Third-party engagement has steadily become an essential part of business operations for many organizations, which enlist outside providers for all kinds of products and services across nearly all sectors, regardless of size, geographical location or type of industry. But because systems are so interconnected and third parties often hold sensitive information or have access to a partner’s systems, those third parties can also be the weak link in the cybersecurity chain.
Third-party cyber risk management
Third-party and digital supply chain attacks are on the rise, with third-party partners becoming an attractive target for threat actors for several reasons.
A third party could present a softer target, creating an opportunity for threat actors to move from that network to their primary target. In 2013, for example, hackers breached the payment and personal information of as many as 110 million Target customers after compromising the password of Target’s HVAC vendor.
A third party could provide a vehicle for widely distributing an attack against many potential targets. The recent SolarWinds supply chain hack is a prime example. Hackers, suspected of being from Russia, used a sophisticated attack to insert malware into SolarWinds’ software system, then piggybacked on updates to SolarWinds’ IT management software to spread their malware to quite a few large organizations, including several major federal agencies.
A third party can actually become the primary target if it holds the sensitive data that threat actors want. In early 2020, General Electric (GE) suffered a breach of sensitive personal information on 200,000 current and former employees when attackers broke into the systems of GE’s HR document management vendor, Canon Business P ..