Managing Third Party Risk

Christopher Eaton | July 11th, 2024

Organizational narratives all too often go something like this: a contractor for a construction firm requests an electronic payment for work performed, a departure from the established process of sending paper checks at steady intervals. The request is referred to the construction firm's bank, which requires a notarized form to be completed before it will release the payment. The form is supplied, and more than $700,000 is deposited into the contractor's bank account.

Unfortunately, the "contractor" was actually a threat actor who had gained access to the legitimate contractor's email account through a phishing campaign, inserted themselves into the existing email conversations, produced a convincing forgery complete with a realistic-looking notarized document, and vanished into thin air with three-quarters of a million dollars.

This very real story, reported in Engineering News-Record, is a prime example not only of the alarming trend in wire transfer and banking fraud that begins with a phishing campaign, but of an equally immense problem regarding third-party vendors. In this particular case, a host of third parties contracted by the construction firm (which is ultimately on the hook for the stolen money) are facing a lawsuit alleging "fraud and breach of contract [having]…failed to 'exercise due care' in maintaining and securing its email systems to prevent its use in harming third parties"1.

What is a third party?

A third-party vendor is an external entity contracted by an organization to provide specific services or products. The vendor’s responsibilities include delivering agreed upon services, maintaining quality standards, and adhering to contractual obligations, including confidentiality and data privacy. Third-party vendors play a crucial role in the organization’s operational efficiency.

As organizations become more specialized in what they deliver, it becomes increasingly important for them to work with outside vendors for complementary products or services, such as software, payroll, or sub-contracted work. Each additional business partner that is onboarded expands the attack surface of the contracting company.

Third parties are valuable partners and resources, necessary to develop and enhance business opportunities. In most cases these relationships are mutually beneficial; however, they carry risk. According to a study by the Cyentia Institute and Security Scorecard, 98% of organizations have a relationship with at least one third party that has experienced a breach2.

Why does this happen?

One reason for these risks is the lack of control over data and data flow. Third parties, in effect, control certain components of partner data and who can access it. In other words, you cannot control what you cannot control. If the vendor fails to patch its software, suffers a security issue, or is breached outright, the repercussions flow down to the contracting organization. This is seen time and time again3,4,5.

Another risk is that data sharing is inherently perilous. The more data that is shared, sent back and forth because it is housed in disparate locations, the greater the potential for misuse, abuse, or outright theft. Data mishandling is a core component of the human error6 to which the overwhelming majority of data breaches are attributed. As more people and entities are added to the data stream, the level of risk naturally increases.

Neither of these risks, nor the significance they carry for the global supply chain, can be entirely eliminated, but there are mitigation strategies organizations can employ to manage the risk associated with third parties. In no particular order:

  • Conduct a thorough risk assessment of any vendor that will have access to or handle sensitive data. Such an assessment might include vetting related internal policies, historical efficacy, and adherence to industry or regulatory compliance standards.
  • Work to ensure that all data flowing to and from your business is encrypted in transit, with certificate validation actually enforced on the client side rather than disabled to "make it work". This might require working with the internal IT team or an external security provider (yes, another third party) to implement and test these processes.
  • Build a robust internal cybersecurity posture, including 24/7 SOC (Security Operations Center) monitoring, the implementation of security policies (requiring MFA and having a strong password policy), incident response planning, and general vulnerability management via risk assessments.
  • Enhance collaboration and communication with the vendor. There is tremendous value in maintaining your agency when contracting with a third party.
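As an added example (not code from the original article or from SpearTip), the following Python shows the kind of check a practitioner can run on the TLS client configuration used to exchange data with a vendor's API: a deliberately weak SSLContext beside a hardened one, and an audit function that reports which settings fall short of "encrypted and verified". The function names, the three checks performed, and the TLS 1.2 floor are assumptions chosen for illustration; the ssl calls are Python standard library.

```python
import ssl

# Assumed policy floor for this example: TLS 1.2 or newer on every vendor connection.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for a client SSLContext. Empty list means it passes."""
    findings = []
    # Without CERT_REQUIRED the server's certificate is never validated, so an
    # on-path attacker can present any certificate and read the "encrypted" traffic.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    # A valid certificate for the wrong host is still the wrong host.
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the vendor hostname")
    # MINIMUM_SUPPORTED / TLS 1.0 / TLS 1.1 allow downgrade to protocol versions with known weaknesses.
    if ctx.minimum_version < REQUIRED_MIN_VERSION:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} is below {REQUIRED_MIN_VERSION.name}"
        )
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'it works in testing' configuration: encryption without any verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, including an attacker's
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # permit whatever the peer offers
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verified, hostname-checked, TLS 1.2+ client context using the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = REQUIRED_MIN_VERSION
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        result = audit_tls_context(ctx)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

The hardened context is passed to a client the usual way, for example `urllib.request.urlopen(url, context=hardened_client_context())`. The audit deliberately targets the most common shortcut seen in vendor integrations, `verify_mode = CERT_NONE`, which leaves traffic encrypted on the wire but verified against nothing.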

A recent report published7 by global business consulting firm Protiviti further highlights both the perception and the gravity of the challenges organizations face regarding third-party vendors. In its "Executive Perspectives on Top Risks for 2024 and a Decade Later", third-party risk is the 4th greatest concern this year and is projected to be 6th for 2034. Cyber threats, which are inextricably linked, rank 3rd this year and first for 2034.

While a great deal can be done to mitigate these challenges (several approaches are noted above), there is no indication that such risks will lessen in severity or frequency.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

Sources

  1. Korman, Richard. "Cyber Thieves Phish Away a $735K Payment to a Minnesota Contractor." Engineering News-Record, https://www.enr.com/articles/58378-cyber-thieves-phish-away-a-735k-payment-to-a-minnesota-contractor. Accessed 11 July 2024.
  2. "Cyentia Institute and Security Scorecard Research Report: Close Encounters of the Third (and Fourth) Party Kind." Security Scorecard, https://securityscorecard.com/research/cyentia-close-encounters-of-the-third-and-fourth-party-kind/. Accessed 11 July 2024.
  3. Bracken, Becky. "Home Depot Hammered in Supply Chain Breach." Dark Reading, https://www.darkreading.com/cyberattacks-data-breaches/home-depot-hammered-by-supply-chain-data-breach. Accessed 11 July 2024.
  4. Wadhwani, Sumeet. "American Express Third-Party Breach." Spiceworks Inc, https://www.spiceworks.com/it-security/data-security/news/american-express-third-party-breach/. Accessed 11 July 2024.
  5. "Caesars Says Cyberattack Stemmed from Third-Party Vendor Compromise." Decipher, 14 Sept. 2023, https://duo.com/decipher/caesars-says-cyberattack-stemmed-from-third-party-vendor-compromise.
  6. Ackerman, Jr., Robert. "Just Why Are So Many Cyber Breaches Due to Human Error?" Security Today, 2 Aug. 2023, https://securitytoday.com/Articles/2022/07/30/Just-Why-Are-So-Many-Cyber-Breaches-Due-to-Human-Error.aspx.
  7. Protiviti. "Executive Perspectives on Top Risks for 2024 and a Decade Later." 2024, https://www.protiviti.com/sites/default/files/2024-03/nc-state-protiviti-survey-top-risks_2024-2034.pdf.
