CeFPro Connect

Article
test 11-05-24
Why should organizations be prioritizing cyber security when it comes to third party risk? Are there any notable incidents that have recently occurred that support this?
May 11, 2024
Kal Khambhammettu, Managing Director, Head of Compute & Cloud Solutions Engineering, Innovation Lead, JPMorgan Chase & Co

Attackers are increasingly using third parties as channels to spread malware faster and wider by injecting malicious code directly into the software supply chain. At the same time, they use third parties as softer, less fortified back doors into the larger companies they actually want to reach, since those companies generally have more hardened security than their suppliers do. Think of the third party as the lightly guarded service entrance to an otherwise well-fortified, well-protected castle.

These attackers are essentially exploiting the trust built into supplier-customer relationships. In today’s cyber security realm, the move has been towards a security approach called ‘zero trust’, wherein even traffic on our own networks is not assumed to come from a trusted source. However, too few companies apply a zero trust mentality, or even a ‘trust but verify’ one, to the security hygiene of the third parties that receive, use, or store their sensitive and confidential information.

Third party security risk management programs are developed to address the type of third party threat in which the attacker exploits the data exchange and data storage technologies of a targeted company’s trusted third parties. A good example of this type of data breach occurred at T-Mobile in 2021. The breach exposed 75 million customers’ accounts. Hackers obtained the T-Mobile customer data, which included social security numbers and other government identifiers, by infiltrating a third-party email vendor and using that foothold to gain access to T-Mobile servers.

A 2020 GE data breach was caused by a successful attack on one of the company’s third parties, Canon Business Process Service, a human resources document management provider. Sensitive data, including the personal health information (PHI) of more than 200,000 GE employees, was exposed in the breach.
