If I asked you how much the threat landscape for third-party attacks is evolving, how would you answer?
Well, if you said too fast, you’re correct.
The number of total third-party breaches may have dipped in 2022, but the attacks were more destructive and impacted almost twice as many victims. As if that wasn’t enough, the average time between an attack and the disclosure date in 2022 was 108 days, a 50% increase from 2021.
But to protect against these attacks and communicate the risk they pose, you have to understand them fully. Operating on only a partial understanding of third-party cyber risk puts your organization in danger of losing revenue, time, customer trust, and brand reputation.
Join us to learn more about:
- What exactly is third-party cyber risk.
- The dangers of overlooking third-party cyber risk.
- Real-world examples of third-party cyber breaches.
- How to think about risk so you can better protect yourself from disaster.
What is Third-Party Cyber Risk?
Let’s start from square one and first dive into what we mean by “third party” and “cyber risk.”
What is a Third Party?
When we say “third party” in cybersecurity, we’re talking about third-party vendors. A third-party vendor is a company or person that provides a service for another business or the business’s customers.
Think of a convenience store that sells candy. You buy candy from the convenience store, but the store doesn’t make the candy. It gets the candy from another company. The candy company is a third-party vendor for the convenience store.
There are many types of third-party vendors in the business world, from lawyers to finance firms to software developers. For our purposes, we will focus on third-party vendors that could pose a cyber risk.
Why focus on cyber services? In 2022, technical service vendors were the top target of third-party breaches (30% of incidents). If your company uses a third-party vendor with access to your data, you should understand the cyber risk that connection poses.
What is Cyber Risk?
Let’s talk about risk. Say you have an old, flimsy, and utterly bald car tire. What’s the risk of using this tire? Did you say, “Your car could crash?” Wrong! It was never specified that the tire was for driving.
What if the tire is being used as a swing? If someone were to use the swing, the risk would be the tire falling apart and the user getting injured. But if no one uses the tire as a swing, it poses no risk.
Risk is all about context — the specific situation you’re in. The amount of risk per vendor will vary by how much your business relies on the vendor for day-to-day operations, customer experience, finances, etc.
Now, on to cyber risk. Third-party cyber risk is how much a third-party vendor could hurt your company if they experience a cyber breach or attack.
Cyber risk is something every business should be aware of. If your organization uses a third-party vendor that holds your data or connects to your systems, that vendor's weaknesses become part of your attack surface, and you are exposed to an attack yourself no matter how strong your own defenses are.
Vendor Risk, in MY Business?
Third-party cyber attacks happen frequently, and many don’t even get reported. Here are some of the biggest third-party cyber attacks of 2022 (that we know about).
Humana – September 2022
Humana fell victim to a data breach after Choice Health, one of Humana’s third-party vendors used to help sell products, was attacked. The breach compromised customers’ first and last names, Social Security numbers, birthdays, addresses, health insurance information, and more.
Toyota – February 2022
Toyota Motor shut down operations at every plant in Japan after one of its third-party vendors was hit with ransomware. Because the vendor in question is a major supplier of plastic parts, the attack heavily disrupted Toyota’s supply chain.
Boeing Employees’ Credit Union (BECU) – July 2022
A network security incident at one of Boeing Employees’ Credit Union’s (BECU) third-party vendors resulted in a data breach affecting BECU customers. The breach resulted in the release of customer names, addresses, account numbers, credit scores, and Social Security numbers.
Do you know what would happen to your company if one of your vendors were breached? There’s a better way to understand how third-party cyber vendors could affect your organization.
Um, Why Isn’t Everyone Talking About This?
Often, people deprioritize third-party cyber risk in favor of what they consider more pressing concerns, such as profits, employee retention, etc. What they don’t realize is that a poor understanding of cyber risk can impact every aspect of the business.
The dangers of not understanding third-party risk are often overlooked because tech and non-tech executives often have different communication styles. Cybersecurity professionals have a deep knowledge of how a breach could affect their data access and daily operations. However, non-technical executives may think about the business differently. For example, a CFO may be less concerned with daily operations and more concerned with meeting this month’s sales quota.
These differing communication styles can make it difficult for each party to understand the true risk posed by a third party. Lack of time and miscommunication are the leading causes of misunderstanding and underestimating the impact of cyber risk.
How to Accurately Assess Third-Party Risk
Want to know how you can accurately assess the cyber risk of a third-party vendor?
A standard method is sending out questionnaires to your vendors that usually ask questions such as:
- Who is responsible for your cybersecurity practice?
- Can you show us your cybersecurity infrastructure?
- What networks and data from our company can you access?
However, these questionnaires are often long and complex, making them challenging for vendors to complete. Even when a vendor does complete one, it is hard to tell whether the questionnaire asked the right questions to assess risk accurately in a rapidly evolving threat landscape. The answers are also self-reported and describe a single point in time, so they cannot show whether a vendor’s controls have slipped since the form was filled in.
So if questionnaires aren’t the best way to assess risk, what is? Check out part two of this blog series, where we explore how to perform an accurate and effective risk assessment and why standard methods don’t cut it.