
Why Third-Party Partners Are Key to Cybersecurity

by Alistair Neil, Director of International Security Solutions, Verizon Enterprise Solutions

It hardly matters that an organisation is equipped with the most advanced threat detection and perimeter security systems in the world if some of its data resides with vendors whose threat detection tools are comparatively weak. Vendors and third-party partners can represent an organisation’s weakest link across the data supply chain. As such, companies must vet vendors to limit those potential points of entry.

The Weakest Link

Enterprises and other large organisations tend to invest heavily in cybersecurity solutions, but often the vendors they engage are smaller companies that don’t have the resources to maintain equivalent security standards. Those vendors sometimes end up as unwitting back doors to larger organisations with valuable data.

It’s not always about size but rather about the sector. Take academia as an example. Academic institutions and other research facilities sometimes house immensely valuable data on-site, like satellite technology research or nuclear research – data that can have national security and military implications. Such institutions may not meet the security standards of government agencies and departments. Knowing this, threat actors target academic institutions since they are perceived as soft targets when compared to their government counterparts.

The Importance of Vetting Partners

Vendors represent additional data risk, but cutting out partners and vendors isn’t realistic. Ours is a global, interdependent economic environment. It’s not feasible to isolate oneself, just as one wouldn’t go analogue just because digital connectivity gives threat actors additional opportunities to access data. It’s a digital world, after all. But security measures must be taken.

To mitigate third-party risk, companies must vet partners and vendors. A risk assessment may include a number of tactics, including automated external scanning to identify vulnerabilities, deep and dark web research to determine if there are any associations with threat actors, and even sending an auditor on-site to investigate potential weaknesses and irregularities.

Mitigating risk is not limited to vetting partners, however. It also entails looking beyond third-party dynamics and acknowledging the nth-party reality of the modern data ecosystem – as in partners and vendors that utilise cloud services and other vendors and partners of their own. For example, a company may use a CRM provider, but that’s not where the exposure ends, as CRM services usually operate on the major cloud providers. That’s not to say one should avoid CRM services or other platforms that rely on cloud services, but rather that a company should strive to gain a comprehensive perspective of its nth-party exposure.

The Role of Human Error

It’s hard to overstate the role the “human element” plays in data breaches. According to the 2024 Data Breach Investigations Report (DBIR), non-malicious human errors – internal mistakes, such as misdelivery, or falling for social engineering tactics, like phishing and pretexting – factor in more than two-thirds (68%) of breaches. Training one’s workforce on cybersecurity best practices, including how to spot the most common social engineering attacks, is therefore an effective way to help combat cyberattacks. This strategy also applies to vendors and partners.

Including an audit as part of the vendor selection process conveys the importance of cybersecurity to prospective vendors. Prioritising cybersecurity in the selection process can also make vendors more likely to fulfil their contractual obligations. Heightened cybersecurity awareness can likely reduce incidents and breaches related to the human element. In other words, cybersecurity accountability is key, both among a company’s employees and a company’s partners.

Minimising Exposure

The goal of cybersecurity is to reduce the risk of data breaches as much as possible. Knowledge is a big part of that process. It’s critical to have a clear understanding of where one’s organisation sits in the data supply chain, and where one’s partners and vendors lie within that supply chain. If an organisation has a full picture of its vulnerabilities as well as the vulnerabilities of the companies it interfaces with, it will be best positioned to thwart incoming cyberattacks.
