Third-party risk management is essential for minimizing the risks that come from external business partners. Attack surface management (ASM) can help security teams reduce the risk that third-party software and service providers create.
Your attack surface is not always “yours.” Assets managed or owned by third parties like vendors, contractors, and software providers are as much a part of your attack surface as the software your IT department creates or deploys itself.
Hackers often go after well-defended companies by attacking the less secure network-connected accounts and systems their victims do not own.
From Target in 2013 to Meta in 2021, some of the most significant breaches of the past decade have resulted from compromised third-party software and accounts. As more organizations lean on external service providers, third-party risk has snowballed:
- In a recent Ponemon study, 54% of organizations reported a breach due to a third party in the past year.
- Third-party software can allow old risks to gain a new foothold in corporate networks, and it is one reason why over 70% of organizations are still vulnerable to the Log4j vulnerability.
Regulators have also taken note of the risk third parties pose to organizations. The Digital Operational Resilience Act (DORA) will soon make extensive third-party risk management a requirement for financial institutions operating in the EU.
How Third Parties Create Attack Surface Risk
Third parties create risk by opening up unknown attack vectors.
A typical organization hosts a wide range of third-party risk sources: routine actions such as a marketing service provider logging into a content management system or a contractor connecting work-from-home devices to the network, as well as assets owned or managed directly by third-party vendors.
Since 2020, supply chain attacks have grown at a rate of over 100% a year. In 2023, supply chain attacks and other third-party risks are forecast to become an even bigger problem for two reasons:
- Organizations are using more third-party services than ever. For example, in the financial sector, the market for third-party solutions is predicted to grow by over 8% per year from 2023 onward.
- Access control for third parties is still a struggle for most organizations. 70% of organizations stated they experienced a third-party breach after giving too much access to a third party.
Threat actors are also zeroing in on potential weak points in software development processes to introduce new sources of third-party risk. There were 100 times more malicious packages uploaded to the NPM software repository in Q3 2022 than in 2021.
Although third-party risk management is something more organizations want or need to do, only some have the resources or capabilities to actually do so. In one study, over half (52%) of organizations reported needing more resources to carry out third-party risk management effectively.
Suppliers are also not taking the risk they create seriously enough. Less than 34% of companies are confident that their suppliers would let them know if they suffered a data breach that impacted them.
Establishing a Third Party Risk Management Program Is An Urgent Challenge
Third-party risk reduction is one of the next decade's most critical security challenges. Whether organizations meet this challenge will depend largely on their ability to put in place an effective third-party risk management program.
Organizations that purchase software or contract service providers need to invest more in their third-party risk management strategies to mitigate the current flood of third-party risk.
CISOs need to start regarding third parties as part of their organization’s own attack surface. They also need to take steps to vet and restructure contracts with third parties appropriately.
However, removing third-party risk altogether is effectively impossible. There are too many attack vectors created by third-party software and accounts, and an almost endless chain of mostly unknown "nth parties" also puts end users at risk.
Proof of this is that even the most mature security teams in the world have fallen victim as a result of a third party being compromised:
- Toyota Japan had to shut down manufacturing plants in February 2022 after a supplier with access to its manufacturing IT systems was hit with a ransomware attack.
- Uber suffered a series of data breaches in 2022 after databases belonging to two of its software suppliers were breached.
To reduce the impact third parties have on their attack surface, organizations need to proactively reduce the blast radius third-party assets create.
Using ASM for Third Party Risk Management
Attack surface management (ASM) allows security teams to take immediate steps toward reducing third-party attack surface risk.
Third-party risk management hinges on security teams knowing where potentially vulnerable assets are, being able to test potential sources of vulnerability, and being able to remove or isolate those assets from the rest of their network.
Even the most mature security teams typically lack the authority to test the systems behind third-party assets.
Fortunately, they can find and test the assets they connect to.
Attack surface management tools like Randori Recon allow security teams to:
- Find out what third-party assets are connected to their networks.
- Test the internal systems they connect to.
This capability gives security teams a realistic and immediate method of reducing third-party risk.
Although the unknown risks created by third-party assets being connected to their network remain, ASM gives teams a way to remove pathways between these assets and potentially vulnerable internal systems.
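One concrete way to start the first step above, finding which of your own DNS names hand traffic to third-party providers, is to scan a zone export for CNAME and MX records whose targets sit outside the domains you control and group them by provider. The code below is an added example written for this article, not Randori Recon's code or output; the zone records are constructed sample data, the provider names are invented, and the two-label registrable-domain heuristic (with a short list of multi-label suffixes) is a simplification assumed for illustration.

```python
"""Inventory DNS names that delegate to third-party providers.

Added example, not part of the original article or of any ASM product.
The zone export below is constructed sample data; the suffix list and the
registrable-domain heuristic are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample zone export: (name, record type, target).
SAMPLE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("blog.example.com", "CNAME", "sites.cms-vendor.net"),
    ("shop.example.com", "CNAME", "example-shop.storefront-host.com"),
    ("status.example.com", "CNAME", "example.status-page.io"),
    ("mail.example.com", "MX", "mx1.example.com"),
    ("intranet.example.com", "CNAME", "portal.example.com"),
    ("dev.example.com", "CNAME", "apps.cms-vendor.net"),
]

# Suffixes under which the registrable domain has three labels (assumed,
# deliberately short list; a real tool would use the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def third_party_assets(records, own_domains):
    """Map provider apex domain -> list of your hostnames that point at it.

    Only CNAME and MX targets are considered, since those are the record
    types that delegate a name to another host; A records are skipped.
    """
    own = {d.lower() for d in own_domains}
    found = defaultdict(list)
    for name, rtype, target in records:
        if rtype not in ("CNAME", "MX"):
            continue
        provider = registrable_domain(target)
        if provider in own:
            continue  # target is inside a domain we control
        found[provider].append(name)
    return dict(found)


if __name__ == "__main__":
    for provider, hosts in sorted(third_party_assets(SAMPLE_RECORDS, ["example.com"]).items()):
        print(f"{provider}: {', '.join(hosts)}")
```

The output is a per-provider list of names you own but do not host, which is the starting point for asking which internal systems those services can reach and whether each vendor still needs that path.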
Practice Third-Party Risk Management With the Randori Recon ASM Platform Today
Practicing ASM means that when a threat actor finds and exploits a vulnerability, they are left high and dry without a further course of action. ASM helps security teams go on the offensive against third-party risk and remove pathways for lateral movement.
Schedule a demo here to learn more about how ASM can help your organization with third-party risk management.