
Strategies for fortifying your defenses against external assaults by third parties

Companies must insist on and verify that their suppliers rigorously strengthen their security protocols. Occasionally, the seemingly harmless resources may contain the greatest threats.


In the increasingly interconnected world of business, third-party vendors have become a vital part of operations for many organizations. However, they also present a significant vector for potential compromise, as highlighted by numerous high-profile cyberattacks.

One such instance occurred in 2013, when cybercriminals gained access to Target's remotely accessible heating, ventilation, and air-conditioning systems, leading to the theft of 40 million credit and debit cards and data on 70 million customers. This underscores the importance of robust third-party risk management strategies, particularly for financial institutions.

Financial institutions, in particular, should implement a risk-based third-party risk management strategy. Their governing bodies need to ensure that third-party providers apply equally rigorous security measures. This includes clear governance, responsibility, and compliance structures within the institution, as outlined by the EBA guidelines.

Organizations can mitigate potential exposure by implementing various measures. For instance, requiring two-factor authentication by default across all connections is a practical step, as suggested by Valente. Additionally, reviewing the portfolio of third-party vendors and cutting unnecessary or overlapping tools can help limit risk (Holland).

It's also crucial to shift third-party risk assessments from an IT-centric perspective to a data-centric approach. Companies should consider what type of data third-party vendors have access to, such as financial information, customer records, or intellectual property (Valente).

Moreover, businesses should look for tools that integrate across the entire stack, and avoid investing in point solutions. This holistic approach can help in maintaining a consistent security posture (Holland).

Internal security settings and gaps in security monitoring should be scrutinized frequently. Regular reviews can help identify potential vulnerabilities and mitigate risks (Holland).

Penetration tests and in-depth reviews of software bills of materials are essential for assessing third-party risks. These rigorous and nuanced exercises go beyond a generic checklist in a spreadsheet (Holland).

Supply-chain attacks, such as those at Twilio and Mailchimp, demonstrate how an attack on one vendor can quickly spread to many victims. Therefore, it's essential to ensure that third parties follow equally rigorous security safeguards (Holland).

Cyberattacks via third parties are common, but the implementation of best practices can make them less so. Most organizations do not apply the same level of diligence to technologies that are not considered IT vendors. Yet seemingly non-critical services, such as janitorial supplies with automatic reordering mechanisms, can also pose risks (Valente).

In conclusion, businesses need to prioritize third-party risk management to protect their operations and customer data. By implementing robust strategies, businesses can reduce the risk of cyberattacks and safeguard their digital assets.
