ENCRYGMA: "Third-Party Cyber Risk Can Be Lethal for Your Organization. TRUST NOBODY!"
Updated: Jul 5
LEAVE NO TRACE
The weak link in your enterprise security may actually be your partners and suppliers. Supply chain attacks, also called value-chain or third-party attacks, occur when someone infiltrates your system through an outside entity that has access to your systems and data.
A combination of supply chain complexity, increased cloud storage, new data privacy regulations, remote work, and rising cyberattacks have created the perfect storm for third-party cyber risk—and the numbers bear this out.
56 percent of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information is increasing.
In response, regulators are increasingly looking at third-party risks. Last year, New York State financial regulators began requiring financial firms with a presence in New York to ensure that their suppliers’ cybersecurity protections were up to par. Next year, Europe will do the same, with its GDPR, which applies to any company that collects personal information from Europeans and comes with steep fines for non-compliance—up to 4 percent of total global revenues.
To protect your company and avoid penalties, you will need to closely vet the security of the companies you do business with in 2021, align your security standards with theirs, and actively monitor third-party access.
According to a recent Gartner report, the median organization contracts with 5,000 third parties. In addition, 72% of compliance leaders expect that number to increase by 2022.
These numbers matter because every third party expands an organization's attack surface, leaving it more exposed to attacks that arrive through those partners. Bottom line? The more third parties you work with, the greater the cyber risk.
COVID-19 has resulted in increased cyberattacks.
Cyberattacks have increased significantly in the wake of the coronavirus pandemic. According to Zscaler, in March alone there was a 30,000% increase in COVID-19 related attacks and malware.
Many of these attacks exploited the “new normal” of businesses working from home, with far less security in place than at the office. In fact, 51% of companies experienced more phishing attacks due to employees working remotely (Barracuda).
Small supply chain partners have been particularly vulnerable to such attacks because they often lack the necessary security know-how and human resources.
Third-party vulnerabilities are being exploited.
According to a recent Gartner report, the majority of data breaches and cyberattacks exploit third-party cyber gaps. The report found that in 2019, 44% of companies experienced a significant data breach through a third-party vendor. (Source: “Procurement on the Front Lines: New Trends in Data Privacy and Cybersecurity Risks,” May 26, 2020.)
Similarly, Deloitte reported that 83% of organizations experienced a third-party incident in the past three years, with 11% causing a severe impact on customer service, financial position, reputation, or regulatory compliance.
These statistics illustrate why it’s so important to have a comprehensive third-party security management process in place that pinpoints cyber gaps and helps close them.
All types of organizations are vulnerable to third-party cyberattacks.
You might think that financial institutions are, by definition, the most secure and hence the least likely to suffer a cyberattack. However, according to Carbon Black, 33% of surveyed financial institutions said they’ve encountered island hopping, an attack where supply chains and partners are commandeered to target the primary financial institution.
This is only one example. Organizations of all sizes and from all industries are susceptible to third-party cyberattacks.
Third-party cyber incidents are more expensive and frequent.
Your organization has a lot to lose from a data breach—and it’s not just customer trust. According to the aforementioned Gartner report, having a third party involved in cyber incidents has the effect of making them both more expensive and more frequent. In fact, the report concluded that a data breach is $700,000 more expensive when a third party is involved.
Data privacy regulations are increasing and are being enforced.
One Gartner report recently pointed out that the last 12 months have seen more changes in privacy than the entire century before it. With regulations like GDPR, CCPA, the New York Shield Act, and many more, organizations are struggling to keep up and to make sure that their third parties comply as well.
These regulations are being enforced, and the penalties can be substantial. According to Help Net Security, 340 GDPR fines have been issued totaling over £150 million since May 2018—and that’s just one regulation.