Third-party risk management (TPRM) has been a mainstay in boardroom discussions for decades. Vetting vendors and interrogating supply chain integrity should come second nature to most businesses, either to stay on the right side of regulation or ensure business-wide security. However, it’s only recently that our attention has begun to swing almost exclusively toward digital risk, and this can be a veritable minefield for those unprepared. In this article, we’ll discuss what we mean by digital third-party risk, talk about some of the risk trends we’re seeing emerge in 2021, and outline some of the best practices businesses can employ to improve their risk posture.
The accelerated rise of third-party digital risk
To say the past year or two has been challenging for businesses is an understatement. In something now being referred to as ‘the quickening’, we effectively raced through a decade’s worth of digital change in the space of 90 days. As businesses accelerated their digitalization strategies in order to stay operational and support their staff remotely, they became increasingly dependent on third-party software. As a result, today’s digital supply chain looks less like a chain and more like a web, with several moving parts, endpoints and vulnerabilities that can all go too easily unnoticed.
Since the start of the pandemic, more than 50 percent of businesses worldwide have experienced at least one data breach caused by a third party. And let’s not forget the infamous SolarWinds supply chain attack that took place toward the end of 2020, which impacted organizations as big as Microsoft, Cisco and even the US Department of Homeland Security – all via an ostensibly run-of-the-mill software update. Microsoft president Brad Smith referred to the third-party software breach as the “largest and most sophisticated attack ever”. The takeaway is that this risk isn’t going anywhere, and is only likely to increase.
How organizations are exposing themselves
For as long as anyone can remember, inadequate third-party risk assessments have been a known culprit for leaving businesses wide open to attack. As businesses run headlong into digitalization, they’re acquiring more and more third-party tools from software vendors to make their lives easier. Uptake of free, open-source toolsets surged as businesses embraced remote working, for instance. These free tools are particularly dangerous as they leave no financial footprint and are therefore often overlooked in assessments. Such tools might include something as mission-critical as PHP – which an entire web interface can depend on – but because it’s not ‘on the books’ it gets missed during assessments.
However, even if a business gets TPRM right and covers all of its bases, there are still countless other traps it can fall into. Some organizations, for instance, will give unusual permission levels and freedoms to third-party vendors because it’s simply easier. Why make a tailored set of access controls for a seemingly innocuous piece of software when you can simply wave it on through? It’s much easier to give an MSSP full admin rights than work out precisely what elements it needs access to, control-by-control. Too many businesses take this easier road without really thinking about it, leaving themselves vulnerable to all kinds of risks even if their vulnerability benchmarks look good.
As well as vendors themselves, businesses also need to be wary of the software they themselves are producing and where it’s being used. Multiple companies might use the same Exchange or PHP platform, for instance. If a bad actor targets one business using this platform, they’re effectively targeting all businesses that share the software – hence the comparison to a web as opposed to a chain.
What can businesses do to mitigate third-party digital risk?
Risk will always exist in some form, and businesses will always need an up-to-date and fit-for-purpose TPRM strategy that suits their own requirements. As we emerge from the pandemic, we’re unlikely to roll back the progress we’ve made, so reliance on third-party tools, cloud computing and hybrid working are things we’re going to have to accommodate permanently in our risk management strategies. That said, there are some basic – but often overlooked – steps a business can take to mitigate third-party vendor risk.
● Gradual patching
Any business would be forgiven for simply rushing out patches as soon as they become available, but the smart play is to rank and schedule patches according to their importance and work through them gradually. This, combined with a good backup policy, will mean minimal downtime and maximum control.
● Embrace least privilege
As we mentioned earlier, there are too many incidents of third-party software (particularly free tools) that get waved through with full access privileges for convenience. If an application becomes compromised, you only want it to have access to the absolute minimum number of services it needs to do its job, otherwise you risk turning a small problem into a catastrophic one.
● Always vet your vendors
With so many third-party tools and programs working their way into a company’s day-to-day operations, businesses must ensure they have an assessment and benchmarking strategy that’s fit for purpose. Businesses are often guilty of focusing more attention on their most expensive pieces of software, but a breach can come from any application – even a seemingly innocuous one that serves a trivial purpose. Think of applications in terms of network access and footprint, and rank and assess accordingly.
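The three practices above (ranking patches by importance, flagging over-privileged vendor software, and assessing applications by network access and footprint rather than by licence cost) can be driven from one inventory. The following Python script is an added example, not code from the article or from SureCloud; the inventory rows, the scoring weights and the privilege tiers are constructed assumptions you would replace with your own CMDB data and risk appetite. It scores each component on unpatched severity, internet exposure, granted privilege and host footprint, produces a patch order and maintenance-window schedule from that score, and separately lists components that were granted admin rights or carry no spend and so tend to be missed by cost-driven assessments.

```python
"""Rank a third-party software inventory by exposure, not by price tag.

Added example with a constructed inventory; weights and tiers are assumptions.
"""
import math
from dataclasses import dataclass
from typing import List

# Assumed privilege tiers: how much damage a compromised component could do.
PRIVILEGE_WEIGHT = {"none": 0, "user": 1, "service": 2, "admin": 4}


@dataclass(frozen=True)
class Component:
    name: str
    annual_cost: float    # 0 for free/open-source tools with no financial footprint
    internet_facing: bool  # reachable from outside the network boundary
    privilege: str        # one of PRIVILEGE_WEIGHT's keys
    max_cvss: float       # highest CVSS among its open, unpatched advisories; 0 if none
    hosts: int            # footprint: number of systems running it


# Constructed sample inventory (names and numbers are illustrative only).
INVENTORY: List[Component] = [
    Component("php-runtime", 0, True, "service", 9.8, 40),
    Component("mail-platform", 120_000, True, "admin", 7.5, 3),
    Component("mssp-agent", 60_000, False, "admin", 0.0, 200),
    Component("wiki-tool", 0, False, "user", 5.3, 1),
    Component("pdf-converter", 0, False, "user", 0.0, 12),
]


def risk_score(c: Component) -> float:
    """Assumed formula: severity doubled when internet-facing, plus a privilege
    term, plus a log-scaled footprint so breadth matters without dominating."""
    exposure = 2.0 if c.internet_facing else 1.0
    privilege = 2.5 * PRIVILEGE_WEIGHT[c.privilege]
    footprint = math.log2(c.hosts + 1)
    return c.max_cvss * exposure + privilege + footprint


def ranked(components: List[Component]) -> List[Component]:
    """All components, highest risk first; this is the assessment order."""
    return sorted(components, key=risk_score, reverse=True)


def patch_order(components: List[Component]) -> List[Component]:
    """Only components with something to patch, in the order to work through them."""
    return [c for c in ranked(components) if c.max_cvss > 0]


def patch_schedule(components: List[Component], per_window: int) -> List[List[str]]:
    """Split the patch order into maintenance windows of per_window items each,
    so high-risk fixes go first and nothing is rushed out all at once."""
    order = [c.name for c in patch_order(components)]
    return [order[i:i + per_window] for i in range(0, len(order), per_window)]


def overprivileged(components: List[Component]) -> List[str]:
    """Components granted admin rights: candidates for a least-privilege review."""
    return [c.name for c in components if c.privilege == "admin"]


def unbudgeted(components: List[Component]) -> List[str]:
    """Free tools leave no spend trail, so a cost-driven assessment can skip them."""
    return [c.name for c in components if c.annual_cost == 0]


if __name__ == "__main__":
    for c in ranked(INVENTORY):
        print(f"{c.name:15s} score={risk_score(c):5.1f}")
    print("patch windows:", patch_schedule(INVENTORY, per_window=2))
    print("admin rights granted:", overprivileged(INVENTORY))
    print("no financial footprint:", unbudgeted(INVENTORY))
```

Note that the MSSP agent has nothing to patch yet still ranks third, purely because it holds admin rights on 200 hosts; that is the point of scoring privilege and footprint alongside severity, and it is why the agent shows up in the least-privilege review list even with a clean advisory record.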
Even if a business attempts to create an airtight plan for risk management, it’s inevitable that something will slip through eventually. It happens to the best of businesses. The focus then moves to identification and incident response. If a business runs regular benchmarks to help it identify abnormal behavior, and can then apply a set of steps to isolate and neutralize the threat with minimal impact to services, its risk management strategy has still succeeded. The risk landscape is changing, but if businesses can realign their risk posture once the dust from the pandemic has settled, they’ll be even stronger for it.
Aaron Dobie, Adversary Simulation Lead, SureCloud