Why Third Party Risk Matters in Cybersecurity

Do you think that your company’s cybersecurity has superhero strength to rival an evil supervillain from the Marvel Cinematic Universe? Think again. You may have all the tools, technology, process, or even people in place to safeguard every nook and cranny of your organization’s networks, but ultimately, bulletproof security is unattainable. The reason? Third parties.

As companies look to third parties for specialty services, their digital ecosystems expand and intertwine. New and increased connections could give attackers more opportunities to break into an organization. Malware continues to be a popular way to manipulate third parties and gain entry into corporate networks. Let’s look at a few real-world examples of these risks:

• In June 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. Included in the exposed records were names, birthdates, addresses, phone numbers, dates of service, and more ranging from August 2018 to March 2019. Both breaches were caused by a hacker that gained access to American Medical Collection Agency’s system—a third-party that the two companies have in common.
• In June 2017, the Ukrainian tax-filing software company, MEDoc, was breached. Its servers pushed a malicious software update to clients, which caused the NotPetya outbreak. Almost every company with offices in the Ukraine was affected by this malicious update as many rely on MEDoc for tax accounting.
• In 2013, the retailer Target was breached when its HVAC vendor, Fazio Mechanical Services, had an employee’s credentials compromised. Attackers used this account to gain access to Target’s web services dedicated to vendors. It is critical for clients to identify trusted networks and connected third parties and profile the digital threat footprint for each. Our team offers clients this level of visibility and prioritizes external digital risk exposures through our Attacker Reconnaissance Service.

Unfortunately, third-party resources represent exploitable infrastructure typically outside the control of an organization's security team. Since third-party suppliers and vendors are external from your own cybersecurity organization, it is difficult to know whether the materials or systems connecting to yours are compromised. Mitigating these third-party risks today requires more visibility and coordination than ever before. Here’s how to mitigate and protect your network:

Think like the adversary and anticipate motivations and actions.

Try to determine which prized data and property are potential targets. Proactive efforts like threat hunting can help uncover evidence of compromises that are already happening or gaps in your capability to detect such activity.

Gain deeper visibility into your network across your digital and physical supply chains.

Detection and response experts at Booz Allen Managed Threat Services can deploy detection signatures onto your networks, identifying any previously unknown vulnerabilities or unauthorized network access. In addition, cyber analysts can implement continuous monitoring across your systems, vetting subcontractors and their security controls. Deploying sensors and centralized log aggregation can help you gain deep visibility across your enterprise IT networks, operational technology, and industrial control system environments. A consolidated monitoring capability provides visibility into cyber threats faster and helps uncover complex attack chains. 

Remediate infections and continually monitor your digital ecosystem for new vulnerabilities and disruptions. 

Patch impacted systems and upgrade operating systems to prevent infections from entering your networks. Adversaries continually diversify their methods to infiltrate organizations. Invest in capabilities that can detect, prioritize, analyze, and escalate these potential incidents across your digital landscape.

The Bottom Line

Addressing these emerging challenges may require looking at security from a new perspective, since it is not under the purview of traditional information security practices. In the meantime, third parties remain a breeding ground for launching attacks and distributing malware. Increasing visibility into your third-party risks through managed security services can help your enterprise become more resilient and save costs. Learn how your organization can mitigate these risks and implement a cybersecurity plan that considers your entire digital ecosystem.