Why third-party partners are key to cybersecurity

Why third-party partners are key to cybersecurity

Alistair Neil, EMEA Senior Director of Security at Verizon Business, highlights the critical vulnerabilities that undermine an organisation’s cybersecurity posture, and how third parties can both strengthen defences and be the source of weaknesses.

Alistair Neil, EMEA Senior Director of Security at Verizon Business

It hardly matters that an organisation is equipped with the most advanced threat detection and perimeter security systems in the world if some of its data resides with vendors that have comparatively weak threat detection tools concerning cybersecurity.

Vendors and third-party partners can represent an organisation’s weakest link across the data supply chain. As such, companies must vet vendors to limit those potential points of entry.

The weakest link

Enterprises and other large organisations tend to invest heavily in cybersecurity solutions, but often the vendors they engage are smaller companies that don’t have the resources to maintain equivalent security standards. Small businesses, for instance, often manage their entire operations using mobile phones, with owners and employees alike often on the move throughout the day. But, this increased mobile device usage comes with more risk.

According to the 2024 Verizon Mobile Security Index report, 85% of respondents said risks from mobile device threats have increased in the past year and 25% of mobile users tapped on at least one phishing link every quarter in 2023.

However, it’s not always about size but rather about the sector. Take academia as an example. Academic institutions and other research facilities sometimes house immensely valuable data on-site, like satellite technology research or nuclear research – data that can have national security and military implications. Such institutions may not meet the security standards of government agencies and departments.

Knowing this, threat actors target academic institutions since they are perceived as soft targets when compared to their government counterparts.

The importance of vetting partners

Vendors represent additional data risk, but cutting out partners and vendors isn’t realistic. Ours is a global, interdependent economic environment. It’s not feasible to isolate oneself, just as one wouldn’t go analogue just because digital connectivity gives threat actors additional opportunities to access data. It’s a digital world, after all. But security measures must be taken.

To mitigate third-party risk, companies must vet partners and vendors. A risk assessment may include a number of tactics, including automated external scanning to identify vulnerabilities, deep and dark web research to determine if there are any associations with threat actors, and even sending an auditor on-site to investigate potential weaknesses and irregularities.

Mitigating risk is not limited to vetting partners, however. It also entails looking beyond third-party dynamics and acknowledging the nth-party reality of the modern data ecosystem – as in partners and vendors that utilise cloud services and other vendors and partners of their own. For example, a company may use a CRM provider but that’s not where the exposure ends, as CRM service usually operates on the major cloud providers. That’s not to say one should avoid CRM services or other platforms that rely on the cloud, but rather that a company should strive to gain a comprehensive perspective of their nth-party exposure.

The role of human error

It’s hard to overstate the role the ‘human element’ plays in data breaches. According to the 2024 Data Breach Investigations Report (DBIR), non-malicious human errors – internal mistakes, such as misdelivery, or falling for social engineering tactics, like phishing and pretexting – factors in more than two-thirds (68%) of breaches. Training one’s workforce on cybersecurity best practices, including how to spot the most common social engineering attacks, therefore, is an effective way to help combat cyberattacks. This strategy also applies to vendors and partners.

Including an audit as part of the vendor selection process conveys the importance of cybersecurity to prospective vendors. Prioritising cybersecurity in the selection process can also make vendors more likely to fulfil their contractual obligations. Heightened cybersecurity awareness can likely reduce incidents and breaches related to the human element. In other words, cybersecurity accountability is key, both among a company’s employees and a company’s partners.

Minimising exposure

The goal of cybersecurity is to reduce the risk of data breaches as much as possible. Knowledge is a big part of that process. It’s critical to have a clear understanding of where one’s organisation sits in the data supply chain, and where one’s partners and vendors lie within that supply chain. If an organisation has a full picture of its vulnerabilities as well as the vulnerabilities of the companies it interfaces with, it will be best positioned to thwart incoming cyberattacks.

1. Awareness of the environment

Organisations must have a comprehensive understanding of their digital assets, including hardware, software, networks and data. This involves conducting regular audits to identify vulnerabilities and potential attack vectors. By understanding their environment, organisations can better prioritise their cybersecurity efforts and allocate resources accordingly.

2. Understanding the attack landscape

It is essential for organisations to stay informed about the latest cyberthreats, attack methods and emerging trends. This includes monitoring security advisories, threat intelligence reports and industry news. By understanding the attack landscape, organisations can anticipate potential threats and develop countermeasures to mitigate their impact.

3. Risk assessment

Once organisations have a clear understanding of their environment, the attack landscape and their asset inventory, they can conduct a thorough risk assessment. This involves identifying critical assets and prioritisation, evaluating the likelihood and impact of potential attacks and prioritising risks based on their severity. By conducting a risk assessment, organisations can make informed decisions about where to invest their cybersecurity resources.

4. Vigilance and threat monitoring

Organisations need to be vigilant in monitoring their networks and systems for suspicious activity. This involves implementing security monitoring tools, such as intrusion detection systems (IDS) and security information and event management (SIEM) solutions. By continuously monitoring their environment, organisations can detect and respond to threats in a timely manner.

5. Training and education

Educating executives and employees about social engineering attacks is crucial for preventing successful breaches. This includes raising awareness about common attack methods, such as phishing emails, phone scams and social media impersonation. Organisations should provide regular training sessions to ensure that employees are equipped with the knowledge and skills to identify and report suspicious activities.

By adopting these measures, organisations can significantly enhance their cybersecurity posture and protect themselves from a wide range of threats. It is important to remember that cybersecurity is an ongoing process, and organisations must continuously adapt to the evolving threat landscape.

Browse our latest issue

Intelligent CISO

View Magazine Archive