Most organizations are aware that when they start a relationship with a vendor, partner, or contractor, they effectively take on that third party’s attack surface. Big breaches from Target (2013) to Okta (2022) leave no room for debate that actions undertaken by a third party can lead to serious consequences down the supply chain.
What organizations may be less likely to consider is that bringing on third-party partners also means absorbing the attack surface of their vendor’s vendors, and their vendors — and so forth.
Cascading risk, or Nth party risk, is the new reality in our highly connected, partner-dependent world. Third-party access already presents a significant risk that many organizations are struggling to effectively mitigate; when cascading risk is taken into account, it becomes painfully clear that organizations simply cannot afford to continue granting implicit trust, admin-level permissions, and wide lateral access to their third-party vendors and partners.
For these reasons, all third-party users should be regarded as high-risk users, and their access should be secured and controlled accordingly.
Recent research illustrates the depth and breadth of cascading risk. Here are some key statistics:
Organizations have far more fourth-party relationships than they realize: between 60 and 90 fourth-party relationships for every single third-party relationship, on average.
Third- and fourth-party security incidents have widespread effects. A single compromised vendor affects 4.73 companies on average, and in 2022, 54% of organizations suffered a breach because a third-party vendor was breached.
Security postures worsen with each degree of separation. First parties usually have better risk scores than third parties. Third parties tend to have better security risk scores than fourth parties.
Put in the simplest terms, cascading risk is like a contagion. It can spread through the slightest direct or indirect contact and quickly becomes impossible to control. Plus, the greatest risk doesn’t always come from high-level users. The Target breach began with an HVAC contractor, and Okta was compromised through a customer support contractor.
Securing third-party vendors is hard enough, and the challenge only escalates with each degree of separation. And remember: whether a breach occurs in the vendor ecosystem or the software supply chain, the first-party organization remains liable for any regulatory, financial, and reputational damages.
While organizations can dictate policies and manage devices for in-house employees, they typically can’t enforce the same level of control over vendors. Shipping managed devices or forcing vendors to install agented solutions (such as VPNs) on their own devices is costly and can slow down productivity. When it comes to fourth-party vendors and beyond, the idea of maintaining any sort of control over devices or user behavior becomes implausible.
In most countries, disclosure laws at the state/regional and federal level apply to the first-party organization and its end customers, and they usually focus on sensitive customer data like social security numbers and banking information.
However, a majority of laws require vendors to merely disclose the fact of the breach. Sometimes, a third-party vendor who’s experienced an incident can’t or doesn’t even supply enough information for their customers to meet disclosure requirements — and fourth parties fall under even less obligation.
The bigger hole, though, is that vendors are not required to disclose breaches regarding unprotected information, like source code or internal systems, even though these breaches pose an equal threat to first-party organizations.
At the end of the day, even if an organization could secure access beyond third parties, how far would they go? Fifth parties? Sixth parties? Tenth parties?
Extending the perimeter this far clearly isn’t feasible. Even when it comes to creating deny and allow lists, it is impossible to foresee all adverse situations. Meanwhile, vendors often demand significant access to avoid barriers to the job they’ve been hired to do.
Recovering from an illness takes time, but preventing the infection in the first place is a far more effective course of action. This holds true for cascading risk as well.
At any company, but especially at the enterprise level, the vendor ecosystem can become very complex. Organizations should have a standard process for offboarding vendors when the relationship ends, and they should perform regular audits of accounts and access controls, particularly those provisioned for third-party users.
Of course, profiles for ex-vendors, or their former employees, should be decommissioned.
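The audit described above can be automated. The following is an added example, not Cyolo's own tooling: it joins a hypothetical identity-provider export of third-party accounts with a hypothetical vendor registry (contract end dates) and flags accounts whose vendor relationship has ended, that hold admin roles, that can reach more systems than a narrow vendor task needs, or that have gone dormant. All account names, vendor names, thresholds and dates are constructed sample data.

```python
"""Audit of third-party accounts against a vendor registry (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    vendor: str        # vendor the account was provisioned for
    roles: tuple       # roles assigned in the identity provider
    systems: tuple     # internal systems the account can reach
    last_login: object # date of last login, or None if never used


# Constructed vendor registry: vendor -> contract end date (None = still active)
VENDORS = {
    "hvac-co": date(2024, 3, 31),
    "support-bpo": None,
}

# Constructed identity-provider export of third-party accounts
ACCOUNTS = [
    Account("hvac.tech1", "hvac-co", ("bms-operator",), ("bms",), date(2024, 2, 10)),
    Account("bpo.agent7", "support-bpo", ("helpdesk", "global-admin"),
            ("crm", "ad", "erp"), date(2024, 6, 1)),
    Account("bpo.agent9", "support-bpo", ("helpdesk",), ("crm",), date(2024, 1, 5)),
    Account("bpo.agent2", "support-bpo", ("helpdesk",), ("crm",), date(2024, 6, 3)),
    Account("ghost.user", "legacy-integrator", ("reader",), ("erp",), None),
]

# Hypothetical policy thresholds for this audit
ADMIN_ROLES = {"global-admin", "domain-admin"}
MAX_SYSTEMS = 2                 # wider reach than this is flagged for review
DORMANT_AFTER = timedelta(days=90)
AUDIT_DATE = date(2024, 6, 15)  # constructed "today" so the run is reproducible


def audit_accounts(accounts, vendors, today):
    """Return {username: [issue, ...]} for every account needing attention."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.vendor not in vendors:
            # No contract on record: nobody owns this access
            issues.append("vendor not in registry")
        elif vendors[acct.vendor] is not None and vendors[acct.vendor] < today:
            # Relationship ended but the account was never decommissioned
            issues.append(f"contract ended {vendors[acct.vendor].isoformat()}")
        if ADMIN_ROLES & set(acct.roles):
            issues.append("admin role on third-party account")
        if len(acct.systems) > MAX_SYSTEMS:
            issues.append(f"broad access: {len(acct.systems)} systems")
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, VENDORS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts with no findings (here, bpo.agent2) are simply omitted from the report; everything else is a candidate for decommissioning or for a narrower permission set.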
When taking on a new vendor, many companies take the vendor at their word and reputation when it comes to security. Similarly, most contractual obligations are reactive to a breach, not preventative. Third parties are both a bridge and a barrier to fourth parties, and organizations struggle to gain visibility into the vendor’s own vendor network.
Evaluating the security of a vendor will look different from one organization to the next. However, at a minimum, organizations should require potential vendors to complete security questionnaires that assess their security and privacy controls. This questionnaire should ask what fourth-party vendors have access to systems that could potentially contain sensitive information from the organization.
In this questionnaire, organizations would do well to ask how the third-party vendor is protecting themselves from their vendors. Third parties should audit their relationships, run regular vulnerability scans, and maintain a well-run patch management program.
Organizations can’t expand their own perimeters to include fourth parties and beyond, but they can adopt the zero-trust security model as a means of hardening the walls around individual users, systems, and assets. On the whole, zero trust decreases an organization’s reliance on factors and behaviors beyond its control.
By enforcing zero-trust access for all third-party users, organizations gain greater visibility and control over these connections, as well as the ability to tailor more granular permission sets for them. When third-party users are connecting to sensitive internal systems exclusively via secure zero-trust access, the risk posed by fourth and fifth parties naturally declines.
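What "zero-trust access for third-party users" means in practice is a per-request decision that starts from deny and allows only what an explicit, scoped, time-bounded grant permits. The following is an added example, not Cyolo's product or code: it evaluates hypothetical access requests from vendor accounts against a constructed grant list, requires MFA, confines each grant to one application and a set of actions, expires it with the contract, and records every decision so the organization keeps the visibility the paragraph above describes. Users, applications, actions and dates are all constructed sample data.

```python
"""Default-deny access decisions for third-party users (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    user: str
    app: str             # exactly one application per grant
    actions: frozenset   # permitted actions within that application
    not_after: datetime  # tied to the vendor's contract end


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    action: str
    mfa_verified: bool
    at: datetime


# Constructed grants: the only access third-party users have
GRANTS = [
    Grant("hvac.tech1", "bms", frozenset({"read", "adjust-setpoint"}),
          datetime(2024, 3, 31, 23, 59)),
    Grant("bpo.agent7", "crm", frozenset({"read", "update-ticket"}),
          datetime(2025, 1, 1)),
]

DECISION_LOG = []  # every decision, allowed or not, is recorded


def decide(request, grants):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not request.mfa_verified:
        return False, "mfa required"
    for g in grants:
        if g.user == request.user and g.app == request.app:
            if request.at > g.not_after:
                return False, "grant expired"
            if request.action not in g.actions:
                return False, f"action '{request.action}' not in grant"
            return True, "explicit grant"
    # No grant for this app: the user cannot move laterally to it
    return False, "no grant for app"


def authorize(request, grants=GRANTS):
    """Decide and log; returns the same (allowed, reason) tuple."""
    allowed, reason = decide(request, grants)
    DECISION_LOG.append({
        "at": request.at.isoformat(), "user": request.user, "app": request.app,
        "action": request.action, "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    now = datetime(2024, 6, 15, 10, 0)
    for req in (
        Request("bpo.agent7", "crm", "read", True, now),
        Request("bpo.agent7", "ad", "read", True, now),        # lateral attempt
        Request("hvac.tech1", "bms", "read", True, now),       # contract over
    ):
        print(req.user, req.app, req.action, authorize(req))
```

Because the expiry lives on the grant rather than on the account, access from a vendor whose contract has ended stops even if the offboarding process missed the account; the log of denied requests is also what makes a compromised vendor identity visible early.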
Traditionally, security and the business’s bottom line have conflicted, at least from the perspective of leadership. Third parties have a significant impact on productivity, and when security slows a vendor down, it hurts the ROI of the relationship.
However, with proper vetting and a well-implemented zero-trust strategy, security leaders can secure the company — saving it from the compliance fines, insurance costs, and reputational damage of a breach — while still supporting the business’s financial mission.
To learn more about securing third-party access and overcoming cascading risk, read our recent white paper, “Conquering the 5 Biggest Hurdles of Third-Party Access.”
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.