In today’s business climate, cybersecurity is more important than ever before. With the rise of cyberattacks, companies must take steps to protect themselves from a potential breach. One of the most underestimated and overlooked risks is a third-party risk.
Third-party risks are those risks that come from outside of your company, from vendors and suppliers to contractors and partners. Essentially, any company that has access to your systems and data is a potential risk.
While it’s impossible to eliminate all third-party risks, there are steps you can take to reduce the chances of a breach.
In recent reports, The Lapsus group, an attack group, first made headlines in December 2021 after a ransomware attack against the Brazilian Ministry of Health, exposing the PHI of millions of people.
It has since targeted multiple large companies including Nvidia, Samsung, Microsoft, Ubisoft, and now – Sykes Enterprises.
Sykes, a business service outsourcing unit owned by the Sitel group, disclosed that one of their employee’s Okta accounts containing customer data was breached in January 2022.
Documents leaked by the Lapsus$ group raised questions about both Sitel’s and Sykes’ security defenses, which highlights a pertinent challenge faced by businesses: third-party cyber risk management.
As cybersecurity mechanisms advance and become better and better, so do the attackers. If you shut one door for them, they try to hack another door.
With cloud computing becoming popular, there are more and more applications connecting, sharing data, and integrating, and giving the hackers another back door entry into our systems.
Now, we cannot eliminate third-party solutions, altogether but we can take measures to keep all applications safe from breaches and cyber attackers.
Here are three steps that can help us become more proactive than reactive to breaches.
When it comes to proactive security, detection is only half the battle – you also need to be able to predict attacks before they happen.
To do this, you need to take a three-pronged approach that focuses on people, processes, and technology.
The first step is to take inventory of all the vendors you work with and categorize them by risk.
For example, you might have high-risk vendors that have access to sensitive data, or low-risk vendors that have less access. You can then prioritize your security efforts based on this information.
The next step is to digital footprint all of your vendors. Scan the entire digital footprint of every third-party vendor in a non-intrusive, outside-in risk assessment. This should include Email Security, DNS Security, Application Security, Network Security, and System Security.
Also, scan for breach exposure for the identification of inadvertent or intentional exposure of potentially sensitive information, and compromised systems to detect systems and applications involved in malicious and/or unusual activity, and check cyber reputation to identify threats that may damage your brand reputation and eventually affect your revenue.
In Okta’s case, their share price dropped by more than 7% when news of the Lapsus$ breach reached the market.
The third and final step is to implement a risk management program that includes vendor questionnaires, security audits, and incident response plans.
This program should be tailored to the specific risks of each vendor. For example, high-risk vendors should undergo more frequent security audits than low-risk vendors.
Vendor questionnaires help you understand what security controls a vendor has in place. Security audits help you verify that these controls are effective. Incident response plans help you know what to do in the event of a breach.
By taking these three steps, you can shift from detecting to predicting breaches, and reduce the chances of a breach happening in the first place.
Third-party breaches are becoming more and more common, but there are steps you can take to prevent them.
By categorizing your vendors, digital footprinting them, and implementing a risk management program, you can predict attacks before they happen and keep your data safe.