The AT&T data breach will teach many people many lessons, and not just about the importance of safeguarding telecommunications data. For those paying attention, the newly disclosed 2022 AT&T breach is a reminder that cyber security is a supply chain problem, too. Cyber security breaches and data losses, including those associated with third parties, remain a constant issue across industries today.
In July 2024, AT&T revealed that call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-customers were exposed through an illegal download from a third-party cloud platform. Although the content of calls and messages was not exposed, the impact of the breach is significant, highlighting the need for mature third-party risk management (TPRM) processes.
A recent SecurityScorecard report showed third-party information security weaknesses remain a significant concern. The study indicates that 98% of organizations have connections with third parties that have been breached within the last two years. Third-party vulnerabilities have led to nearly 30% of breaches.
Effective TPRM, the foundation of cyber resilience, requires a holistic and collective responsibility shared by Chief Information Security Officers (CISOs), tech teams, procurement, supply chain, legal and compliance departments. Relying solely on risk ratings and monitoring tools for each risk domain leaves enterprises vulnerable: as false positives and warnings skyrocket, alert fatigue sets in and real threats are missed, go unnoticed and remain unmitigated.
The Ripple Effect of Third-Party Risk
Cyber threats such as intellectual property (IP) theft, distributed denial of service (DDoS), malware, and ransomware pose an increasing and persistent cybersecurity risk to organizations and their third-party ecosystems.
Bad actors exploit a company’s vulnerabilities by targeting its third parties, where they expect and often find less robust security controls, and use that foothold to gain access to sensitive company information, data and customer records.
According to Black Kite, in 2023 there were more reported third-party breaches (81) than in 2022 (63), but with a smaller cascading impact (251 impacted companies, compared to 298 in 2022). Third-party breach mitigation strategies seem to be at least somewhat effective, but hackers aren’t giving up in their pursuit of any security weakness they can find and breach. As third-party relationships expand, a major brand may literally have hundreds or thousands of third parties associated with it, and any one of them may present an opportunity for a bad actor. In fact, the pace is picking up, putting even more pressure on organizations to assess and improve the maturity of their current risk management practices and extend those practices across their third-party ecosystems.
Good TPRM practices can be complex, because risk stems from a variety of areas such as regulatory requirements, ESG reporting, and geopolitics. The impact of disruptions – whether material supply disruptions, regulatory data breaches, or financial losses – ripples through every segment of the business, with harmful effects on reputation, customer attrition, business continuity, and financial outcomes.
By compromising vulnerable points in an organization’s supply chain, cybercriminals gain access to a wealth of critical information that can hinder the operations of the entire enterprise.
Ultimately, third-party risk threatens the entirety of your business: the core of your brand, your business outcomes, and your long-term viability.
And enterprise risk is rising.
Forrester’s 2022 data shows that 43% of global enterprise risk management (ERM) decision-makers confirmed that enterprise risk has increased over the past 12 months, with 34% of those who experienced increased enterprise risk attributing the rise to increased reliance on third parties.
The TPRM Journey: A Holistic Approach to Cyber Resilience
Worldwide regulations continue to unfold, and organizations are increasingly being held accountable for the unethical or unsustainable business practices of their third parties, in areas including data privacy, cyber security, anti-bribery and corruption, and ESG.
Furthermore, Gartner research shows that 60% of organizations work with more than 1,000 third parties – the very parties increasing enterprise risk.
These expansive ecosystems challenge TPRM teams to mature their processes and develop efficient workflows that can handle complexity while implementing best practices that prevent risk from leaking into the enterprise. Leveraging a TPRM program, teams can streamline and automate even the most complicated processes and achieve faster cycle times and more consistent outcomes.
The Role of Cybersecurity Ratings
Risk ratings are a handy tool, making the collection of security data more effective by offering an instant score of a third party’s information security posture and supporting TPRM programs with continuous monitoring.
Although cybersecurity risk ratings provide value, an “outside-in” view based on externally available data points can only tell you so much. As with any tool, it’s important to understand how ratings are best utilized, and what they are and aren’t capable of providing.
Cybersecurity risk ratings may be representative of a firm’s in-the-moment information security posture and may give some indication of its defenses against a security incident or breach. But they do not provide lasting assurance, and they do not assess third-party threats in other areas of risk, such as financial, operational, privacy, reputation, or business continuity. Cybersecurity ratings also typically won’t evaluate risks aligned to due diligence requirements that extend beyond standard industry frameworks such as NIST, PCI or ISO 27001.
At a time when so many risks cut across organizational boundaries, it is important to evaluate the full set of risk factors in order to produce accurate risk evaluations. After all, a single third party may represent multiple risks to your organization, including compliance, sustainable supply chain, and cybersecurity risks. The assessment of a third party must include an information security risk assessment, but it must also cover a broader range of risk domains.
This is why a cybersecurity risk rating is part of an effort to enhance and strengthen TPRM processes and evaluations, not replace them. Rather than using cybersecurity point solutions as their only TPRM assessment tool, more risk-mature organizations incorporate ratings with the help of TPRM tools that add business context and make ratings actionable.
Maturing Your TPRM
Here are a few third-party risk management best practices that business leaders can put into place now to ensure a more complete approach to their TPRM programs. Taking these steps helps to ensure their organizations can build collaborative risk-centric ecosystems that uncover threats, mitigate risk and avoid liabilities across multiple risk categories.
- Education: Education is a good way to kick off the relationship, setting the stage for success. Run security awareness programs for your teams and your third parties, and repeat reminders on good cyber hygiene often and visibly.
- Risk Evaluation: Perform a thorough review of your third party’s corporate policies and procedures, their control mechanisms, and all supporting documentation to ensure they meet your security expectations. Work collaboratively to close any gaps before you move on to doing business together.
- Set security expectations: Ensure you clearly spell out your security needs in contracts, including compliance with all relevant laws and standards.
- Incident response: It’s critical that your partners have a solid plan of action for when things go wrong, including established roles and responsibilities and response SLAs, so that risk is genuinely shared.
- Access control: Exposing the personal information of tens of millions of customers can lead to significant financial losses, legal and regulatory fines, extensive brand damage, and more. Provide no more access than absolutely needed, and as relationships change, so should access. And remember: Monitor. Monitor. Monitor.
- Periodic reassessments: Things change, and not always for the better. Periodic reassessments ensure you catch them when they do. Keep an eye on your third parties’ security practices by performing regular audits and certification checks. The cadence and intensity of audits should be based on the risk the third party poses, and on its relevance and potential impact to your business.
The success of these types of attacks often hinges on the trust between parties in the supply chain, underscoring the importance of third-party relationship management and the need to foster a risk-aware culture across the supply chain.
A holistic approach to TPRM enables teams to streamline and automate even the most complicated processes so they can prevent third-party risk from leaking into the enterprise.
So, the question is, do you know where your leaks are?