They start moving around, exploring the network, looking for valuable stuff, more systems to compromise.
Next comes privilege escalation. They try to get more access rights, go from a regular user account to something powerful, like a domain admin.
To get the keys to the kingdom, right.
And finally, exfiltration. They steal the data they came for and then try to cover their tracks so you don't notice immediately. It's methodical.
Target breach fits that perfectly. Research finds the HVAC vendor. Intrusion uses their credentials. Lateral movement finds the payment systems. Exfiltration steals the card data. Step by step.
A painful but textbook example.
Okay, so we've seen the dangers, the actors, their methods. Let's switch gears. How do we build a strong defense? What are the absolute fundamentals we need to think about, especially when evaluating third parties?
It's interesting. The core ideas haven't really changed. It always comes back to the CIA triad: confidentiality, integrity, availability. Not just jargon. These are the pillars for every security decision. When you look at a vendor, you have to ask: confidentiality, are they storing our data securely? Integrity, will they ensure our data stays accurate, unaltered? Availability, can they guarantee we can get to our data when we need it? Your vendor assessment should really hinge on these questions.
That makes sense. And with everyone working remotely now, I keep hearing this phrase, identity is the new perimeter. What does that actually mean in practice?
It's a huge shift. The old model was like a castle wall, protect the network edge. But now people can access from everywhere, use cloud services. That old castle-and-moat thing doesn't quite cut it, right?
The perimeter's blurred.
Totally blurred. So now managing who is accessing what becomes the main security control: identity. This makes multi-factor authentication, MFA, absolutely critical, that extra layer beyond just a password. And Privileged Access Management, PAM, for those really powerful accounts. Think about it. A domain admin account might sell for over $3,000 on the dark web, a regular user maybe $15.
Fifteen dollars. A big difference.
Huge. So MFA and PAM, they're your best defense against stolen credentials getting misused, because who is logging in is often more important now than where they're logging in from.
Okay, so identity and access are key. What other basic controls should we be looking for from our vendors?
Patch management is absolutely vital. Keeping software and systems updated. It fixes the holes, the vulnerabilities that attackers are constantly trying to exploit. It's like fixing leaks in your roof.
Regularly. Basic maintenance, but critical. Critical.
And things like an intrusion detection system, IDS, that monitors network traffic looking for weird behavior or known attack patterns. Think of it like a security camera with an alarm. It won't stop the attack itself, maybe, but it gives you that crucial early warning. Hey, something's wrong. Right.
The alarm bell. Now, I hear this a lot: oh, we're fine, we have a firewall. Is that really enough?
Oh, absolutely not. A firewall is like the moat and the guard at the castle gate. Essential, yes. Stops unwanted traffic getting in. But once someone is inside, or if a threat comes in through email, which a basic firewall won't inspect deeply, it's not enough. That's why you talk about defense in depth. Multiple layers, independent layers. If one fails, hopefully another one catches it.
Multiple layers make sense. So with all this complexity, how do organizations actually structure their approach? This sounds like where cybersecurity frameworks come into play.
Exactly. Frameworks give you a roadmap, a structured way to manage and reduce risk. The NIST Cybersecurity Framework, NIST CSF, is a big one, especially in the US. Came out of a presidential order. It focuses on five core functions: identify your risks, protect your assets, detect incidents, respond when they happen, and recover afterwards. It's built around the idea that breaches will happen, so you need to be prepared to handle them and bounce back quickly. It's a proactive approach.
And there are international ones too, right? Yes. Like ISO 27001 and 27002. ISO 27001 sets the standard for an information security management system, and 27002 provides the specific controls. If a vendor adheres to one of these frameworks, it's a good sign of their security maturity. Plus it gives you a common language to talk about security with them, which is really valuable.
Okay, let's really unpack this whole vendor lifecycle thing. It's definitely not just a one-off check, is it?
It's more like a journey. Absolutely, a continuous journey. And it starts right at the beginning, in the intake phase. This is your first impression and maybe the most critical point. You've got to ask the key questions here. What kind of data are we sharing? How sensitive is it? How much? Where's it going to live: country risk, cloud location? And crucially, who are their vendors, the fourth parties, because their security impacts you too.
And this is where you lay down the law, right? Your non-negotiables. Exactly.
Your organization needs clear must-have security requirements, things like: data must be encrypted at rest and in transit, or MFA is mandatory for any privileged access to our systems, no exceptions. And those SOC 2 Type II reports you hear about, they're common for IT vendors. What's really important isn't just the report existing. A Type II means an auditor has verified that the controls described not only exist, but actually worked effectively over a period of time. That turns it from a claim into real evidence.
Okay, so they're onboarded. The report looks good. How do you make sure things stay good? How do you keep vigilant?
That's ongoing due diligence. It's about staying engaged. You need a risk-based approach. You can't scrutinize every vendor down to the last detail. It's not practical. So focus your efforts where the risk is highest. High-risk vendors, they get the deep dives, the more frequent reviews.
Makes sense. But what about those giants, the too-big-to-care vendors, the ones you absolutely rely on, but they just won't meet all your specific requirements?
Yeah, that's a tough one. Sometimes, frankly, your only real option is risk transfer. You require them to have solid cyber liability insurance. You document the risk, you accept it, and you have the insurance as a backstop. Not ideal, but sometimes it's the reality.
And what about the people, vendor employees? Their training must be super important, especially with phishing being so prevalent.
Oh, absolutely critical. A vendor needs strong security awareness and training for their staff, especially around phishing. We keep coming back to it because it works. Look at the GE breach in 2020. It happened because Canon, a GE vendor, had a leak through an employee email account compromise. Just a simple email issue at a third party caused problems for GE. Wow.
Okay, so annual reviews are standard, but like you said, a lot can change in 364 days. How do you bridge that gap?
That's the role of continuous monitoring, CM. There are automated vendor security rating tools out there now. They can scan vendor networks externally, look for things like open ports, check if they're patching promptly, even find exposed credentials online. It gives you a near real-time pulse check between those deeper assessments.
Filling the gaps. And for the really critical vendors, you can probably go even deeper with monitoring.
Yes, that's enhanced CM. For your most vital partners, you might monitor more specific things, more often: software vulnerabilities they might have, fourth-party connections, data location changes, how they're connected to you. And you need a plan for when things go wrong. A Third-Party Incident Management, TPIM, playbook. What do you do when a vendor tells you they've been breached? Discovery, investigation, reporting, closing the loop. Uber learned this the hard way. They delayed reporting a 2016 breach and faced serious consequences. Prompt notification is key. Right.
Now, the end of the line: offboarding. The vendor relationship ends. This feels like something that could easily get forgotten.
It often does, but it's so important. When a vendor leaves, you need absolute certainty that any data you shared with them is gone, irreversibly destroyed. That means proper data sanitization, not just hitting delete. Depending on the media, hard drives, flash drives, even paper, it means clearing, purging, or physical destruction. And you need proof, not just a piece of paper saying they did it. Get digital certificates of destruction, CODs. Verifiable.
Proof. Like what happened with Morgan Stanley.
Exactly. Fined $60 million in 2020. Why? They messed up decommissioning old equipment. Customer data was still on there. It just shows a massive failure of oversight during offboarding.
Okay, let's pivot slightly. Cloud security. Everyone's moving to the cloud. Is it inherently riskier for third parties, or just different?
I'd say mostly different. Cloud offers huge benefits, obviously, but it does change the calculus for your vendors. The key is understanding the NIST service models: SaaS, software as a service; PaaS, platform as a service; IaaS, infrastructure as a service. They define who's responsible for what. With SaaS, for example, the vendor manages almost everything, so their security practices for the underlying infrastructure are paramount. With IaaS, the customer, your vendor in this case, has more control but also more responsibility.
So it all comes down to that shared responsibility model again, knowing where their job ends and yours begins, or where your vendor's job ends.
Precisely. And it can get tricky. The Capital One breach in 2019 was a big wake-up call. AWS provides the secure infrastructure, but they basically said Capital One misconfigured their own web application firewall, WAF. Ouch. Yeah. It shows that even with a secure cloud provider, how your vendor configures and uses the services is critical. You can use tools like the AWS Trusted Advisor report or Azure Advisor to help assess how well they're managing their cloud environment.
Okay, let's talk legal shields: contracts. How do you actually bake security into the legal agreement? Sounds like the lawyers need specific instructions from the security folks.
They absolutely do. Contracts are a crucial tool for managing vendor risk, but only if the security requirements are clear and strong. Cybersecurity teams need to tell legal what's essential. What are the non-negotiables? Things like: you must encrypt our data, you must use MFA for privileged accounts connecting to us, we must have the right to audit or assess your controls.
Get it in writing upfront. And incident notification too.
That seems vital. Critical. The contract has to spell out what counts as a breach that needs reporting and demand prompt notification. You should aim for 24 to 48 hours. You can't wait weeks. And for offshore vendors you often need extra clauses, things like requiring work only from a specific secure designated workspace or Offshore Development Center, ODC, maybe mandating encrypted connections, virtual desktops that can't access the general Internet or allow copy-paste, plus rigorous background checks on their personnel handling your data.
What about really old contracts? Can they become a liability if the threat landscape has changed?
A huge liability. Look at the Heritage Valley Health versus Nuance case from 2020. The core issue was dismissed, but the court specifically pointed out they were operating under a contract over ten years old, made with a company Nuance had bought ages ago. It just screams: review and update your contracts regularly. Security threats evolve constantly. Your contracts need to keep pace. Old language might not protect you anymore.
Right. Last big area: the actual software and connections, the real attack surface. Seems like buyer beware is the mantra for third-party software.
It really has to be. Third-party software is a massive attack vector. We saw it with Heartbleed in OpenSSL. We saw it with SolarWinds. You need to push vendors to have a documented secure software development lifecycle, SSDLC. Security needs to be built in from the requirements stage through design, coding, testing, deployment and maintenance.
Not bolted on at the end. And testing is key.
There are absolutely different kinds. Static analysis, looking at the code itself for flaws before it runs. Dynamic analysis, running the software and watching how it behaves, looking for vulnerabilities in action. And fuzz testing, basically throwing garbage, invalid inputs at the software to see if it breaks in unexpected, potentially exploitable ways. Got to stress test it.
Good to know. And understanding common flaws helps. Definitely.
The OWASP Top Ten is a great resource. It lists the most critical web application security risks, things like broken authentication, security misconfigurations. Your vendor should know it and test against it. And don't forget open source software, OSS. So many products rely on it. It's great, but needs careful vetting. Heartbleed hit OpenSSL, a library used everywhere. Tools called Software Composition Analysis, or SCA, can help find and manage risks in the open source components vendors use.
Okay, last piece. How these third parties actually connect to your network. That seems like a direct line in if not managed right.
It is, and this is where the zero trust, ZT, model is so important. The core idea: never trust, always verify. Assume nothing is safe by default. Every user, every device, every application, especially vendor connections, needs to be verified before getting access, and even then only give the minimum access needed. It drastically limits an attacker's ability to move laterally if a vendor connection is compromised. Never trust, always verify. Got it.
What about all those connected things, IoT devices, smart cameras, sensors? They seem like a potential nightmare. They can be. IoT is a huge, growing risk area. Often manufacturers rush them to market and security is an afterthought. Hard-coded passwords, no way to update them. Basic stuff gets missed, creating easy targets. Exactly. So your organization needs minimum standards for any IoT devices connecting to your network, even through vendors. No hard-coded passwords allowed. Access must be configurable. Ideally they have a hardware Trusted Platform Module, TPM, for security. And critically, they must be patchable. If you can't update it, you can't secure it.
Wow. Okay, we have covered a lot of ground, from that shocking statistic about how few companies are even doing the basics all the way to the nitty-gritty of secure software development and zero trust, from SolarWinds to making sure data gets destroyed properly during offboarding. It's crystal clear that security isn't just contained within your own walls anymore. It's a shared responsibility.
It really is. It's a complex web, but understanding the pieces like we've discussed is absolutely essential. The sources we drew on really paint a picture of high stakes. This isn't just about dodging fines. It's about keeping the whole enterprise running and safe.
So here's something to chew on. Think about SolarWinds again. Those attackers, likely an APT, spent months, maybe longer, doing research, planning, just to plant malware on one specific server, a build server at a well-known tech company. What does that level of patience, that sophistication, tell us about the adversaries out there today? And maybe more importantly, what does it imply about your organization's ability to find something malicious that might have been hiding dormant inside a trusted third-party system for who knows how long? Yours, maybe.
That's the chilling question, isn't it? How deep does your visibility actually go? Are you equipped to find something that's deliberately trying to stay hidden, possibly for a very long time, within your extended ecosystem?
Right. This really isn't just about compliance checkboxes or avoiding bad headlines. It's fundamental to protecting your entire organization. So the question to ask yourself, ask your team, is: are we really doing enough? Are we moving beyond just compliance and truly partnering with our vendors, treating this as an active, ongoing practice of hunting for threats together? Because in this interconnected world, you're only as strong as your weakest link, and quite often that link isn't inside your own company, it's with a third party. Keep learning, keep asking the tough questions, and definitely stay curious.
