Third party risk: How modern businesses can gain a secure advantage
How do you gain the most from 3rd parties but also keep your business secure? I have some thoughts...
John Spiegel
11/15/2024 · 3 min read
Security breaches involving third parties are a top-of-mind item for CISOs and security leaders, as data breaches linked to third parties continue to grow. A recent high-profile event involved Toyota, where a threat actor exposed large amounts of data, including employee, customer and financial data [1]. Another involved Amgen, a multinational pharmaceutical company. In this incident, Amgen’s partner Sirva Relocation was breached first; the threat actor then traversed its network to reach Amgen and gained access to sensitive consumer data and financial account information [2]. While the cost of these two breaches has not been disclosed, IBM has sobering statistics for 2024: the cost of a breach is now $4.8M (up 10% from the prior year), while the dwell time a threat actor needs to recon and grab data has shrunk from a week to days or hours [3].
How do you defend yourself from third-party attacks? First, we need to understand why companies use third parties for critical business needs. There are several reasons. First, they can offer specialized knowledge that exists outside the company or is needed only for a short period of time. For example, a company might outsource its threat detection and incident response function to a third party that specializes in this area. Second, using a third party can reduce costs. For services like janitorial work or security guards, the high training and turnover costs can make it less expensive to outsource than to keep the function in-house. Lastly, third parties can increase speed to market, providing contractors with deep experience and access to pre-existing solutions that jump-start new product launches.
These reasons offer considerable upside to using third parties, but there are downsides as well — namely, you take on not only your own risk challenges but the third party’s as well. Here are four steps security leaders and CISOs can use to reduce the chance of a third-party breach:
Get ahead and partner, but make sure you do vendor risk assessments and audits, and ensure your cyber insurance includes riders to cover third-party risk. Make sure your security team is involved: offer advice, provide risk scenarios and help guide the company to make the right choices.
Make the connection, starting with zero trust. How do you interconnect your company with a third party? Traditionally this has been done across a spectrum from as simple as a “shared drive” to a full WAN-based interconnect, both largely based on legacy technology. Instead, start with a newer, zero-trust-based strategy. Adopt a model that assumes the third-party vendor is not inherently trustworthy. Require continuous authentication to authorize access requests. Reassess access controls and vendor-integrated systems on a regular basis. Log and review all access events in an automated manner. Leverage the new tools available to make the experience easier.
SSE and ZTNA – Look to Security Service Edge (SSE) tooling, particularly Zero Trust Network Access (ZTNA) solutions. ZTNA works at a granular level, providing access only between a user and a specific application or data set. This reduces the risk of lateral movement and of exposing critical areas of the network. ZTNA can also include “adaptive trust” algorithms that continually re-verify access and authorization at sub-60-second intervals. Lastly, ZTNA can overcome the traditional challenge of two organizations sharing an overlapping network address space. When considering ZTNA solutions for third-party access, be sure to ask about access methods. Does the vendor support agent-based, agentless and SD-WAN-based ZTNA? Having all three gives you more tools to interconnect parties safely and securely.
Educate – While doing the hard work up front, partnering with the business and adopting zero trust and ZTNA can reduce your risk profile greatly, there is one more key area to consider: training the employees who will interact with the new vendor. Make sure to review best practices for managing third-party risk, including file sharing, awareness of social engineering, rules of the road and so on. Humans are the unpredictable side of the equation. Help them understand both the value of employing a third party and the risks to the company. If you do this right, they become advocates as well as your frontline sensors for potential cyber threats.
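To make the zero-trust and ZTNA steps above concrete, here is an added illustration in Python; it is not code from this post or from any ZTNA product. It models a toy access broker that never trusts a vendor identity by default, grants access per user-to-application pair rather than to a network, re-verifies trust on a 60-second interval (a hypothetical setting chosen to match the sub-60-second adaptive trust interval mentioned above), revokes a session whose device posture degrades, and writes every decision as a structured event that an automated review can scan for repeated out-of-grant requests. The vendor name, user, application names and posture signals are constructed sample data.

```python
"""Toy zero-trust access broker for third-party (vendor) connections.
Added illustration, not code from the post or any ZTNA product. It models the
post's principles: the vendor is not trusted by default, access is granted per
user-to-application pair rather than to a network, every grant is re-verified
continually, and every decision is logged as a structured event for automated
review. Vendor names, app names and the interval are constructed examples.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REVERIFY_INTERVAL = timedelta(seconds=60)  # hypothetical: re-check trust every 60s

@dataclass(frozen=True)
class VendorPolicy:
    """Least-privilege grant: only these apps, only with MFA on a compliant device."""
    vendor: str
    allowed_apps: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True

@dataclass
class Session:
    vendor: str
    user: str
    app: str
    last_verified: datetime
    active: bool = True

class AccessBroker:
    def __init__(self, policies):
        self.policies = {p.vendor: p for p in policies}
        self.events = []    # structured decision log, one dict per event
        self.sessions = {}

    def _log(self, **event):
        self.events.append(event)

    def _check(self, policy, app, posture):
        """Return a denial reason, or None when the request satisfies the policy.
        posture is a dict of live signals: {"mfa": bool, "device_ok": bool}."""
        if policy is None:
            return "unknown_vendor"
        if app not in policy.allowed_apps:
            return "app_not_granted"
        if policy.require_mfa and not posture.get("mfa"):
            return "mfa_missing"
        if policy.require_compliant_device and not posture.get("device_ok"):
            return "device_noncompliant"
        return None

    def connect(self, vendor, user, app, posture, now):
        """Open a session scoped to one application, never a network-level tunnel."""
        reason = self._check(self.policies.get(vendor), app, posture)
        self._log(ts=now.isoformat(), action="connect", vendor=vendor, user=user,
                  app=app, allowed=reason is None, reason=reason)
        if reason:
            return None
        sid = f"{vendor}:{user}:{app}:{len(self.sessions)}"
        self.sessions[sid] = Session(vendor, user, app, now)
        return sid

    def use(self, sid, posture, now):
        """Re-verify once the interval has elapsed; a failed re-check revokes the session."""
        s = self.sessions.get(sid)
        if s is None or not s.active:
            self._log(ts=now.isoformat(), action="use", session=sid, allowed=False,
                      reason="no_session")
            return False
        if now - s.last_verified >= REVERIFY_INTERVAL:
            reason = self._check(self.policies[s.vendor], s.app, posture)
            if reason:
                s.active = False
                self._log(ts=now.isoformat(), action="revoke", vendor=s.vendor,
                          user=s.user, app=s.app, allowed=False, reason=reason)
                return False
            s.last_verified = now
        self._log(ts=now.isoformat(), action="use", vendor=s.vendor, user=s.user,
                  app=s.app, allowed=True, reason=None)
        return True

def review(events, threshold=2):
    """Automated review: vendors repeatedly denied apps outside their grant, the
    pattern that probing for lateral movement would leave in the log."""
    counts = Counter(e["vendor"] for e in events
                     if e["action"] == "connect" and e["reason"] == "app_not_granted")
    return {v: n for v, n in counts.items() if n >= threshold}

def demo():
    """Constructed scenario with sample vendor, user and app names."""
    t0 = datetime(2024, 11, 15, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker([VendorPolicy("relocation-partner", frozenset({"hr-portal"}))])
    good = {"mfa": True, "device_ok": True}
    sid = broker.connect("relocation-partner", "alice", "hr-portal", good, t0)
    ok_early = broker.use(sid, good, t0 + timedelta(seconds=30))      # inside interval
    degraded = {"mfa": True, "device_ok": False}
    ok_late = broker.use(sid, degraded, t0 + timedelta(seconds=90))   # re-check fails
    for app in ("finance-db", "erp"):                                 # outside the grant
        broker.connect("relocation-partner", "alice", app, good, t0 + timedelta(minutes=5))
    return sid is not None, ok_early, ok_late, review(broker.events)
```

Running `demo()` returns `(True, True, False, {'relocation-partner': 2})`: the first connection to the granted application succeeds, a use inside the interval is allowed without a re-check, the use after the interval is re-verified against the degraded device posture and the session is revoked, and the two attempts to reach applications outside the grant are denied and surfaced by the automated review. The point is that the grant is to one application, the approval never coasts, and the log is structured enough that the review is a query rather than a manual read.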
Third parties are a critical cog in any successful business, helping companies accelerate growth, control costs or take advantage of a new market. As a security leader, make sure to guide your company in leveraging third parties safely and securely. If you have questions on how to employ zero trust and SSE to accomplish this, reach out by commenting below. Let’s start a conversation.
1. Toyota confirms third-party data breach impacting customers
2. Amgen Announces Third-party Data Breach Stemming from Incident at Sirva Relocation
3. IBM and the Ponemon Institute: Cost of a Data Breach Report 2024