The Invisible Danger: Why 3rd Party Management is a Critical Component of Your Cyber Resilience Strategy

Think of your organization as an impenetrable fortress. Every wall is fortified, every gate is guarded, and every door has the latest security locks. But what if the threat comes not from a frontal assault, but from a trusted ally who unknowingly carries a threat within your walls through their daily access and services? This is the threat of third-party cyber risk.

In today's interconnected world, businesses rely on a network of external partners and suppliers. While these relationships are essential to growth and efficiency, they also introduce hidden vulnerabilities. Recent incidents, such as the suspected third-party breach at Discovery Insure, highlight the urgent need for vigilant third-party management practices.

The Silent Assailants: How Third-Party Breaches Happen

Third-party vendors are like trusted couriers that keep the wheels of your business turning. But if those couriers are compromised, they can inadvertently expose you to the risk of a breach. As the father of systems thinking, Dr. Russell Ackoff, observed, "A system as a whole contains two or more parts, each of which can affect the properties or behavior of the whole." Third-party breaches occur when attackers exploit vulnerabilities in the external vendors or partners an organization relies on for various services. These vendors often have access to sensitive information or critical systems within the organization, giving cybercriminals an additional point of entry. Attackers may use techniques such as social engineering, phishing, or exploitation of known software vulnerabilities to gain access to the vendor's systems, and once inside they can move laterally into the target organization's network. The Discovery Insure incident is a prime example: attackers used personal information from previous data breaches to bypass verification processes, demonstrating how historical data breaches can have long-term cybersecurity implications.

Discovery Insure in South Africa recently faced a sophisticated scam targeting high-profile customers such as Magda Wierzycka, CEO of Sygnia. This "whaling" attack leveraged personal information from previous data breaches, bypassing traditional security measures and exposing sensitive data. Such incidents underscore that even the most robust internal security measures can be undermined by vulnerabilities in third-party relationships.

Other examples of major financial institutions breached by third parties in the past year include:

  1. PayPal – 34,942 Social Security Numbers: In early January 2023, PayPal reported that approximately 34,942 users' accounts were compromised due to a credential stuffing attack. Credential stuffing involves attackers using previously leaked usernames and passwords from other breaches to access user accounts. The breach exposed sensitive information, including full names, Social Security numbers, dates of birth, postal addresses, and individual tax identification numbers.
  2. TD Bank – 15,549 Social Security Numbers: In May 2023, TD Bank experienced a data breach affecting 15,549 customers, exposing their Social Security numbers. This breach was part of a larger trend of financial institutions being targeted for their valuable customer data. The breach was attributed to vulnerabilities in third-party systems that TD Bank relied on.
  3. Capital One – 16,779 Customer Account Details: On April 26, 2023, Capital One reported a breach affecting 16,779 customer accounts. The exposed information included account details, highlighting the risk posed by third-party service providers. The breach was a result of insufficient security measures at a third-party vendor, which allowed attackers to gain unauthorized access.
  4. Bank of America – 495,000 Customer Accounts: In one of the largest breaches of the year, Bank of America disclosed that 495,000 customer accounts were compromised on March 28, 2023. This breach was linked to a third-party service provider who had inadequate security practices.
  5. NCB Management Services – 1,087,842 Customer Accounts: On May 19, 2023, NCB Management Services, a debt collection agency, reported a massive data breach impacting over 1 million customer accounts. The breach resulted from vulnerabilities in the third-party services NCB used, leading to the exposure of personal information and account details.

These breaches collectively highlight the significant risks associated with third-party vendors and the need for robust management strategies to safeguard against such vulnerabilities.

Strategic Thinking: Transforming Third-Party Risk Management

  1. Think beyond compliance; being an industry leader in cyber resilience practices will position you as a partner of choice: Simply meeting regulatory requirements is no longer enough and should not be the driver. The strategic intent should be to implement best practices tailored to your business processes and to treat cyber security as a business imperative for customer centricity. If you drive this strategically, you will be compliant by default. It starts with embedding an effective, tailored assessment framework that combines best-practice standards with industry-specific requirements.
  2. A comprehensive framework and approach to its evaluation: We need to move away from outdated audit methodologies. Third-party risk management can't be driven by Excel spreadsheets and "going through the motions" questions that create the illusion of active risk management. The assessment needs a proactive and strategic approach: a comprehensive onboarding process for new suppliers, regular rigorous audits, continuous monitoring of third-party activities, proactive management of the issues those assessments raise, and active consequence management if a vendor fails to meet your stated standards at any point in time. This should be coupled with technology that can assess a third party's risk exposure with less reliance on human answers to questions, using a scoring system that backs up the assessment with defined artifacts representing true cyber posture.
  3. Collaborative defense with proactive protection and response capabilities: Access to shared threat intelligence, coupled with well-defined incident response plans for various scenarios, enables a unified defense strategy that can collectively mitigate risk and isolate known exposures. Shared threat intelligence involves the collection, analysis, and dissemination of information about potential and existing threats. This data is gathered from a variety of sources, including internal systems, third-party vendors, and public and private security communities. By sharing this information, organizations can gain insight into emerging threats, attack vectors, and adversary tactics, techniques, and procedures.

The effectiveness of collaborative defense depends heavily on timely and accurate execution. Rapid detection and response are critical to minimizing the impact of a security incident. The key to this capability is having the right tools, processes, and people in place to act quickly and efficiently.

Creative Solutions for Enhanced Cyber Resilience

  1. Gamify and simulate security breaches: Engage your employees and partners through gamified security scenarios. Simulate various attack scenarios, both through theory-based training and by hiring red team capabilities to look for actual exploits. This not only makes training fun, but also increases vigilance, proactively identifies actual vulnerabilities, and can minimize the impact of a breach.
  2. Leverage AI and machine learning: Use advanced technologies to detect anomalies and predict potential breaches. AI can analyze patterns and flag suspicious activity that may be missed by human oversight. SIROC Enterprise Solutions, for example, can support proactive, customized third-party capabilities by automating assessments, cascading actual artifacts from multiple sources, analyzing them against our best-practice-based framework, and then providing multiple visual scorecards that can help determine what needs to be prioritized, quarantined, removed from the ecosystem, or executed.
  3. Zero-Trust Architecture and Practices: Adopting a zero-trust security model requires rethinking traditional security frameworks. Instead of assuming that everything on an organization's network can be trusted, a zero-trust model operates on a "never trust, always verify" principle. This means that every access request, whether from inside or outside the network, must be authenticated, authorized, and continuously validated before access is granted.

Onboarding New Third-Party Vendors

  1. Thorough Vetting Process: When onboarding new third-party vendors, conduct a comprehensive vetting process. This should include background checks, security assessments, and reviews of their cybersecurity policies and incident history. Make sure you score all third parties based on their assessed cyber posture, which in turn determines the minimum requirements for access, ongoing engagement, processes, and procedures to be followed.
  2. Security Questionnaire: Require vendors to complete a detailed security questionnaire that covers issues such as privacy practices, encryption standards, network security, and breach response protocols. This will help you assess their security posture and preparedness. However, this should be backed up with hard, tangible artifacts that demonstrate their answers to these questions.
  3. Contractual Obligations: Ensure that contracts with new vendors include fair but stringent cybersecurity requirements and clearly defined responsibilities. Outline the consequences of non-compliance and set expectations for regular security reviews, coupled with their commitment and SLA to mitigate risks. The key is to drive the right behaviors needed to holistically protect our organization and our customers' interests.
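The onboarding steps above (score each vendor on assessed posture, and give questionnaire answers no credit unless they are backed by tangible artifacts) can be made concrete in code. The following is an added example written for this article; it is not SIROC's tool or any vendor's product. The control areas come from the questionnaire list above, while the weights, the required artifact types per control, the score thresholds, and the two sample vendors are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Questionnaire areas named in the article, each with an ASSUMED weight (sums to 100)
# and an ASSUMED set of artifact types that must be supplied to evidence the answer.
CONTROLS = {
    "privacy_practices":    {"weight": 20, "artifacts": {"privacy_policy", "data_processing_agreement"}},
    "encryption_standards": {"weight": 30, "artifacts": {"crypto_standard", "tls_scan_report"}},
    "network_security":     {"weight": 30, "artifacts": {"pentest_report", "network_diagram"}},
    "breach_response":      {"weight": 20, "artifacts": {"incident_response_plan", "tabletop_exercise_report"}},
}

# ASSUMED score-to-access mapping: the posture score determines the minimum
# requirements for access, as the vetting step above describes.
TIERS: List[Tuple[int, str]] = [(80, "standard"), (50, "restricted"), (0, "blocked")]


@dataclass(frozen=True)
class Answer:
    """One questionnaire answer: what the vendor claims, and what evidence they attached."""
    claimed: bool
    artifacts: FrozenSet[str] = frozenset()


@dataclass
class Assessment:
    score: int                      # 0..100 posture score
    tier: str                       # access tier derived from the score
    gaps: List[Tuple[str, str]]     # (control, missing artifact) pairs to track to closure


def score_control(name: str, answer: Optional[Answer]) -> Tuple[int, List[str]]:
    """Return (points earned, missing artifacts) for one control.

    A 'yes' answer earns points only in proportion to the required artifacts
    actually supplied; an unevidenced claim earns nothing.
    """
    spec = CONTROLS[name]
    required = spec["artifacts"]
    if answer is None or not answer.claimed:
        return 0, sorted(required)
    evidenced = answer.artifacts & required
    earned = spec["weight"] * len(evidenced) // len(required)
    return earned, sorted(required - evidenced)


def access_tier(score: int) -> str:
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "blocked"


def assess(answers: Dict[str, Answer]) -> Assessment:
    """Score a vendor's questionnaire and produce the gap list for follow-up."""
    total = 0
    gaps: List[Tuple[str, str]] = []
    for control in CONTROLS:
        earned, missing = score_control(control, answers.get(control))
        total += earned
        gaps.extend((control, artifact) for artifact in missing)
    return Assessment(score=total, tier=access_tier(total), gaps=gaps)


# Constructed sample vendors (not real companies).
VENDOR_FULLY_EVIDENCED = {
    name: Answer(True, frozenset(spec["artifacts"])) for name, spec in CONTROLS.items()
}

VENDOR_PARTIAL = {
    "privacy_practices":    Answer(True, frozenset({"privacy_policy", "data_processing_agreement"})),
    "encryption_standards": Answer(True),                                   # claimed, no evidence
    "network_security":     Answer(True, frozenset({"pentest_report"})),    # half evidenced
    "breach_response":      Answer(False),                                  # not claimed at all
}

# A vendor that answers "yes" everywhere but attaches nothing: scores zero.
VENDOR_ALL_TALK = {name: Answer(True) for name in CONTROLS}

if __name__ == "__main__":
    for label, answers in [("full", VENDOR_FULLY_EVIDENCED), ("partial", VENDOR_PARTIAL), ("all-talk", VENDOR_ALL_TALK)]:
        result = assess(answers)
        print(f"{label}: score={result.score} tier={result.tier} gaps={len(result.gaps)}")
```

The gap list is the input to the tracking described under Regular Audits: each missing artifact becomes a remediation item with a deadline, and the score (and therefore the access tier) is recomputed as evidence arrives. Partial credit per control is a design choice; a stricter policy could award a control's points only when every required artifact is present.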

Ongoing Assessments and Monitoring

  1. Regular Audits: Conduct regular audits of your third-party vendors to ensure that they are complying with your security standards. This can include both scheduled assessments and surprise inspections to verify their ongoing compliance. Track their progress in closing identified gaps in their cyber posture with set timelines, and ensure they are contractually obligated to do so.
  2. Continuous Monitoring: Implement constant monitoring systems to track third-party activity in real-time. This helps you identify potential threats and respond quickly to suspicious behavior. Through intelligent technology, external data aggregation, and strategic partnerships, you can receive early warning information to ensure that you can prioritize actions to avoid, detect, and prevent an intrusion.
  3. Periodic Reviews: Schedule regular reviews of the vendor's security posture and performance. Use these reviews to update contracts, address any issues, and ensure that their security measures evolve with new threats. Third-party risk management can't be a static process, and initiating regular reviews will ensure continuous improvement, relevance to evolving risks, and overall maintenance of your cyber resilience.

Conclusion

In a world where digital interactions define the business landscape, the strength of your cybersecurity strategy is only as robust as the weakest link in your third-party ecosystem. Your organization’s security is inextricably linked to the practices of your partners and vendors. By investing in comprehensive third-party management, you’re not just safeguarding your data; you’re fortifying a network of trust that spans beyond your immediate control. The question is not if you can afford to invest in these measures, but rather, can you afford not to?

Building a resilient cyber defense requires foresight, collaboration, and an unwavering commitment to continuous improvement. It's about creating a culture where security is everyone's responsibility, and where every access point is scrutinized with the same rigor. As we navigate the complexities of digital transformation, let's make sure our strategies are as dynamic and adaptive as the threats we face. After all, in the realm of cybersecurity, true resilience comes from unity, vigilance, and a relentless pursuit of excellence.

About SIROC

SIROC Group is home to several innovative companies across Europe that provide advanced technology solutions, advisory services and strategic execution enablement to many customers across the globe. Our expertise spans across a range of areas including AI-driven Cybersecurity, Secure Application Development, Cloud Infrastructure Management, Workflow Automation and Advanced Data Analytics.

With a strong focus on effective execution, innovation and a commitment to quality, SIROC Group is at the forefront of industry trends and standard practices, and we welcome the opportunity to work with businesses looking to leverage the latest technology to drive growth, transformation and achieve their strategic objectives.