Third party risk management is the process of managing the risks introduced by suppliers and other third parties, often specifically risks to sensitive data and customer information.
Most organizations interact with hundreds, if not thousands, of third party vendors and suppliers. Many of these relationships are necessary and clearly beneficial to the business: they help to increase revenue, improve customer loyalty, and access expertise and resources outside your immediate business. These relationships, however, rely on putting trust in that supplier.
Ransomware and The Supply Chain
You don’t have to think too hard to reel off a range of massive supply chain compromises. In the past year, we’ve dealt with the fall-out of breaches to SolarWinds, Kaseya and Accellion. My colleague Sean Nikkel wrote an excellent blog on what we can learn from these huge supply chain attacks.
Ransomware has had a broader impact on supply chain risk than these headline cases suggest. After one of its third party suppliers fell victim to a ransomware attack, Canada Post informed 44 of its large commercial customers that their customers’ data had been exposed online. This is not an isolated event: we have detected thousands of ransomware victims whose data was exposed across dark web leak sites, and much of that leaked data belongs to organizations other than the victim itself.
Performing Risk Assessments
Sharing sensitive company data outside your own network carries risk, and that risk extends to third (and fourth) parties. This does not mean you cannot share it, but the decision to do so should rest on a reasoned assessment of the additional risk it brings to the business.
We have written before about the top priorities for these third party risk assessments and the four areas practitioners should focus on:
- Security practices
- Privacy policies
- Data retention policies
I won’t rehash our previous advice, but for more details on these, check out Top Priorities for 3rd party risk assessments.
One clear limitation of these third party risk assessments is that, by their nature, they are point-in-time. Some organizations therefore turn to security rating services that rank vendors on a risk score. While these services offer an incredibly useful view of a supplier’s potential risk, they do not tell the whole story.
For example, what happens when a contractor exposes credentials on GitHub? How do I know if a supplier goes home and backs up sensitive data to a misconfigured online file store? What if my emails are exposed in a ransomware attack against someone I have done business with? These are the unique challenges facing security teams today.
To gain visibility of where data is exposed, we have written a guide – Data Leakage Detection Solutions Guide – that outlines some of the best practices and free tooling to gain this sort of visibility.
How SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) Helps
SearchLight is not another vendor risk rating service; there are plenty of those doing a tremendous job. Instead, SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) focuses on detecting where your data is exposed, no matter who has exposed it or where it is online.
SearchLight continuously monitors the open, deep, and dark web, including closed and technical sources, for third party data breaches relevant to your organization, including billions of files exposed via misconfigured S3 buckets, FTP, RSync and SMB.
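To show the kind of check behind the misconfigured-S3 case above, here is an added example that is not part of the original post or of the SearchLight product: it classifies the response a bucket you own returns to an unauthenticated listing request and flags keys that look like customer data exports. The XML body is a constructed sample, and the `SENSITIVE_HINTS` list is an assumed, illustrative set of filename patterns.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class BucketExposure:
    bucket: str
    status: str              # "public-listing", "private", "missing" or "unknown"
    keys: list = field(default_factory=list)


def _local(tag: str) -> str:
    """Strip the S3 XML namespace so tag matching works with or without it."""
    return tag.split("}")[-1]


def classify_listing(bucket: str, http_status: int, body: str) -> BucketExposure:
    """Classify an *unauthenticated* GET on a bucket URL (no credentials sent).
    A 200 carrying a ListBucketResult means anyone on the internet can
    enumerate the objects; 403 means the bucket exists but listing is denied."""
    if http_status == 404:
        return BucketExposure(bucket, "missing")
    if http_status == 403:
        return BucketExposure(bucket, "private")
    if http_status != 200:
        return BucketExposure(bucket, "unknown")
    root = ET.fromstring(body)
    if _local(root.tag) != "ListBucketResult":
        return BucketExposure(bucket, "unknown")
    keys = [el.text for el in root.iter() if _local(el.tag) == "Key" and el.text]
    return BucketExposure(bucket, "public-listing", keys)


# Assumed filename hints that would warrant a closer look; tune per organization.
SENSITIVE_HINTS = (".sql", ".bak", ".csv", "backup", "export", "customer")


def flag_sensitive(keys: list) -> list:
    """Return the subset of exposed keys whose names suggest customer or backup data."""
    return [k for k in keys if any(h in k.lower() for h in SENSITIVE_HINTS)]


# Constructed sample of a publicly listable bucket (not a real bucket or listing).
SAMPLE_PUBLIC = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-vendor-backups</Name>
  <Contents><Key>logo.png</Key><Size>1024</Size></Contents>
  <Contents><Key>exports/customer_list_2021.csv</Key><Size>44512</Size></Contents>
  <Contents><Key>db/prod-backup.sql</Key><Size>9000000</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    result = classify_listing("example-vendor-backups", 200, SAMPLE_PUBLIC)
    print(result.status, flag_sensitive(result.keys))
```

A point-in-time questionnaire would never surface the two flagged keys; running this classification on a schedule against your own inventory of buckets is the continuous view the post argues for.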
When this is combined with ransomware tracking and threat intelligence on major supply chain compromises, users benefit from the best visibility into risks coming from suppliers.