Third-party Risk Management – 2023 Threat Prediction
Third-party risk management is slowly moving up security professionals’ priority lists because of the increasing number of successful attacks via third-party organisations such as suppliers and contractors.
This trend began gathering momentum after the widely publicised breach of U.S. retailer Target in 2013. However, most organisations still do not have a mature third-party risk management strategy in place. More recently, US government bodies including the Department of Defense and the Department of the Treasury were among the organisations compromised during the 2020 SolarWinds breach. Once again, this raised awareness of supply-chain attacks and how devastating their effects can be.
2023 and beyond
Successful island-hopping attacks will become more prevalent. Current market conditions are stretching cyber budgets across all industries, putting increasing strain on cyber defenders. BlackBerry’s recent study of over 1,500 IT and cybersecurity leaders found that 77% of respondents had, in the last 12 months, discovered participants in their software supply chain that they had not previously been aware of and had not been monitoring for adherence to critical security standards. This growth in supply-chain awareness is very likely to continue in 2023.
Because of this increased awareness, organisations will more closely monitor and scrutinise the partners and suppliers they choose to do business with. Gartner predicts that by 2025, 60% of organisations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements. This will have a knock-on effect even on organisations that are not security-focused, as contracts may be terminated should their cybersecurity posture not improve. Cybersecurity is increasingly becoming a team sport, as companies now police their own supply chains.
Our View
Insecure trusted third parties can leave an organisation susceptible to supply chain attacks even if it has strong cybersecurity measures in place internally. Once threat actors breach a third party’s network or codebase, the chain of trust allows them to pivot into other networks and attack surfaces. In many cases, managed service providers (MSPs) are the targets of digital supply chain attacks because they establish deep connections into their customers’ networks and cloud environments, often at administrator or domain administrator level.
“We predict that threat actors will continue to exploit the enormous potential of supply chain attacks, following in the footsteps of the SolarWinds incident. Open-source libraries and plugins will be targeted, as these are blindly trusted by companies/end users, as seen with the recent Log4j vulnerability. Attacks by nation-state actors will continue to rise, targeting not only the government/public sector but also organisations worldwide, to disrupt international trade…”
– Arjun Pednekar, CREST Fellowship and CTO of Cognisys.
Mitigation Advice:
- Continuously assess your supply chain and external contributors for their security risk, governance, and compliance policies. Minimise their access to your network as much as possible.
- Implement honeytokens (also known as honeypots) – traps placed at critical areas within the network that lure threat actors into exploiting them. Once accessed, these tokens alert the security team to a possible attack.
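The honeytoken advice above, as an added example that is not Cognisys’s own code: a small Python detector that watches for decoy identifiers (planted where a supplier or contractor with network access could find them, but never issued to anyone) and raises an alert whenever a log line mentions one, attributing the source address to a known third-party connection. The token names, vendor address ranges and log lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed decoy identifiers: planted where a third party with network access
# could find them (vendor share, config template) but never issued to anyone.
HONEYTOKENS = {
    "svc-backup-legacy": "decoy service account in vendor file share",
    "AKIAHONEYTOKENEXAMPLE": "decoy cloud access key in config template",
}
TOKEN_RE = re.compile("|".join(re.escape(t) for t in HONEYTOKENS))
# Constructed third-party access ranges, so an alert names the supplier connection.
VENDOR_RANGES = {
    ipaddress.ip_network("10.200.0.0/24"): "MSP-A remote support",
    ipaddress.ip_network("10.201.0.0/24"): "Contractor-B VPN pool",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SRC_RE = re.compile(r"\bsrc=(?P<src>[0-9a-fA-F.:]+)")

def classify_source(src):
    # Supplier name if the address sits in a vendor range, else internal/unknown.
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    return next((name for net, name in VENDOR_RANGES.items() if addr in net), "internal")

def detect(lines):
    """One alert per line mentioning a honeytoken. Failed logins count too: a
    decoy has no legitimate user, so a rejected attempt still means it was found."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        hit = TOKEN_RE.search(m["msg"]) if m else None
        if not hit:
            continue
        s = SRC_RE.search(m["msg"])
        src = s["src"] if s else "?"
        alerts.append({"ts": m["ts"], "host": m["host"], "token": hit.group(0),
                       "src": src, "origin": classify_source(src),
                       "note": HONEYTOKENS[hit.group(0)]})
    return alerts

SAMPLE_LOG = [  # constructed lines: one normal login, then three honeytoken uses
    "2023-01-09T08:14:02Z fs01 auth: user=alice src=10.10.4.21 result=success",
    "2023-01-09T08:16:40Z fs01 auth: user=svc-backup-legacy src=10.200.0.17 result=failure",
    "2023-01-09T08:16:41Z fs01 auth: user=svc-backup-legacy src=10.200.0.17 result=success",
    "2023-01-09T09:02:13Z api01 request key=AKIAHONEYTOKENEXAMPLE src=10.201.0.5 path=/v1/export",
]
```

Running `detect(SAMPLE_LOG)` yields three alerts, two for the decoy account via the MSP-A range and one for the decoy key via the Contractor-B range, while the genuine login for alice produces none.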
For more information on how to mitigate this threat, get in touch with us at info@cognisys.co.uk.