How to Assess & Manage Third-Party Vendor Security Risks

Susan Morrow
January 10, 2018

One of the largest and most famous cyberattacks of all time was the Target breach of 2013. The attack exposed the data records of more than 70 million people and the payment card data of 41 million customers. The breach cost Target not only financially, but also in reputation and lost trust. The fallout includes:

  • A 46% drop in operating profit in the year after the breach
  • $18.5 million in lawsuit claims
  • One CEO resignation
  • An ongoing investigation by the FTC

All of the above started with a third-party vendor security gap. The exploited gap in Target’s security came in the guise of a spearphishing email. This email targeted an HVAC vendor in Target’s supply chain, and the theft of that vendor’s login credentials was the first step of the attack. Once those credentials were in the hands of the cybercriminal, they were used to gain access to Target’s own supply chain web portal. This was the cybercriminal’s entry point — the third-party supply chain entrance. Once inside the walls of Target, the cybercriminal located a vulnerability and used it to execute malware and exfiltrate customer data.

The Target example is an excellent case showing that our extended supply chains are no longer isolated from the main organization. And Target is not an exception to the rule. In a recent study by IDC, 83% of organizations reported that providing secure access to third parties is very difficult. In fact, 74% stated that authorized third parties gaining access to unauthorized resources had resulted in major incidents or breaches.

But it isn’t just about leaked credentials. In the case of the Yahoo! hack, which impacted 1.5 billion user accounts, the crux of the problem was traced back to insecure coding practices at an outsourced IT firm. A report on the incident by Imperva sums up the issue of outsourcing and supplier control:

In the Yahoo! incident, the vulnerable application was probably not coded by the Yahoo! team, and not even hosted on Yahoo!’s server farm. This left Yahoo! with full responsibility for securing the application on one hand, and a very limited capability to actually control the code, on the other hand.

Examples of Third-Party Vendor Security Risks

The use of third-party vendors is increasing, according to research by Bomgar. This is good news for the supply chain; adding new talent and breathing new life into an organization can open up areas of innovation that add a competitive edge. But it also adds new points of risk to manage. The examples above show where threats have entered an organization through third parties, but let’s look in more detail at the areas of security risk that third-party vendors can introduce:

  • Credential theft: Third-party vendors, such as consultants and contractors, often require privileged access to systems. Third parties are as much a target of spearphishing as any other privileged user. Even without access to specific databases or servers, vendor access to IT systems can be used as a way in through the front door.
  • Insider issues: In general, insider threats are increasing across all industries. Research by Haystax found that 74% of companies felt vulnerable to insider threats, and that third parties posed the second-biggest insider threat after employees with privileged access accounts.
  • Access control (premises): Threats against services are not only made by virtual means. Direct physical access to computers and other IT resources can present a challenge when dealing with third parties, from consultants to cleaning staff. USB devices such as the Rubber Ducky, a tool used for legitimate penetration testing, can also be put to nefarious uses, such as exfiltrating credentials and data from computers.
  • The endpoint revolution and IoT: The Internet of Things is revolutionizing supply chains. Gartner predicts that by 2020, over half of businesses will incorporate IoT into their business processes. IoT brings inherent security risks with it, as the endpoints of any given organization become more disparate and visibility becomes blurred.
  • Data risk management: Suppliers add an extra dimension to knowing where the risks in your data lifecycle reside. Coupled with this, compliance requirements often mandate that extended business associates adhere to company security strategy and policy. There are myriad areas where data leaks can occur, from both a physical and a digital perspective. Keeping close tabs on this in an organization outside your direct control is a challenge.

What Are the Best Practices for Managing Third-Party Vendor Security?

  • Know your vendor: Knowing who you are dealing with at a basic level is the first best practice in reducing risk around your third-party supply chain. In addition to ensuring you have full details of the individual or organization in your supply chain, you can also keep abreast of their organization through social media and traditional news outlets. This can give you insight into potential risk areas, or attack vectors, that might affect their industry sector.
  • Foster communication: A two-way dialog on security issues is something you should foster between your organization and your vendor network.
  • Extend security awareness: Security awareness should not be directed only at internal company employees. Because of hacks originating from third-party sources, security awareness now needs to be seen as a global issue across supply chains. Extending security awareness training to all business associates is not just a best practice, but an essential part of many regulations. Strategies can be created that build on communication best practices. For example, regular bulletins on general security issues in your industry may help to build a base of knowledge around areas of concern.
  • Incorporate vendors within security policies: When you create the security policy for your organization, don’t forget to involve and include third-party vendors. Remember to mandate regular, ongoing training for your extended vendors and suppliers.

What Should I Ask Vendors While Assessing Vendor Security Threats?

As mentioned above, communication is a key principle of third-party vendor risk management. Communication starts with asking the right questions. These questions may be specific to a vendor type. For example, if you are working with a software vendor, you need them to complete the right code analysis checks. Beyond that, there are more general questions to ask any new vendor coming on board:

  1. Do you perform security awareness training with your own staff and third-party vendors?
  2. What are your own internal security policies and how do they fit in with the overall expectation of the parent organization?
  3. In your security policies, do you have a clause for notification of issues and breaches affecting the supply chain? If so, what are the methods of communication and under what circumstances are they initiated?
  4. What security technologies do you make use of, e.g., encryption and authentication?
  5. Do you hold certificates of compliance, e.g., ISO27001?
  6. Do you have a disaster recovery plan?
  7. What physical security mechanisms are in place?
  8. What data management systems do you use?

Third-party vendors add great benefit to an organization. They extend the reach of our products and services and help contain costs. But we need to manage the inherent risks that opening our organization to outside parties brings. By setting clear expectations for third-party vendors in terms of security and privacy, we can make sure our own organization’s security efforts are kept intact and that we do not pay the heavy price that others before us have paid.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.