Your Partners, Your Risks: Curtailing External Cyber Threats from Partner Networks
By Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC
Businesses today form a complex web of interconnected partnerships. While these relationships enable key functions, they also expand the attack surface through which cyber criminals can enter and exploit networks and data. With deeply entangled systems and data sharing, companies take on shared cyber risks. Every connection opens new avenues for compromise, exposing the entire partner ecosystem. As a result, organizations must recognize that security can no longer end at their own doors.
Take the recent Oktas and LastPass breaches, for example. These incidents underscore the sobering reality that third parties, from payment services to moving partners, can often be the weakest link for an organization, exposing crucial customer and employee information. So much so that over 60% of reported data breaches originate from external vendors and suppliers.
A third-party data breach happens when sensitive information is compromised through an outside vendor or business partner. For example, imagine an airline’s frequent flier member account details being stolen because hackers broke into the airline’s customer relationship management system hosted by a cloud provider. Or a bank suffering a breach when an employee at their payment processing partner fell for a phishing email, giving hackers access to customer credit card numbers and account balances. Or a university losing student financial aid information when a vulnerability in their enrollment management software, supplied by an external vendor, was exploited to access social security numbers and income data.
In all cases, the organization itself wasn’t necessarily the target, or the one being directly hacked, but poor security practices or vulnerabilities introduced by partnering organizations led to a costly breach for them.
The rising threat of supply chain attacks
A growing risk for companies today is suffering a data breach not through their own systems, but through a third-party software provider, for example. While organizations invest heavily in securing their own environments, the complex networks of vendors and suppliers that large enterprises rely on can introduce vulnerabilities outside their direct control. Thousands of indirect business partners, each with varying levels of cybersecurity maturity, multiply the potential attack surface. Hackers exploit this by targeting partner employees through phishing emails designed to trick them into handing over login credentials. This then grants access to a partner’s systems and data, which often interconnect with the organization’s internal tools and sensitive information needed for business operations.
Even if your own systems have strong protections, a breach at a partner with weaker security can lead to just as much damage. With so many potential avenues for compromise through the vendor ecosystem, shoring up this risk surface is an increasingly high priority for security teams.
Securing supply chain and partner networks
Securing the modern enterprise requires going beyond the four walls of your own systems. Companies need full visibility into the constellation of vendors, suppliers and partners that make up their ecosystem. Maintaining an updated catalog of all external entities in the network is table stakes, regardless of any preconceived notions of risk. Trust in partnerships remains important, but contingencies for broken trust are equally vital. Robust due diligence should be conducted on higher-risk vendors, with ongoing monitoring through audits and assessments.
Technical controls also play a pivotal role, by restricting access through isolated networks, limited credentials, and strictly enforced least privilege principles. Incident response plans must also contemplate potential supply chain compromise.
Taking a proactive approach across these areas furnishes a strong foundation for managing risk and safeguarding critical company data, even when it resides external to the organization. While eliminating all exposure is an impossible goal, strengthening security around external connections reduces the attack surface and enables faster detection and response when intrusions occur through the vendor ecosystem.
Looking ahead: The future of third-party cyber risk
As digital supply chain networks expand in complexity, organizations will need to take greater responsibility for extended cyber risks. Companies can expect to see more regulatory scrutiny of third-party security practices, vendor cybersecurity becoming a bigger part of procurement decisions, businesses investing in cyber insurance policies specifically covering supply chain attacks, and security technologies evolving to better monitor vendor access and activity.
With the right focus on access controls, monitoring, and vendor security policies, companies can reduce their exposure to supply chain attacks. But remember, data security is a shared responsibility among interconnected partners. It’s time for candid conversations about safeguarding data across organizational boundaries. As cybercriminals increasingly target the handoffs between companies, collaborative and proactive security measures will be critical.
Staying ahead of these threats means companies realize their own cyber resilience as intrinsically tied to that of your extended business network.