Threatonomics

How To Think About Third-Party Cyber Risk Management During A Recession

by Laura Hiserodt , Staff Writer
Published July 19, 2023


More than 21,000 employees were laid off in the technology sector in the first three weeks of 2023. This follows a staggering 107,000 jobs cut, mostly in the latter half of 2022, and signals danger for the larger ‘white-collar’ job market.

As companies beyond the technology sector follow suit and try to increase profitability through staff reductions, they will inevitably turn to third-party vendors to help manage their IT business operations. However, as breaches from SolarWinds to Home Depot have shown, third-party IT vendors almost always increase the risk of an incident by expanding an organization’s attack surface.

In fact, Resilience’s 2022 claims data show that vendor breaches accounted for 28% of the critical points of failure in incidents experienced by insureds. This was the largest cause of claims, ahead of phishing and privileged access management, and it highlights the interconnectivity of computer systems and data privacy risk at a time when organizations are also cutting the staff who would normally manage and vet these vendors.

Managing the Hidden Risks of Third-Party Vendors: Protect Your Business From Cyber Threats and Liability

Third-party IT vendors are critical to almost every business. SaaS solutions provide everything from sales and marketing software to payroll and even security operations. According to Deloitte, “Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings.” This lesson is doubly true during a recession.

While these vendors are critical to many different types of business operations, Resilience’s Security Team has found that many claims arise from third-party vendors. Logically, this also makes sense as vendors expose your organization to increased cyber risk due to a lack of visibility into their data security controls. The fallout from a breach in a vendor’s systems holding your data can trace back to your business and ultimately cause the data you’ve shared with them to be compromised. This can lead to liability for your organization or even an entry into your systems for criminals like ransomware gangs.

Data from a 2021 Ponemon report showed that 54% of organizations who reported a data breach found the cause to have come from a third-party vendor. More concerningly, the report also noted that only 34% of organizations were confident that their vendors would notify them of a breach.

Even third-party vendors with a history of strong cybersecurity controls can fall victim to specific targeting by adversaries because of their clients; this is called a “supply-chain attack.” The infamous 2020 attack against SolarWinds Orion, a third-party IT monitoring software employed worldwide, brought headline-grabbing attention to the severity of “supply-chain attacks.”

Not only was SolarWinds affected by the breach, but thousands of its clients, including the US government, had their data accessed by an APT (advanced persistent threat) adversary. Resilience’s security team has also seen malicious APT actors leveraging last year’s infamous Log4Shell vulnerability as a pathway into the IT vendor supply chain, with disastrous consequences for their customers.

It’s time to think differently about cybersecurity

This potential increase in third-party vendor risk over a recession requires security leaders to think differently about their cybersecurity posture. Companies must learn to analyze cyber risk as they onboard new vendors and identify new threats they are exposing by sharing data. Keeping up with the risk from vendors and your organization’s vulnerabilities is a massive task for any staff member, company department, or organization to tackle. That’s why it’s important to transition from cybersecurity to a cyber resilience mindset.

What’s a cyber resilience mindset?

A cyber resilience mindset focuses on determining the risks that matter most to an organization by anticipating and responding to the real-time threat landscape. The strategy centers around minimizing the severity of a cyberattack by connecting an organization’s technical cybersecurity visibility, its security hygiene practices, and cyber insurance coverage.

Applying cyber resilience thinking to 3rd-party vendor management

  • Cybersecurity visibility: Identify the technical connections that share data with vendors and ensure they can’t act as a vector for an attack. The SolarWinds attack used a critical system patch to deliver malware to SolarWinds’ customers. While this kind of attack is tough to stop, implementing a process that verifies data coming from vendors and limits data going out can help reduce your risk of a “supply chain” attack.
  • Security hygiene: Ask all the vendors you have identified as critical for the results of their most recent penetration testing and audits. They should be able to walk you through their data handling policies and how they actively work to protect your data as if it were their own. Vendors may sometimes have more robust data security controls than your own organization; use these results to learn about your own cyber hygiene priorities.
  • Risk transfer: You have transferred productivity (or security) to a third-party vendor; consider transferring some financial risk as well, through tools like insurance. Rather than thinking of insurance as a tool for a “worst case scenario,” think about the financial outlay it buys you to free up resources for other projects. If your ransomware policy comes with incident response services, consider whether this frees up funding to invest back into your own team.

Leveraging Holistic Cyber Risk Management with Resilience

At Resilience, we have found that organizations that manage their cyber risk holistically are significantly better prepared for cyber incidents, leading to lower costs from claims and more return on investment from their security controls.

As global economic trends change how businesses operate, the cyber landscape will grow in complexity and increase the risk to organizations. Building a network of cyber-resilient vendors and holistically managing your own risk will allow your organization to take a digital hit without impairing its material ability to deliver value, and help you evade threats altogether. That’s the goal of Resilience.

Resilience offers insurance through its licensed and appointed insurance agency, and security services through its expert security team.

Insurance products are produced by Ocrea Risk Services, LLC (NPN 19169260) and are underwritten by Homeland Insurance Company of New York or Homeland Insurance Company of Delaware, each subsidiaries of Intact Insurance Group USA LLC with their principal place of business at 605 Highway 169 N, Plymouth, Minnesota 55441. Security services are provided by Arceo Labs, Inc. d/b/a Resilience.
