'Hack one, breach many' is here to stay: how to secure your third-party risks
The numbers tell a scary story. When polled by Ponemon, 44% of organizations say they’ve experienced a third-party data breach in the last year. In addition, 65% of respondents have not identified the third parties with access to their most sensitive data and 51% stated that their organizations are not assessing the security and privacy practices of the third parties that are granted access to their systems. That complacency has consequences. If a third party causes a breach, the cost is estimated to rise by almost $400,000. That’s a hefty price to pay for not being proactive about high-risk third-parties.
What a third-party breach looks like: Solarwinds edition
The SolarWinds breach of 2020 is a prime example of a third-party breach. SolarWinds is a third party for many organizations, including a lot of federal government agencies. That made them a perfect target because these highly sensitive agencies trust them. If a hacker were able to get into SolarWinds, it would open the door to hundreds of other organizations, which is exactly what happened. Hackers who appear to be associated with nation-state hacking group Cozy Bear, aka advanced persistent threat (APT) group 29, part of the SVR arm of Russian intelligence services, got inside the development operations of SolarWinds and managed to insert malware inside a software update that the company distributed in March. Once installed, the malware “phoned home” to a command-and-control network run by the hacking group, which enabled them to enter the network and take further action. Since the patch came from the company and was digitally signed by SolarWinds, few companies would have known their software was compromised. This kind of hack was much more valuable than hacking any single machine on the network or even a server since the software enables access to attack all the network hosts.
Why are third-parties so risky?
The risk is in the connection. That connection point between a third party and a client’s system is the biggest point of risk because it serves as a tunnel to who knows how many organization’s systems, sensitive data and OT. As the world becomes more digitized and connected, those connection points accelerate. Like in the case of SolarWinds, many are connected to valuable systems that can’t afford (literally and figuratively) to be held for ransom. Think of all the connections a healthcare system or a supply chain organization has. The damage from a third-party hack to any of those industries can quickly turn devastating. In addition, third-parties are full of unknown identities. You can’t create role-based access control when there’s no HR system for third-parties. You don’t know the user accessing your most valuable assets and access points. That lack of visibility extends into the tools those third-parties are using. Are they secure? Have they been updated? What are they exactly? Those questions can be hard to answer, and the less time an organization spends on that visibility, the more at risk they are.
How to keep your systems safe from risky third-parties
Don’t worry; that third-party risk can be mitigated. There are several ways to make sure your organization’s relationship with third-parties is safe and secure. 1. Standardize your access methods. 2. Identify your users and define access policies. 3. Control every aspect of access. 4. Gain visibility into access and access points. In this case, information is power. The more you’re able to hold third-parties to the same rigorous controls and access policies you have for your internal users, the safer your organization is. ‘Hack one, breach many’ is here to stay, so secure your access points before it’s too late. Learn more about securing third-party risks with our webinar series.