Gerasim Hovhannisyan, CEO and Co-founder of EasyDMARC, discusses why so many third-party data breaches are hitting the headlines and how organisations can best protect themselves.
In today’s digital economy, businesses are more interconnected than ever before. Complex networks of vendors, contractors, and supply chain partners all have access to internal systems and sensitive data. While this interconnection and reliance enables key business functions, it also dramatically expands an organisation’s vulnerability to cyberattacks, with more avenues for malicious parties to target data.
Recent high-profile breaches like SolarWinds and MOVEit have shown that third parties can be the weak link that exposes customer and employee information. According to Verizon research, over 60% of reported data breaches originate from external vendors and suppliers. As supply chain cyber threats proliferate, companies need proactive strategies to lock down vendor access and reduce third-party risk.
What constitutes a third-party breach?
A third-party data breach occurs when an organisation’s sensitive information is compromised through an outside vendor or business partner.
Some examples of third-party breaches:
- A retailer’s customer payment data is stolen when hackers break into a point-of-sale software vendor’s system
- A healthcare provider suffers a breach when an IT contractor’s credentials are compromised, granting access to patient records
- A marketing firm’s customer lists are exposed in a data leak at an email distribution partner.
Crucially, in each case, the organisation itself was not directly hacked. However, poor security practices at a partner, or an attack on that partner, still led to a costly breach.
The rising threat of supply chain attacks
Recent high-profile cyberattacks have drawn attention to the risks posed by third-party suppliers and vendors. While organisations focus on securing their own systems, a data breach through a partner or contractor can be just as damaging.
Third-party cyber risks are growing, with several factors driving this trend:
- Complex vendor networks: Large organisations can have thousands of indirect business partners, multiplying exposure.
- Targeted phishing: Attackers trick partner employees into granting them access to the partner's systems.
- Weaker security: Smaller vendors often lack the resources for robust cybersecurity programs.
- Interconnected systems: Partners frequently have access to the internal tools and data needed to provide their services.
Securing the supply chain
Managing third-party cyber risk starts with knowing your external connections. Organisations should catalogue all vendors, suppliers, and partners with system access. The following steps will also help mitigate risk and protect data from cybercriminals.
Vendor due diligence
Conduct thorough due diligence on higher-risk vendors. Review their security policies, procedures, and controls. Require evidence of key precautions like encryption, multi-factor authentication, and timely patching. Ask about any past cyber incidents that may indicate vulnerabilities. Formalise security expectations and compliance requirements in partner contracts to reduce breach risks.
Ongoing monitoring
Monitor partners over time through audits and assessments. Watch for security lapses that could expose systems and data.
Access controls
Limit partner access through segregated networks, restricted credentials, and the principle of least privilege. Control what they can see and do within your environment.
Incident response planning
Have an incident response (IR) plan that explicitly covers supply chain attacks. Know how your organisation will detect, investigate, and recover from a vendor-related breach.
The future of third-party cyber risk
Data breaches via partners and vendors are likely to be an ongoing struggle. As digital supply chains expand in complexity, organisations will have to take greater responsibility for extended cyber risks.
In the next few years, we can expect to see:
- More regulatory scrutiny of third-party security practices, especially in heavily regulated sectors like finance and healthcare
- Vendor cybersecurity becoming a more significant part of procurement decisions and contract negotiations
- Businesses taking out cyber insurance policies that cover supply chain attacks
- Security technologies evolving to monitor vendor access and activity better.
The expanding digital ecosystems of modern business make third-party cyber risks a growing concern. With the right focus on access controls, monitoring, and vendor security policies, companies can reduce their exposure to supply chain attacks. However, data security is ultimately a shared responsibility among interconnected partners.
Organisations need to have candid conversations with vendors and suppliers about safeguarding data across organisational boundaries. As cybercriminals increasingly target the handoffs between companies, collaborative and proactive security measures will be critical. Staying ahead of third-party threats requires seeing your own cyber resilience as intrinsically tied to that of your extended business network.