Third-party software can play an important role in filling the gaps in proprietary systems and adding needed functionality to the technology program of a business or organization. When purchasing this software, it is tempting to assume that the vendor will do all of the security work for you, but time and time again these products have proven to be lacking when it comes to protecting systems and data. When adopting third-party software, it is important that it be included in your overall security evaluation and risk mitigation strategy.
With alarming frequency, third-party software is falling prey to sophisticated ransomware attacks. While breaches such as the SolarWinds cyberattack on the Colonial Pipeline make big news, major corporations and government entities are not the only victims of these efforts. Consider the case of the Kaseya ransomware attack of last year. In this incident, hackers found a vulnerability, which the company was in the process of repairing, that they then used to attack Kaseya's customer base of managed service providers (MSPs). This, in turn, allowed them to target the thousands of small- to medium-sized businesses that used the MSP platforms.
As regulation increasingly drives Know-Your-Customer (KYC) requirements for private businesses and government programs, hackers have greater incentives to access these troves of information. Last year's breach of India's No. 2 stock broker, Upstox, compromised over 56 million KYC files when a third-party data warehouse was hijacked. From employee negligence, such as the lapse that compromised the personal information of 72,000 Pennsylvania residents in the state contact tracing program, to losses from inadequately protected email servers, cases such as these are on the rise.
Before onboarding a third-party vendor, it is essential that the vendor be thoroughly assessed to ensure that its policies and controls are sufficient to avoid exposing your business or organization to unnecessary risk. Limiting vendor data access to only what is absolutely necessary is an important step in mitigating that risk. Cybercriminals are constantly developing new and more sophisticated techniques, so it is imperative to keep monitoring vendors to make sure they take a proactive approach to confronting the escalating threats. Periodic Vulnerability Assessments and Penetration Testing (VAPT) are a vital part of discovering these security flaws.
Asteros Cybersecurity Services can help you evaluate your third-party vendors and fill in the gaps that leave your small- to medium-sized business or organization vulnerable. Schedule a free, no-strings-attached attack surface audit today to assess potential entry points to your network and learn how Asteros can help eliminate these risks.