Threatonomics

Fortifying Defenses: Effective Third-Party Risk Management in Cybersecurity

by Si West, Director, Customer Engagement

As cybercriminals continue to evolve their strategies and target vulnerabilities in digital systems, businesses face an increasing need for robust third-party risk management. The first half of 2023 was no exception, marked by significant shifts in cybercriminal strategies. Notably, these evolving tactics have aimed at an often-overlooked aspect of cybersecurity: the third-party attack surface.

As headlines have been dominated by reports of high-profile cyber attacks on major organizations, one common denominator has emerged: many of these incidents were made possible by exploiting vulnerabilities residing within third-party vendors. Large organizations on average maintain 173 vendors within their supply chain, creating a massive attack surface with huge potential for security gaps. This growing threat has thrust the need for robust third-party risk management strategies to the forefront of discussion.

Comprehensive third-party risk management is crucial to safeguarding businesses and protecting sensitive data from cyber threats, and is a key component of Cyber Resilience.

Adapting to New Cyber Threats

The Resilience 2023 Mid-Year Cyber Claims Report reveals a strategic shift among cybercriminals toward exploiting vulnerabilities in third-party vendors. This trend has had a broader impact on organizations, leading to domino-style data breaches that devastate multiple businesses.

Insights from the Resilience 2023 Mid-Year Cyber Claims Report

Recovery Improvements: Those who experienced ransomware to the point that a payment was demanded were still technically hit. The fact that only 15% had to pay tells me that the other 75% likely had good recovery strategies in place which allowed them to forgo a ransom payment.

Shift Towards Larger Targets: The report indicates a strategic move by cybercriminals towards targeting larger organizations, a tactic known as “big-game hunting,” evidenced by increased ransom demands.

Vulnerability of Third-Party Vendors: The MOVEit attacks underscore the risks posed by third-party vendors, now identified as the leading vulnerability point in cybersecurity incidents.

Emergence of Encryption-less Extortion: A pivot towards encryption-less extortion tactics, where cybercriminals steal sensitive data and demand a ransom by threatening to release or sell the information without encrypting it, has been observed, complicating the detection and response to cyber threats.

Broad Industry Targeting: Cybercriminals have broadened their targets beyond traditional sectors, with manufacturing and education notably impacted in recent attacks.

Elevating Cybersecurity Through Strategic Third-Party Risk Management

Protecting your organization’s data, infrastructure, and other assets now requires extending security measures to cover the attack surface of each third-party vendor. Here’s how organizations can strengthen their defenses with thorough protocol development, security monitoring, and rigorous vendor assessments.

Protocol Development and Enforcement: Establishing clear, detailed protocols for your vendors to follow is critical for any effective third-party risk management program. These protocols outline security and insurance requirements and expectations for third-party vendors. Creating these protocols is just the start; the real impact comes from regularly auditing and enforcing these policies. Incorporating these standards into contracts makes compliance mandatory, improving the security compliance of the vendor network.

Comprehensive Vendor Assessment: A key element in third-party risk management is regularly performing thorough security assessments of vendors. These assessments examine each vendor’s cybersecurity framework, incident response capabilities, compliance with industry standards, and coverage. Organizations can use security frameworks, such as the NIST CSF or ISO 27001, to establish a vendor risk assessment process that uncovers possible weaknesses within vendor networks. Having open discussions with vendors about assessment results and working together to address security issues is essential to sustaining a solid cybersecurity posture against threats arising from any gaps within the supply chain.

Enhanced Security Controls: Proactive security measures up and down the supply chain are essential to counter dynamic threats that could trigger a sprawling incident. Implementing advanced security protocols and continuously monitoring third parties can prevent potential threats from materializing. Tools like automated security scanning and real-time threat detection are crucial, allowing quick identification of and response to vulnerabilities. Establishing procedures for immediate action when security breaches are detected strengthens an organization’s defense against cyber threats.

Integrating Risk Management into Cybersecurity Strategy

Integrating third-party risk management (TPRM) into a broader cybersecurity strategy is essential for creating a holistic defense framework that closes security gaps and gives the organization a clear view of its full value-at-risk. To align TPRM objectives with overall cybersecurity goals and strengthen the organization’s security posture, security leaders must actively seek out these gaps and address the vendor risks behind them.

Third-party risk governance and frameworks ensure that third-party engagements are managed under strict security standards, limiting the damage that data breaches and cyber threats affecting external entities can cause. Organizations can maintain oversight of their vendors’ cybersecurity practices by implementing a unified strategy with each vendor. Working closely and maintaining strong relationships with your third parties enhances visibility into risks, facilitates better decision-making, and ensures a cohesive response to threats. By embedding TPRM into the cybersecurity strategy, organizations can ensure that security measures are consistently applied across all external partnerships, minimizing vulnerabilities and enhancing resilience against threats in the supply chain.

Anticipating Future Challenges

Organizations must prioritize adaptability and agility to effectively anticipate and counter future cybersecurity challenges. This requires maintaining up-to-date knowledge of emerging trends and leveraging advanced threat intelligence.

The evolving tactics of cybercriminals in 2023 underscore the necessity of proactive strategies and continual evaluation of risk management capabilities. This involves staying abreast of industry developments, sharing intelligence internally and with trusted partners, and implementing measures to quickly address identified risks.

Embracing advanced technologies and fostering collaboration with industry peers helps organizations bolster their ability to detect and respond to emerging threats. By acquiring knowledge, utilizing advanced threat intelligence, and implementing robust cybersecurity measures, organizations can effectively anticipate and counter future challenges, strengthening their overall resilience.
