The Most Common Third-Party Security Gaps Businesses Should Focus On in 2023


By Gary Phipps, GRCP, CTPRP, VP Strategy & Business Transformation at CyberGRX

There’s no question that we are marching steadily into an increasingly digital future. Nor should it surprise anyone that the vast majority of businesses are prioritizing digital transformation initiatives. Modernization efforts vary based on each company’s goals. However, most companies utilize third-party partners for cloud services, managed services, and marketing, among many other uses. In fact, it’s fair to say that most companies rely heavily on third parties for operations.

While third-party vendors help companies scale, they also come with a few downsides, particularly regarding security risks related to digital transformation. IBM Security’s Cost of a Data Breach Report 2022 indicates that 83% of companies have had a data breach with an average cost of $4.35 million. The cost of these third-party breaches goes far beyond financial repercussions. They are PR nightmares that can open your company to legal battles over negligence and privacy breaches.

What’s more, as technology matures, bad actors are also growing more sophisticated in their approach. This ultimately means that your organization must take a proactive approach to your cybersecurity protocols—with a particular focus on third-party vendors.

Recent Trends in Cyber Threats

Understanding current cybersecurity threats is essential to managing risk. It’s increasingly important to vet and monitor third-party partners to ensure that their security practices aren’t jeopardizing your company, clients, or bottom line.

With that in mind, what are the most significant third-party security gaps companies need to focus on to manage risk? In this article, we outline six critical risks that should be on your radar.

Cloud Breaches

A Ponemon Study revealed 63% of organizations have difficulty ensuring their cloud environment is secure. And the problem isn’t going away. As a result of increased remote work, more companies are moving their managed services and operations to a cloud environment, working with more third-party integrations and vendors. Now is the time to scrutinize your cloud providers and the security practices they have in place.

Any time your third-party partner’s cloud platform glitches, your organization could be open to security risks. IBM’s numbers show that cloud vulnerabilities account for 15% of data breaches. With so many companies prioritizing digital transformation efforts, we expect these numbers to rise. As a result, your third-party vendor must continually monitor cloud configuration for errors, particularly as they release new updates. You’ll want to ask your third parties about their security protocols related to minimizing those risks, including:

  • Limiting and restricting outbound port access
  • Blocking ICMP messages
  • Limiting storage access
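The three controls above are the kind of thing a vendor's configuration monitoring should check continuously rather than at onboarding. The following is an added example, not code from the article or from CyberGRX: a small drift check over a constructed, provider-neutral description of a cloud environment (the rule and bucket fields are assumptions for illustration, not any cloud provider's real schema) that flags unrestricted outbound access, ICMP accepted from anywhere, and publicly readable storage.

```python
# Added example: audit a constructed cloud configuration against the three
# controls the article lists. The data model is assumed, not a real provider API.

ANY_V4 = "0.0.0.0/0"

# Constructed sample: one firewall rule set and two storage buckets.
SAMPLE_CONFIG = {
    "firewall_rules": [
        {"name": "web-in", "direction": "ingress", "protocol": "tcp",
         "ports": [443], "cidr": ANY_V4},
        {"name": "ping-in", "direction": "ingress", "protocol": "icmp",
         "ports": [], "cidr": ANY_V4},
        {"name": "all-out", "direction": "egress", "protocol": "all",
         "ports": [], "cidr": ANY_V4},
        {"name": "dns-out", "direction": "egress", "protocol": "udp",
         "ports": [53], "cidr": "10.0.0.0/8"},
    ],
    "buckets": [
        {"name": "backups", "public_access": False, "allowed_principals": ["backup-svc"]},
        {"name": "exports", "public_access": True, "allowed_principals": ["*"]},
    ],
}


def audit_cloud_config(config):
    """Return (control, resource, detail) findings for the three controls:
    outbound port restriction, ICMP exposure, and storage access."""
    findings = []
    for rule in config.get("firewall_rules", []):
        wide_open = rule["cidr"] == ANY_V4
        all_ports = rule["protocol"] == "all" or not rule["ports"]
        if rule["direction"] == "egress" and wide_open and all_ports:
            findings.append(("outbound-ports", rule["name"],
                             "egress to any destination on every port"))
        if rule["direction"] == "ingress" and rule["protocol"] == "icmp" and wide_open:
            findings.append(("icmp", rule["name"],
                             "ICMP accepted from the whole internet"))
    for bucket in config.get("buckets", []):
        if bucket["public_access"] or "*" in bucket["allowed_principals"]:
            findings.append(("storage-access", bucket["name"],
                             "bucket readable by anonymous or wildcard principals"))
    return findings


if __name__ == "__main__":
    for control, resource, detail in audit_cloud_config(SAMPLE_CONFIG):
        print(f"[{control}] {resource}: {detail}")
```

Run against the sample it reports the open egress rule, the ICMP rule and the public bucket while leaving the narrowly scoped DNS and HTTPS rules alone; a vendor's real pipeline would feed it exported configuration on every change.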

Ransomware

Ransomware attacks grew by almost 93% in 2021, and there are no signs of them slowing down. While zero risk is impossible, you have to know what you’re potentially up against, and that means understanding the security measures your vendors are taking to prevent a ransomware attack. Are patch updates kept current? What proactive training do your vendors offer their employees? What does their overall security posture look like? Additionally, should one of your third parties fall victim to a cyber attacker, you’ll want to have a formal prevention, detection, and response plan in place. Advance preparation will help you mitigate the impact on your business operations.

Stolen or Compromised Credentials

Unfortunately, human error and lack of knowledge about suspicious attempts to gain information continue to play a role in breaches. Phishing attacks are the most common, and the attackers are getting more sophisticated with their schemes. This past summer, we saw the emergence of hybrid phishing: a sly combination of email and voice social-engineering calls targeting employees with fake subscriptions and invoices, and a callback number answered by phishing actors. The goal? Trick employees into giving out sensitive information, or installing remote desktop tools onto their system, giving attackers a back door to a network. While your organization may have cybersecurity best practices baked into your culture, there’s no guarantee your third parties do the same.

According to the IBM report, nearly 20% of all third-party breaches result from stolen or compromised credentials. Bad actors gain access to credentials through various means, including other data breaches, malware keystroke loggers, and phishing attacks. While there’s no single best way to prevent this type of breach, some of the best practices for reducing risk include:

  • Establishing email security protocols
  • Training your team to identify phishing
  • Requiring full credential encryption
  • Requiring 2FA for all users and vendors

Unpatched Security Vulnerabilities

Security vulnerabilities fall into two main categories, known and unknown. Maintaining active security protocols helps you ensure that you—and your third-party vendors—stay on top of any known vulnerabilities by rapidly deploying patches.

However, the unknown risks—also known as zero-day vulnerabilities—are problems that no one has yet discovered. That is—until an enterprising security professional or malicious party identifies them. Once you know you have an issue, it’s no longer considered zero-day and should become a top priority for your next update.

The best ways to avoid these include:

  • Preparing for the worst with a well-designed recovery process and backups
  • Adopting a prepare, harden, and detect methodology
  • Creating an agile development culture so you can deploy security patches quickly

Inadequate Virtual Security

This is a big one, particularly in today’s age of modernization. Your entire organization is at risk if your firewalls, VPNs, and other security protocols are open to vulnerabilities. And, of course, this also relates to your third-party vendors’ security. So to mitigate these risks, you’ll want to ask your third parties about:

  • Virtualization-based security protocols
  • A comprehensive security plan
  • A mitigation protocol

Insufficient Data Protection

In addition to live data protection efforts, you must also protect your data storage, whether with a third party or internally. The best way to ensure that your data is safe is to set rigorous standards and frequently audit your internal process and those of your third-party vendors to ensure compliance. Additionally, you must understand that cloud-based data backups may also be at risk in the event of a breach. With this in mind, you should have a hard copy backed up on-site and require your third-party vendors to do so. This allows you to minimize disruption in a worst-case scenario.

The Bottom Line

There are many challenges facing security and risk professionals in sufficiently protecting an organization from cyber attacks. Attack surfaces have expanded; it’s not only about the security measures your organization implements but also the security practices of your vendors. Remember, breaches aren’t just a hit to a third party’s security; they also have the potential to disrupt your business as well as damage relationships with your customers. And above all, you want to ensure business continuity as well as maintain and protect customer trust.


Gary has over 20 years of experience providing program design support to program initiatives involving risk management, regulatory compliance and internal control enforcement for clients in various industries including but not limited to finance, government, defense, healthcare and higher education. Prior to joining CyberGRX, Gary advised the Citizen Utility Boards on compliance matters and acted as advisor to many Fortune 50 financial institutions as well as the DOD including the Joint Staff on how to effectively comply with imminent regulatory statutes.


