Third-Party Attacks Are a Major Cybersecurity Risk – Here’s How to Prevent Them

“The concept of a threat risk assessment, while it sounds like an enormous undertaking for companies, is the kind of thing that we as humans perform every day when we step out the door,” Wiens says. “It shouldn't be seen as something complex that you always need to be thinking about, but an everyday part of life. When conducting business, you need to regularly identify your threats, know your vulnerabilities and calculate the value of your assets.”

Wiens notes that while such assessments can be performed in-house, they are best conducted by a third party, which can then verify a company’s cybersecurity readiness for suppliers, partners and customers, who in turn should always be conducting ongoing assessments of their own.

“With a threat risk assessment you really understand what the company defines as risk,” Wiens says. “It also translates better to every part of the business – factors like vulnerabilities, technical controls, firewalls, endpoints, aren’t understood by the CEO, CFO or CIO as the word ‘risk.’ It's a great way for cybersecurity professionals not only to understand the security landscape, but also their specific business and ensure the direction they take is understood by the people they report to.”

As a Cybersecurity Advisor with CDW Canada, Mitch Kelsey has learned firsthand that too few companies are aware of the cybersecurity risks presented by third parties, as they often assume that, from an infrastructure or services perspective, they and any vendors they work with are safe.

“Organizations that rely on cloud services or other third parties to provide infrastructure or services, by nature, are opening their network to others outside their organization,” Kelsey says. “There are many benefits such as improved agility, but it also requires everybody’s business and security practices to be on the same page, and that's where the challenges lie.”

Both Wiens and Kelsey recommend that organizations and their partners ensure they follow a shared responsibility model, in which each party agrees on their role in the business relationship, including the information they need to know.

“The shared responsibility model was not a big topic of conversation before the cloud,” Wiens says. “But now that so many organizations have third-party cloud providers looking after their information, both sides need to understand who owns the risk.”

For example, Kelsey says, while the majority of public cloud breaches involve user configuration errors, breached organizations often misunderstand where responsibility lies. Under a shared responsibility model, both the vendor and the cloud consumer have a role to play, and it’s important to understand where that delineation is to know what you are accountable for.

“Organizations need to practice due diligence when it comes to the security hygiene of their partners,” Kelsey says. “Not every partner is made equal and their needs are not all equal. It’s important to think about the risks associated with the relationship you’re developing with a partner, whether it involves installing a product in an environment they've made for you or having a service provider show up at your site and receive access to your network.”

Kelsey is quick to clarify that, per its name, a shared responsibility model requires rigorous cybersecurity practices on both sides – something many organizations struggle to implement.

“That’s why healthcare organizations, financial services providers and government agencies increasingly have to demonstrate they've done their due diligence when adopting a new technology,” he says. “They need to understand the impact it's going to have on customer and worker security and privacy, as well as the impact on their IT departments, before making any decisions.”

A key reason the shared responsibility model is so valuable, Kelsey says, is it provides organizations with a foundation for cybersecurity practices: By knowing their rights and responsibilities, organizations can ensure they get the right information from the people they’re doing business with and make sound, risk-based decisions.

“There's a security principle of least privilege,” he says. “What is the minimum information we need to provide someone with so they can do the job we need them to do? And that principle needs to be applied to vendors and partners – what capabilities are they offering? What do they need to offer those capabilities, and how can we make sure that we limit the potential risk to us?”

Most importantly, organizations need to know what information can be accessed by which parties on their network, a question best answered through penetration testing of each party’s network, web applications and APIs, along with social engineering assessments to test how employees respond to common threats such as phishing attacks.

“You need to know what you’re sharing with others so that you can make business decisions based on each party’s access and needs, because it's going to be different depending on what each party is doing for customers, employees and other stakeholders,” Kelsey says. “When we talk to organizations about penetration testing, it sometimes comes up that a piece of infrastructure or software is hosted by a vendor partner, and so part of the question for us becomes whether they want us to independently validate their security standards or get them to demonstrate their standards in the form of a report or certification.”

“Clients are often hesitant to ask for a demonstration because they consider it a breach of privacy, but you should feel confident to ask because they're asking to access sensitive information about your employees or customers,” he continues.

Finally, it’s important that organizations repeatedly conduct audits over time, Kelsey says. After all, vendor partners change over time, and so do the associated risks.

Both Wiens and Kelsey advocate for third-party risk assessments, and for similar reasons.

“I always encourage organizations to start by looking at themselves first,” Wiens says. “But even when you've done it yourself, always get a third party, because communicating a security scan to an organization is better done by a third party. That way you know the feedback you receive is objective.”

While CDW is a third party itself, security-conscious organizations can rest assured that our experts are as rigorous with their own cybersecurity practices as they encourage clients and their employees to be, Kelsey says. More importantly, as an independent party, CDW is in the best position to assess the cybersecurity practices of both an organization and its partners – and recommend improvements.

“Part of our responsibility is identifying the best practices for customers based on their needs and the risk to the assets they’re protecting,” Kelsey says. “So if an organization is coming to us for technology recommendations, we’re going to make sure they have cybersecurity strategies in place that align with those needs as well.”