Managing third-party risk with cyber security

21 May 2024

Third-party vulnerability in the changing cyber risk landscape 

The cyber risk landscape changes constantly. Recently, some of the most concerning changes in that landscape have been concentrated on third-party services. While third-party services are valuable partners for businesses, they naturally operate outside of core operations and corporate network defences, and therefore present a potential weak link in any organisation’s cyber security armour.

When we asked our panel of over 400 middle market businesses about their experience of cyber security over the past year, 25% of them had experienced a service provider suffering a data breach or cyber attack that had impacted their business financially, reputationally or operationally. This was up from only 17% when we asked in 2022.

While a third-party attack might not be a direct attack on an organisation, it is important that businesses understand the liability they face if a third-party provider they have employed is subject to a successful cyber attack. This is especially significant as the trend of targeting third parties is increasing.

Why are third-party providers such appealing targets for cyber security attacks?

Of the businesses on our panel that had experienced a cyber attack in the last year, 78% of them experienced attacks as a result of a supplier or third party being targeted by a threat actor, and 36% of those fell victim to data exfiltration due to a supplier being compromised. So why are third parties such an attractive target?

Aggregate targeting

Part of threat actors’ focus on third-party providers can be attributed to the very attractive aggregate benefit resulting from a successful breach. On top of the potential ‘weak underbelly’ that a third-party supplier presents in an organisation’s cyber security chain, many of these providers also process or hold a considerable amount of clients’ data, therefore offering a fruitful economy of scale for cyber criminals’ work effort.

For example, pension sector third-party providers host a huge amount of extremely sensitive client data. A threat actor that successfully infiltrates such a provider will both gain access to data on a large scale and cause a ripple effect of disruption for all the organisations using that provider. The gains for the attacker, and the damage to the victims, of targeting these kinds of businesses are considerable.

Access to systems 

For threat actors with the objective of deploying malware, successfully infiltrating a third party’s systems offers a similar economy of scale. This is a particular concern for software providers. The ability to infiltrate these aggregate environments in a ‘stowaway’ capacity offers access to multiple other systems and infrastructure.

If a threat actor can compromise a software provider and hide malicious code within a software update that is distributed to multiple customers, that malware could then gain access to clients’ infrastructure on a large scale.

Staying on top of culpability 

Although third-party attacks are not considered a direct attack on the contracting organisation, liability rarely sits only with the provider. As the organisation has employed the provider to do the work on its behalf, there is a lasting liability and impact following a successful cyber attack, including under the UK GDPR framework if personal data is breached during the attack.

Laying out contractual terms during negotiations is the first step in establishing liability. Organisations must ensure robust due diligence processes are in place as part of onboarding and include cyber security provisions in the contractual terms. It is also crucial that agreements outline how cyber events will be reported between both parties. Many organisations do not have an incident response playbook that covers their third parties and how each side will respond; however, this should be a key consideration, as third-party providers are key to an effective response and post-attack investigation.

Growing relevance of certifications - Cyber Essentials and ISO 27001

Certifications such as Cyber Essentials and ISO 27001 can offer some efficiencies during due diligence when entering a new relationship with a vendor.

The due diligence process of onboarding new third parties can be lengthy. The amount of information necessary to establish that the provider has effective controls and processes in place to safeguard the service provision can be considerable. Providers are regularly expected to respond to a large volume of questionnaires, which typically strains their resource capacity, meaning contracting processes can be long and arduous.

Gaining an independently verified cyber security accreditation can help reduce the burden. It communicates to potential clients and customers that the minimum standards required by those certifications have been met, offering both assurance and efficiency in a tender process. 80% of our panel said that achieving security accreditation in 2024 is a key concern for their business, to demonstrate that they provide an appropriate level of security to protect the information entrusted to them.

These certifications help to set the minimum standards, especially within industries that are less regulated. For many organisations, third parties that hold a cyber accreditation are seen to have an advantage in a tender decision-making process.

Conclusion

As the technology landscape evolves, many businesses have adopted an outsourced model, including for IT and cyber security provisions. This shift in behaviour does not go unnoticed by threat actors, who see third parties as an attractive target and a weak link in the security chain. While outsourcing brings value and addresses business needs, it also increases the risk of data security issues and regulatory compliance breaches.

Cyber attacks against third-party providers are increasing, and with the increased use of AI in cyber attacks we expect this to grow further: execution at an industrial scale, using carefully coordinated, sophisticated and far-reaching techniques, is becoming easier for threat actors. To counteract this, it is vital that organisations have confidence not just in their own systems, but also in those of their third-party providers.
