As social distancing becomes more prevalent during the COVID-19 (Coronavirus) pandemic, many organizations are moving to a virtual workplace. Organizations preparing for a predominantly virtual workplace may begin working with additional third-party vendors in order to maintain business continuity.
But while third-party vendors can help with maintaining the business, they also bring additional risk, which may be overlooked while day-to-day operations are changing rapidly.
In this blog, we will discuss the risks organizations face from relying on third parties during the COVID-19 outbreak.
COVID-19 themed cyber campaigns just days after pandemic began
Mere days after COVID-19 started to spread around the globe, threat actors began taking advantage of the opportunity to target organizations and individuals with COVID-19 themed attacks (see our blog How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation).
March 15 2020: The United States Department of Health & Human Services was targeted in a distributed denial of service (DDoS) attack, likely aimed at undermining the department’s response to the COVID-19 pandemic.
March 12 2020: Security researchers identified a fraudulent website, pretending to promote the system optimization software and utilities from WiseCleaner, distributing a new variant of ransomware called “CoronaVirus”.
January 29 2020: Security researchers reported that the Emotet trojan was being distributed via phishing emails containing fake COVID-19 public health warnings.
While organizations alternate operations to ensure employees’ safety, it is unfortunately an opportune time for threat actors to take advantage of the concern. We are likely to see threat actors targeting third-party vendors to gain access to organizations’ data during this pandemic.
3 Types of third-party risks to watch out for
Third-party data breaches are nothing new.
Headlines are filled with breaches caused by criminals accessing an organization’s data through a third-party vendor. Threat actors often look for the path of least resistance when attempting to infiltrate networks, and targeting third-party vendors allows cybercriminals to remain undetected and possibly target multiple organizations at once. In August 2019 for example, threat actors were able to use a third-party vendor to spread the Sodinokibi (REvil) ransomware to 22 Texas cities.
As organizations rush to prepare themselves for a new workplace standard and the lasting impact of COVID-19, they also need to consider the additional risks associated with their third-party vendors.
Moving to a virtual workplace increases the use of online channels including meetings, communications, and daily operations. Higher online dependency presents increasing cybersecurity risks as the attack surface expands beyond the organizations’ traditional network.
According to a 2018 study by the Ponemon Institute, nearly 60% of companies surveyed have suffered a data breach at the hands of a third-party vendor and only 34% have a comprehensive inventory of all third-party suppliers they work with.
Organizations that do not typically have remote workers may have to take on additional third-party vendors for services such as virtual private network (VPN) and e-meetings.
Third-party risks can include operational risk, transaction, risk, and compliance/regulatory risk. Let’s dive into each of these.
1. Operational risk
Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems, or policies. These types of risks can include employee errors, system failures, fraud or other criminal activity, and any event that disrupts business processes.
It is imperative that third party vendors are scrutinized to ensure the needs of the organization can be met. This should include ensuring the third-party vendor has a business continuity and disaster recovery plan. Ensuring a third-party has a plan to get through the COVID-19 pandemic is vital since their own failure may result in a loss to your organization as well.
2. Transaction risk
Transaction risk is the risk of loss due to problems with the service or delivery. These types of risks include inadequate capacity, technological failure, and human error.
It is crucial during the COVID-19 pandemic that organizations are able to continue operating at a level as close to normal as possible. Third-party vendors that are unable to handle the capacity of an organization’s needs pose a risk by interfering with operations. Third-party vendor’s business continuity plans should also include plans to provide uninterrupted service to organizations during the pandemic.
3. Compliance risk
This type of risk could extend liability to the organization if the third-party experiences security breaches involving customer information in violation of the safeguarding of customer information standards.
While changes in workflow are changing rapidly, it is imperative that organizations ensure all third-party vendors are following applicable laws and regulations.
How to mitigate 3rd party risks to your organization
Although many organizations are working quickly to migrate their employees to remote working, it is more important than ever to ensure third-party risks are considered and evaluated. Here’s a few ways your organization can mitigate these third party risks.
- Take the extra time to analyze a third-party vendor. It could save your organization from assuming unnecessary risks later.
- Maintain or create a pandemic response team. This team can help evaluate risk and make recommendations as needed. This team should also keep a comprehensive inventory of all third-party vendors and include copies of business continuity plans.
- Keep track of incidents that could be affecting your vendors. Our intelligence library contains a multitude of updates on incidents that could affect an organizations’ third-party vendors.
- Include data exposure incidents in continuous monitoring of third-party vendors. Misconfigured databases, devices, and targeted campaigns can lead to an organizations’ data being exposed.
We’ve also put together an extensive blog on how to manage your security ecosystem, Third Party Risk: 4 ways to manage your security ecosystem.
As social distancing becomes more ‘normal’ for more and more people globally, organizations should continue to evaluate third-party vendors to ensure risks are being properly managed.
Want to detect third-party data exposure to your organization instantly? Learn how our SearchLight service can help.