Third-Party Cybersecurity

In the wake of the CrowdStrike global outage, which impacted various industries worldwide, the critical role of third parties in our increasingly interconnected landscape has never been more evident. CrowdStrike reported that the outage was caused by an update with a bug that affected the Microsoft operating system, and they are actively working to remediate the issue. This incident shut down air travel, credit card payment systems, banks, broadcast services, streetlights, and even 911 emergency services, underscoring how a defect or vulnerability in third-party software can have widespread repercussions.

Businesses and organisations often rely on third-party vendors for services like cloud storage, payment processing, IT support, etc. While these partnerships can offer numerous benefits, they also introduce additional risks. The security practices of third-party vendors can directly impact the overall cybersecurity posture of the organisations they serve. This article explores the effects of third-party involvement in cybersecurity and provides practical measures to mitigate the associated risks.

The Impact of Third Parties on Cybersecurity

  • Increased Attack Surface

One of the primary concerns with third-party vendors is the expansion of an organisation’s attack surface. Each vendor integrated into an organisation’s network represents a potential entry point for cybercriminals. In August 2023, the London Metropolitan Police experienced a breach resulting from an apparent ransomware attack against an IT supplier, Digital ID. Sensitive information of nearly 47,000 law enforcement officers and staff, including undercover and counter-terrorism officers, was exposed. This incident underscores how vulnerabilities in third-party systems can have a significant impact on an organisation.

  • Supply Chain Attacks

Third-party vendors can be targets of supply chain attacks, where attackers infiltrate the vendor’s network to compromise their clients. The SolarWinds attack in 2020 is a notable example. Cybercriminals inserted malicious code into SolarWinds’ software updates, which were distributed to numerous organisations, including government agencies and Fortune 500 companies. This attack highlighted the potential for widespread damage when third-party vendors are compromised.

  • Compliance and Legal Risks

Organisations are required to comply with various regulatory standards, such as GDPR, HIPAA, or PCI DSS. Third-party vendors that handle sensitive data on behalf of an organisation must also adhere to these standards. Failure to ensure that vendors comply can result in legal penalties and reputational damage. For instance, British Airways faced a hefty fine under GDPR for a data breach that exposed customer data, partly due to inadequate third-party management.

Mitigating Third-Party Cybersecurity Risks

  • Rigorous Vendor Selection and Assessment

Before engaging with a third-party vendor, organisations should conduct thorough due diligence. This includes evaluating the vendor’s security policies, practices, and history. Tools like security questionnaires, audits, and assessments can help determine a vendor’s risk level. Additionally, organisations should prioritise vendors with recognised security certifications, such as ISO/IEC 27001 or SOC 2.

  • Continuous Monitoring and Risk Management

Security assessments should not end once a vendor is onboarded. Continuous monitoring of third-party vendors is essential to detect and respond to emerging threats. Implementing a vendor risk management (VRM) program can help track and evaluate the security posture of third parties over time. Technologies such as security information and event management (SIEM) systems and intrusion detection systems (IDS) can provide real-time insights into vendor-related activities.

  • Enforcing Strong Contractual Obligations

Contracts with third-party vendors should include stringent cybersecurity requirements. These may encompass data protection measures, compliance with relevant regulations, and incident response protocols. Additionally, organisations should ensure that contracts provide the right to audit the vendor’s security practices and the ability to terminate the relationship in the event of a security breach.

  • Implementing Access Controls and Segmentation

Access control involves limiting the data and systems vendors can access to only what is necessary for their function. Organisations that enforce strict access controls minimise the risk and impact of third-party breaches. Network segmentation can also be employed to isolate vendor access from critical systems and data. For example, using a dedicated virtual private network (VPN) for third-party access can help contain potential breaches.
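As an added example (not code from the original article), the following Python script shows how the scope granted to each vendor account, as agreed in the contract or access review, can be checked against access log lines so that activity outside the granted hosts or the agreed window surfaces as an alert for the SIEM or VRM process described above. Account names, host names, the log format and the policy are all assumed, and the log lines are constructed.

```python
"""Flag vendor (third-party) account activity outside its granted scope.
Constructed example: log format, accounts, hosts and policy are all assumed."""
from datetime import datetime, time

# Assumed access policy: which hosts each vendor account may reach and when.
VENDOR_POLICY = {
    "svc-payproc": {"hosts": {"pay-gw-01", "pay-gw-02"}, "window": (time(8), time(18))},
    "svc-itsupport": {"hosts": {"helpdesk-01"}, "window": (time(0), time(23, 59))},
}

# Constructed sample log lines: "<ISO timestamp> <account> <host> <action>"
SAMPLE_LOG = """\
2024-07-19T09:14:02 svc-payproc pay-gw-01 login
2024-07-19T02:41:55 svc-payproc pay-gw-02 login
2024-07-19T10:05:11 svc-itsupport helpdesk-01 login
2024-07-19T10:07:30 svc-itsupport hr-db-01 login
2024-07-19T11:00:00 svc-unknown pay-gw-01 login
"""

def parse_line(line):
    ts, account, host, action = line.split()
    return datetime.fromisoformat(ts), account, host, action

def check_event(ts, account, host):
    """Return a reason string if the event violates the vendor's scope, else None."""
    policy = VENDOR_POLICY.get(account)
    if policy is None:
        return "account not in vendor register"
    if host not in policy["hosts"]:
        return f"host {host} outside granted scope"
    start, end = policy["window"]
    if not (start <= ts.time() <= end):
        return "access outside agreed maintenance window"
    return None

def find_violations(log_text):
    """Run every non-empty line through the policy; returns (account, host, reason)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, _ = parse_line(line)
        reason = check_event(ts, account, host)
        if reason:
            findings.append((account, host, reason))
    return findings

if __name__ == "__main__":
    for account, host, reason in find_violations(SAMPLE_LOG):
        print(f"ALERT {account} -> {host}: {reason}")
```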

  • Employee Training and Awareness

Employees within an organisation should be educated about the risks associated with third-party vendors. Training programs can help employees recognise potential threats and understand the importance of maintaining strong cybersecurity practices when dealing with third parties. Phishing simulations and regular security drills can further enhance preparedness.

  • Incident Response Planning

Having a robust incident response plan that includes third-party scenarios is crucial. Organisations should develop and regularly update their incident response plans to address potential breaches involving third-party vendors. This plan should outline clear communication channels, roles, responsibilities, and recovery procedures.

  • Disaster Recovery and Business Continuity Planning

An effective disaster recovery and business continuity plan is essential for mitigating the impact of third-party cybersecurity incidents. These plans ensure that an organisation can quickly recover from disruptions and maintain critical operations. Key components include regular data backups, establishing redundant systems, and creating detailed recovery protocols. Regular testing of these plans is crucial to ensure their effectiveness during an actual incident.

Conclusion

Third-party vendors are integral to the operations of many organisations, providing essential services that enhance efficiency and innovation. However, their involvement also introduces significant cybersecurity risks that must be managed proactively. By implementing rigorous vendor selection processes, continuous monitoring, strong contractual obligations, access controls, employee training, comprehensive incident response planning, and robust disaster recovery and business continuity plans, organisations can effectively mitigate the risks associated with third-party vendors and enhance their overall cybersecurity resilience.
At Fortini Tech, we specialise in Governance, Risk, and Compliance (GRC) solutions tailored for small and medium-sized enterprises (SMEs). Our comprehensive approach ensures that your business is protected against third-party risks and equipped to handle the evolving landscape of cybersecurity threats. We also provide employee training to enhance your organisation’s security awareness and preparedness. Partner with us to strengthen your cybersecurity posture and secure your future.

Contact us today to learn more about how we can help you achieve robust GRC and safeguard your business.

About the Author: Abigael O. Bada is the Founder and CEO of Fortini Tech, a company delivering innovative solutions in cybersecurity, GreenTech, web and app development, and IT training. A Certified Information Systems Auditor (CISA) with a passion for sustainable technology, Abigael combines technical expertise with strategic vision to help businesses navigate the digital landscape securely and sustainably. Her articles offer valuable insights on cybersecurity best practices, emerging tech trends, and eco-friendly IT solutions. Connect with Abigael on LinkedIn to request her services or learn more about Fortini Tech’s comprehensive digital services.
