Companies increasingly rely on a network of third-party vendors to deliver organizational value and competitive advantage, outsourcing even core functions in a bid for efficiency. Unfortunately, in doing so, organizations expose themselves to risks they neither see nor control. This extended enterprise risk is referred to as 4th party risk.
To understand 4th party risk, first be clear about who a 4th party is in a supply chain. Simply put, a 4th party is your vendor's vendor. Often, your business has no direct contact with the subcontractors that the 3rd party vendor you hired works with, yet your information security team is still expected to account for the risk those 4th parties introduce.
Granted, 3rd party vendors have come under increasing pressure to fortify their security. Often, however, that pressure does not trickle down to the vendors they work with. Cybercriminals recognize this as a weakness they can exploit to get a foothold in the supply chain and, from there, into your IT infrastructure.
An Example of 4th Party Risk
The recent cyber headlines like the SolarWinds and Kaseya VSA attacks exemplify what happens with mismanaged 4th party risk.
A breakdown of the SolarWinds supply chain attack shows how threat actors compromised SolarWinds' build environment and inserted a backdoor into specific versions of the SolarWinds Orion platform, which were then signed and shipped as legitimate updates. When customers installed those updates, they installed the backdoor with them, and the attackers used it to move into the victims' IT ecosystems and potentially steal information. Roughly 18,000 SolarWinds customers received the trojanized update, including government agencies and private enterprises. For any organization whose MSP or IT provider ran Orion on its behalf, SolarWinds was a 4th party: a vendor it had never contracted with, yet one with deep access into its environment.
The attack on IT and security management software provider Kaseya further shows the risk that 4th parties working with your MSP of choice can expose your business to. Attackers exploited Kaseya's VSA remote monitoring and management product, which MSPs use to administer customer systems, to push ransomware down to those customers. The attack was particularly concerning because VSA, by nature, runs with highly privileged access to the systems it manages, so a compromise of the tool reaches every business behind the MSP and can threaten business continuity.
Now that you know what 4th party risk is and have seen some of the high-profile attacks of the recent past, it is worth looking at the risks posed to your business by MSPs that subcontract to, or build on, 3rd party tools and providers.
What Are the Impacts of 4th Party Risk?
As highlighted, your business inherits the risk of its entire supply chain ecosystem, even though it is directly connected only to its 3rd parties and not to their vendors. When a 4th party suffers a data breach, the connection it has to your 3rd party puts your business at risk. Some of the impacts of this 4th party risk include:
Ransomware
The 2021 Verizon Data Breach Investigations Report shows continued growth in ransomware attacks. The trend matters here because 4th parties are often the weakest security link in the supply chain ecosystem. Cybercriminals use 4th parties as a gateway into the environment, not only to encrypt systems but also to threaten publication of stolen data if the ransom is not paid.
This is concerning, because ransomware is costly. The same Verizon report found ransomware losses running as high as $1.2 million per incident. Worse, paying the ransom does not mean you are safe: attackers routinely copy data before triggering encryption and use the stolen copy as further leverage, so a payment may buy back access to your systems without buying back the data.
Intellectual Property Theft
Your business's intellectual property is often far more valuable than the physical assets it has acquired; it is not far-fetched to call it the lifeblood of the organization. As such, you cannot afford to have it caught in the crosshairs of cyberattacks that arrive through 4th party risk.
Remote management tools such as Kaseya VSA run with broad, privileged access to the systems and data inside your IT infrastructure, which means a breach of that tool or its vendor can lead to intellectual property theft regardless of how much you have invested in protecting that property, physically and digitally. It can take as little as one successful phishing email against a vendor's staff for an unauthorized party to reach your information.
Loss of Federal Contracts
The Federal Government has grown increasingly wary of cybersecurity risk in the wake of high-profile breaches and ransomware attacks, including the SolarWinds and Kaseya VSA incidents, which exposed serious weaknesses in the security of the software supply chain.
This created a need for bolder changes in how data security is assured. In May 2021, President Biden signed Executive Order 14028, Improving the Nation's Cybersecurity. The order modernizes the government's approach to cybersecurity and particularly affects businesses that supply IT products and services to the US government.
Among other things, the executive order raises the bar for software supply chain security. That puts pressure on your business if you win a federal contract: you must then accelerate incident deterrence, prevention, and response efforts, and demonstrate that your suppliers do the same. Overall, unmanaged 4th party risk puts your business at risk of losing a federal contract, because you become unable to meet the Federal Government's cybersecurity requirements.
Denial of Cybersecurity Insurance Claims
Cybersecurity insurance is a must-have for any business operating in today's cyber ecosystem. Unfortunately, your business faces the prospect of losing twice: it has to ward off 4th party risk, and then, after an incident, it has to fight a claim declination. Insurers look for gaps in your controls that allow them to deny the claim.
4th party risk exposes you to exactly this eventuality. After a cyber event, the insurer will require evidence that you did everything reasonably possible to prevent the incident and limit its escalation. That is hard to produce when you have no contact with the 4th party and likely no clear picture of the security measures it had in place.
Insurers increasingly require companies to attest to their own security and to the security of the contractors that have access to their systems. If you cannot show that you ensured reasonable protection through security practices and systems maintenance procedures, the insurer will cite "failure to follow" those attested practices, which is grounds for denying the claim.
Additionally, when you file a claim you must prove damages in the form of lost income and asset restoration costs. Because the full extent of the damage is almost impossible to quantify precisely, you are likely either to have the claim denied or to receive a payout that does not cover the lost income or the cost of the extortion and recovery.
How to Manage 4th Party Risk
It may seem that, regardless of your own security, you remain exposed to cyber threats from within the supply chain. The inherent risk is made worse by the lack of clear guidelines and uniform processes for 4th party risk management. What's more, the lack of direct contact between your business and the 4th party means you likely do not know what cybersecurity risk management practices that party has in place.
Fortunately, there still are measures you can put in place to mitigate these risks.
3rd Party Risk
The first is to start with a third-party risk management (TPRM) program. Simply put, a TPRM program focuses on identifying and reducing risks related to 3rd party vendors, such as MSPs, who in turn often subcontract to other vendors, the 4th parties discussed in this piece.
A TPRM program need not be elaborate to start. It begins with an inventory: a list of every vendor that has access to your IT environment, including those that process your data on your behalf, and the level of access each one holds.
Going into the management of 4th party risk, note that not every vendor is a risk, and not all risks are equal. Conduct a risk assessment, then score and classify each vendor according to the breadth and level of access it has to your IT environment and intellectual property, so that effort goes to the vendors that matter most.
As highlighted, this business model leaves your business with little or no contact with the 4th party. To reduce 4th party risk, take a more proactive role in how you deal with your vendors' own suppliers.
In light of this, create a vendor risk questionnaire that asks your 3rd parties which subcontractors they use and what access those subcontractors have, so it captures potential weaknesses among 4th party vendors. Align the questionnaire with your own risk management policies as well as HIPAA, CMMC, ISO 27001, and any other compliance requirements that apply to you. Finally, make completion of the questionnaire compulsory for every vendor with identified risk.
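The inventory, scoring and questionnaire steps above can be kept in a small script. The following Python is an added example written for this article, not code from the original post or from any vendor or product it mentions; the vendor names, the four access levels, the score weights and the tier cut-offs are all constructed assumptions. It records the access you grant each 3rd party and the access each 3rd party delegates to its subcontractors, derives the 4th parties from that graph, propagates the access and data types they inherit (bounded by both the parent's access into your environment and what the parent delegates), scores every vendor, and lists which vendors still owe a questionnaire.

```python
"""Toy vendor-access inventory (constructed example, not any vendor's tooling):
derive 4th parties, propagate inherited access, score and tier each vendor."""
from dataclasses import dataclass, field

# Assumed access scale into your environment, lowest to highest.
ACCESS_RANK = {"none": 0, "data": 1, "network": 2, "admin": 3}
ACCESS_WEIGHT = {"none": 0, "data": 2, "network": 3, "admin": 5}


@dataclass
class Vendor:
    name: str
    direct_access: str = "none"                    # access YOU granted this vendor
    data_types: set = field(default_factory=set)   # sensitive data you share with it
    # subcontractor name -> access level the vendor delegates to that subcontractor
    subcontractors: dict = field(default_factory=dict)
    questionnaire_on_file: bool = False


def build_registry(vendors):
    """Index vendors by name; subcontractors you only know by name get a placeholder."""
    registry = {v.name: v for v in vendors}
    for v in vendors:
        for sub in v.subcontractors:
            registry.setdefault(sub, Vendor(sub))
    return registry


def propagate(registry):
    """Walk the graph from the vendors you contract directly.

    A subcontractor's effective access is the lesser of what its parent holds
    into your environment and what the parent delegates to it; the strongest
    path wins. Data types flow down unchanged (assumption: a subcontractor can
    reach whatever its parent processes). Levels only ever increase, so the
    worklist terminates even if the graph has cycles."""
    effective = {n: "none" for n in registry}
    data = {n: set() for n in registry}
    via = {n: set() for n in registry}      # direct vendors the access flows through
    work = []
    for v in registry.values():
        if v.direct_access != "none":
            effective[v.name] = v.direct_access
            data[v.name] = set(v.data_types)
            via[v.name] = {v.name}
            work.append(v.name)
    while work:
        parent = work.pop()
        for sub, delegated in registry[parent].subcontractors.items():
            level = min(effective[parent], delegated, key=ACCESS_RANK.__getitem__)
            changed = False
            if ACCESS_RANK[level] > ACCESS_RANK[effective[sub]]:
                effective[sub] = level
                changed = True
            if not data[parent] <= data[sub]:
                data[sub] |= data[parent]
                changed = True
            if not via[parent] <= via[sub]:
                via[sub] |= via[parent]
                changed = True
            if changed:
                work.append(sub)
    return effective, data, via


def score(effective_access, data_types):
    """Assumed formula: access weight scaled by how many sensitive data classes are reachable."""
    return ACCESS_WEIGHT[effective_access] * (1 + len(data_types))


def tier(s):
    return "critical" if s >= 12 else "high" if s >= 6 else "medium" if s >= 3 else "low"


def assess(registry):
    """Per-vendor report: is it a 4th party, what it can reach, through whom, and its tier."""
    effective, data, via = propagate(registry)
    report = {}
    for name, v in registry.items():
        s = score(effective[name], data[name])
        report[name] = {
            "fourth_party": v.direct_access == "none" and effective[name] != "none",
            "effective_access": effective[name],
            "data_types": sorted(data[name]),
            "via": sorted(via[name] - {name}),
            "score": s,
            "tier": tier(s),
        }
    return report


def questionnaire_backlog(registry):
    """High/critical vendors with no questionnaire on file, worst first."""
    report = assess(registry)
    due = [n for n, r in report.items()
           if r["tier"] in ("critical", "high") and not registry[n].questionnaire_on_file]
    return sorted(due, key=lambda n: (-report[n]["score"], n))


# Constructed sample inventory. RMMToolCo and CloudHostCo are never contracted by
# you and appear only as subcontractors, so they are your 4th parties.
SAMPLE = build_registry([
    Vendor("ExampleMSP", "admin", {"PII", "financial"},
           {"RMMToolCo": "admin", "HelpdeskBPO": "data"}, questionnaire_on_file=True),
    Vendor("PayrollSaaS", "data", {"PII"}, {"CloudHostCo": "data"}, questionnaire_on_file=True),
    Vendor("HelpdeskBPO", subcontractors={"CloudHostCo": "data"}),
])

if __name__ == "__main__":
    for name, r in assess(SAMPLE).items():
        print(f"{name:12} 4th={r['fourth_party']!s:5} {r['effective_access']:7} "
              f"{r['tier']:8} via={r['via']} data={r['data_types']}")
    print("questionnaires due:", questionnaire_backlog(SAMPLE))
```

Running it shows the point of the exercise: the RMM vendor, which you never contracted, ends up with admin-level reach into your environment and your most sensitive data through the MSP, and so lands at the top of the questionnaire backlog ahead of the vendors you do have paperwork for.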
Learn More About Mitigating 4th Party Risk
Overall, reducing the number of third and fourth parties in your risk profile reduces these risks at the source. It also reduces cost and complexity, further streamlining and securing your supply chain ecosystem.
That's where Agile IT steps in. We are committed to eliminating the risk introduced by management software like Kaseya and SolarWinds while keeping your IT management overhead manageable. Our team focuses on the Microsoft cloud and has implemented Microsoft environments to stringent cybersecurity standards. To find out how we can help you remove and mitigate 3rd party and 4th party risks in your organization, schedule a consultation now.