Third-Party Risk: The Hidden Threat to Your Business

November 13, 2023

Organizations today work with a multitude of vendors to outsource various processes in their operations, from raw data storage to security, accounting, customer support to human resources, among other examples.

Such interconnectivity generates significant benefits by making processes faster and more efficient, employees more productive and the companies themselves more competitive.

However, a company's links with its suppliers also greatly increase its exposure to digital risks. Failures in a vendor's security defenses and practices, or those of its third parties, can put the company's data, systems, and networks at risk, even if the company has relatively robust defenses.

It is difficult to generalize because the figures can vary greatly depending on the region, sector, or type of company, but according to a study by the public entity ICEX Spain Export and Investment, the average Spanish company relied on at least 100 suppliers in 2021. And these numbers will continue to rise as business ecosystems.

At what point do suppliers become targets for cybercrime?

Cybercriminals, who constantly evolve their targets and tactics, have not overlooked this fact. Although there are different types of cybercriminals (such as those motivated by revenge or by the simple desire to show that they are capable of doing so; hacktivist profiles, which always have an ideological component behind them; state-sponsored actors; or those who engage in corporate espionage, among others), they all share the same motivation: financial gain.

About 95% of the more than 5,000 confirmed information leaks throughout 2022 were economically motivated. And 62% of them occurred through a third party.

Putting on the cybercriminal's hat for a moment, let's think: why attack a company with apparently solid defenses, when I can attack another company with less robust defenses, which has access to sensitive information that I can then take advantage of, and which will cause a domino effect that will wreak havoc on a multitude of companies worldwide? Less effort and much, much more profit.

A brief history of supply chain attacks

Unfortunately for the good guys in this story, the math is clear. Thus, the number of supply chain attacks has risen sharply in recent years. Although there are many and varied examples, here are just a few of the most prominent ones.

If we go back ten years in time, a very famous attack was suffered by the American department store chain, Target, after the theft of credentials from a supplier of air conditioning systems who was doing work in some of its centers. This incident led to the theft of 40 million credit cards and the personal information of 70 million customers. The numbers may not attract much attention when compared to more recent attacks, but at the time it made a big impact.

A series of high-impact attacks followed in the next few years:

  • In 2015, T-Mobile suffered collateral damage from the attack on Experian, one of its providers, which resulted in the theft of personal information of 15 million users.
  • In 2016, Uber suffered the theft of confidential information of 57 million users and drivers, after attackers obtained credentials from a code repository and used them to access a cloud storage provider.
  • In 2017, Equifax suffered an incident through an unpatched vulnerability in a third-party software application. Attackers managed to steal the personal information of more than 140 million people.
  • In 2018, it was the Marriott hotel chain that suffered the theft of personal information of more than 500 million guests through an attack on the booking platform it used for its hotels.

And so we come to 2023. Last April, in its weekly threat report, our Threat Intelligence team analyzed the cl0p group, highlighting its ability to cause significant operational and reputational damage by leaking confidential documentation stolen from a multitude of victims worldwide.

It specifically warned about one of the techniques used, which consists of exploiting vulnerabilities in specific products such as the Accellion FTA file transfer system or the GoAnywhere MFT secure file transfer tool, which had an impact on more than 130 organizations worldwide.

Shortly afterwards, in June of the same year, the cl0p group made all the cybersecurity news headlines with its attack on the MOVEit file transfer tool. Despite being a technology whose popularity is limited to the United States, the impact of this attack has been global, affecting more than 2,000 organizations (including British Airways, the BBC and Tesla, among others) and more than 60 million people.


How to protect oneself

Threats to the supply chain will continue to occur. That's why it's important to integrate third-party risk management into the day-to-day operation of companies, drawing on effective practices such as:

  • Assessing the security posture of third parties. Eighty-three percent of those surveyed by Gartner responded that they discovered risks in their suppliers after onboarding them into their supply chain.

  • Continuous monitoring of the entire supply chain. Once a supplier has been incorporated into our supply chain, risk monitoring must continue throughout the life of the relationship, with automatic alerts that warn us when new risks are identified or when the supplier's risk profile changes.

  • Third-party supplier monitoring. As we have seen above, it is increasingly common for a supplier to be compromised through one of its own third parties. It is therefore crucial that supply chain monitoring also extends to the suppliers of our vendors (such as SaaS applications or cloud hosting providers).

  • Reporting in business terms. Fighting risk in the supply chain is a task that involves a multitude of areas and profiles within the same organization. For this, as in many other areas, communication plays a fundamental role.
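The continuous-monitoring and fourth-party practices above, as an added illustration that is not part of the original post or of any vendor's product: two constructed snapshots of a supplier inventory are compared, alerts are raised for a missing baseline, a large rating drop, and any new finding, and findings are inherited transitively from a vendor's own suppliers. The rating scale, the drop threshold and all supplier names and findings are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Supplier:
    rating: int                                   # assumed scale: higher is better
    findings: set = field(default_factory=set)    # open security findings
    depends_on: set = field(default_factory=set)  # this supplier's own suppliers

RATING_DROP_ALERT = 100  # constructed threshold, in rating points

def exposure(name, snapshot, seen=None):
    """Findings of `name` plus, transitively, those of the suppliers it relies on."""
    seen = set() if seen is None else seen
    if name in seen or name not in snapshot:
        return set()
    seen.add(name)
    found = {(name, f) for f in snapshot[name].findings}
    for dep in snapshot[name].depends_on:
        found |= exposure(dep, snapshot, seen)
    return found

def monitor(previous, current, direct):
    """Diff two snapshots and return alerts for the suppliers we contract directly."""
    alerts = []
    for name in sorted(direct):
        prev, cur = previous.get(name), current[name]
        if prev is None:
            alerts.append(f"{name}: onboarded without a baseline assessment")
            continue
        if prev.rating - cur.rating >= RATING_DROP_ALERT:
            alerts.append(f"{name}: rating fell from {prev.rating} to {cur.rating}")
        for origin, finding in sorted(exposure(name, current) - exposure(name, previous)):
            via = "" if origin == name else f" (via fourth party {origin})"
            alerts.append(f"{name}: new finding '{finding}'{via}")
    return alerts

# Constructed sample snapshots: supplier names, ratings and findings are made up.
PREVIOUS = {
    "payroll-saas": Supplier(740, depends_on={"cloud-host"}),
    "cloud-host": Supplier(800),
    "hvac-maint": Supplier(650, {"expired TLS certificate"}),
}
CURRENT = {
    "payroll-saas": Supplier(730, depends_on={"cloud-host"}),
    "cloud-host": Supplier(700, {"unpatched file transfer appliance"}),
    "hvac-maint": Supplier(520, {"expired TLS certificate"}),
    "new-ticketing": Supplier(710),
}
DIRECT = {"payroll-saas", "hvac-maint", "new-ticketing"}  # suppliers we contract directly
```

Calling `monitor(PREVIOUS, CURRENT, DIRECT)` yields one alert per changed direct supplier; the payroll vendor is flagged only because of a finding at its own hosting provider.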

Fight third-party risk with Telefónica Tech

Improving the resilience of your supply chain and combating the hidden threat to your business posed by third-party risk is possible with Telefónica Tech.

Within our NextDefense Cyber Threat Intelligence service portfolio, we offer the Third-Party Risk service in which we combine the technology of Bitsight, a leader in the field of security ratings, with the professional services of our global DOC, to enable our customers to:

  • continuously monitor the security level of their suppliers,
  • measure the security controls of their suppliers,
  • mitigate risk in the supply chain,
  • quantify and communicate risk in a language understandable by all leaders of the various security functions in the organization.

Our Third-Party Risk service also includes the evaluation of potential suppliers before engaging in a business relationship with them. This allows us to identify potential security risks and make informed decisions about whether or not it is safe to work with them.

This comprehensive and proactive approach enables us to help our customers strengthen their supply chain and protect their business from potential external threats. This not only benefits our customers, but also contributes to raising security standards throughout the supply chain.
