Does five million dollars sound like a high price tag for a data breach? If you aren't keeping an eye on third-party network access, there's a 25% chance you'll have to pay that bill.
In the age of digitization, manufacturers increasingly have to grant data access to third-party vendors, most notably suppliers. Every third party with access represents a potential avenue for cyberattack. Managing third-party cybersecurity can be overwhelming and a drain on internal resources for companies, but ignoring the issue means rolling the dice as the number of third-party cyberattacks rose in 2022.
That's according to the new report on third-party remote access risk from the privacy, data protection and information security policy research center Ponemon Institute. According to the report in FY2022, 49% of respondents experienced a data breach or cyberattack caused by a third party, directly or indirectly. That number is up from 44% in FY2021.
Lack of oversight or governance was cited by 60% of respondents as their most significant barrier to achieving a strong cybersecurity posture, with 51% citing insufficient visibility of people and business processes as the second-largest challenge. That's in regard to cybersecurity generally. Third-party network access further complicates the challenge.
You Can't Restrict Access You Don't Know About
For example, 51% of the respondents don't have comprehensive inventories of third parties with access to their data networks. Another 55% of respondents can't identify all third parties with access to their most sensitive data.
In other words, these companies don't know all the potential avenues of cyberattack they need to defend against or the potential severity of damage if and when bad actors achieve a breach through third-party networks.
"A common challenge we see when industrial organizations try to inventory third-party access to their data is in defining scope of the inventory. It may sound simple, but third-party data access varies by levels of data sensitivity and confidentiality, as well as by both the profiles of users and providers of that data," Samuel Icasiano, managing director at Deloitte's cyber and strategic risk practice, tells IndustryWeek. "Understanding all the third parties an organization exchanges data with is difficult, given data can be exchanged in many different ways (e.g., automated data feeds, emails, manual USB drives, data exchanges)."
"Not all third parties go through procurement, so there may be no record of the relationships," Alla Valente, senior analyst at Forrester, tells IndustryWeek. "We see shadow procurement in areas like data and marketing technologies, and subscriptions that can be purchased on a corporate card. The other [reason] is that certain types or categories of third parties may be excluded from inventory, such as PR agencies, external legal counsel, outsourced accounting firms, gig workers, etc. They are often excluded from the third-party inventory."
Too Much Access Equals Too Much Risk
Companies take steps to address these issues. Over 60% reported measures to protect access for high-value data assets, 63% enhanced their use of restricted control areas and 60% took steps to make sure level of access is appropriate for job function.
However, if you throw third-party access into the mix, numbers get worse. Only 43% of respondents report the ability to provide third parties with enough access to perform their designated responsibilities and nothing more; only 38% know what network access third parties have, period; and only 45% can identify specifically which third parties have access to the most sensitive data.
"We tend to think of access as the sole responsibility of security or risk teams, but they’re not the ones that own the business relationship," Valente says. "Thorough risk assessment, automated identity and access management are important. But so is insight into contract start and end date."
"If the terms of the contract (what they’re providing), or the level of risk changes during the course of the relationship," Valente continues, "that could require reevaluation of the level of access or the termination of access permissions altogether."
"Complicating things further is the need to consider which pieces of data can be interpreted differently by both the users and providers of it," Icasiano says. "For example, one piece of sensitive data from the factory floor accessible by certain third parties with context could potentially pose a greater organizational risk than a full set of sensitive data from the factory floor accessible by certain third parties without context.
"To establish third-party ‘least-privileged’ access, business stakeholders need to closely consider many facets, including the sensitivity classification of data involved, what device or asset profile will be used to access the data, what service will be accessed, what transaction is being executed and which business stakeholder is responsible for ongoing third-party relationship and access management decisioning," Icasiano continues.
"Assess potential vendors prior to a contract and continue to assess these vendors no less than annually," says Tim Marley, vice president of audit, risk and compliance and field CISO at cybersecurity firm Cerberus Sentinel. "Take a reasonable approach to your vendors based on their relationship to your systems and data. For those critical third parties, take a deeper dive. Consider not only confidentiality, but also availability. Keep in mind that your third party's viability as an ongoing organization may have a direct impact on your abilities as well."
Things improved slightly when it comes to restricting third-party access to function-appropriate levels, however. In FY2022, 70% of respondents reported a third-party breach or cyberattack owing to giving third parties more privileged access than they needed, down from 74% in FY2021.
Why Not Zero Trust?
The zero-trust cybersecurity model, relentlessly requiring fresh credential verification and trusting no devices by default, seems tailor-made to handle third-party cybersecurity concerns. However, according to the Ponemon Institute report, organizations largely do not implement zero-trust policies.
Some organizations don't even monitor third-party access to sensitive and confidential information at all. Instead, 59% of these respondents said they relied on the business reputation of the third party, 58% had faith in contractual terms to assume third-party access to that information was safe and 56% stated the third party is subject to data-protection regulations anyway.
Even if they wanted to check or verify third-party access to sensitive information, 58% of respondents lack the internal resources to do so. Only 46% of respondents have confidence in the third party's ability to secure information. And 61% of all survey respondents, whether they monitor this access or not, have any confidence that a third party would notify them in the event of a data breach.
As much as zero-trust policies might make sense considering how little faith companies report in third-party data security, Icasiano says they represent a fundamental shift in how organizations historically manage third-party access. These policies are just low on companies' priority list, says Valente.
"There’s a strong desire to implement zero-trust policies—but when you struggle to even get full visibility of what your internal employees or former employees have access to, third-party vendors may seem like a lower priority," says Justin McCarthy, co-founder and CTO of cybersecurity firm strongDM.
Get Ahead of Third-Party Cybersecurity
The Ponemon Institute report also contains some good news: 59% of respondents say their cybersecurity policy has changed over the past two years with restricting network access, enhanced physical controls and ensuring appropriate level of access for job function as the three most common policy updates. These numbers are for cybersecurity generally and not third-party specific, however.
"Developing new, innovative approaches to third-party risk management, including continuous monitoring of those risks, can help to reduce the risk of third-party related data incidents," Icasiano says. "Some of the innovation we are seeing includes developing metrics and indicators related to the likelihood of a third-party cyber incident. This enables first parties to proactively prepare and engage with third parties to mitigate such risk, including the mishandling of sensitive data."
"Some organizations take things a step farther, by leveraging modern identity access management solutions to model baseline activity of users over time and develop an idea of what ‘normal’ activity is," Icasiano continues. "Such identity-access management tools can also enable organizations to remove third-party access that is not used frequently, or that should end at a certain point in time.
"The key to easily managing third-party access while protecting against insider threats is a proactive security approach. Proactive security platforms can help to detect threats based on risk using automated, machine learning-driven analysis, also known as behavioral analytics," says Tyler Farrar, CISO at cybersecurity firm Exabeam. "With a baseline of normal behavior for all users and assets who interact with a network, including third parties, security teams are empowered to respond more quickly and decisively, increasing the accuracy of mitigating a security incident and not interrupting day-to-day business operations.”
