Fourth-party Cybersecurity Risk

Andrew Sanford
DataDrivenInvestor


This is a pretty concise article on the importance of fourth-party risk.

Third-party cybersecurity risk is gaining increasing importance throughout the world and for good reason! A couple of good (bad) examples of unmanaged third-party risks are:

  • Target’s 2013 credit card breach (they were compromised through an HVAC vendor) resulted in zero Target credit card purchases the next year, and Target still does not offer a credit card (as many stores do, such as Home Depot)
  • Facebook’s data leak issues (Cambridge Analytica, Cultura Colectiva, etc.)

When companies effectively conduct due diligence on third-parties and manage the risks those third-parties present, they can greatly improve their security posture. Typically, this is done through questionnaires, pen tests and, increasingly, automated tools like RiskRecon [full disclosure: I’m a former employee of RiskRecon].

However, these third-parties also have third-parties (i.e., fourth parties to your company), and these entities have their own risks. A successful breach of a fourth-party could lead to your organization being breached.

Illustrative Example

For example, let’s say you run a personal DNA business. In short, you collect people’s DNA and then tell them about their family history, genetic traits, etc.; however, you don’t have the ability to actually process their DNA & turn it into usable code, but Fake-DNA-Analysis-Company (FDAC) does! So, you outsource this processing to FDAC, and they send an email to your customers letting them know that their DNA has been processed and will soon be analyzed by you.


FDAC purchases their needed equipment from Not-A-Real-Equipment-Supplier (NARES) and uses a third-party tool, Email-Generator-Example-Company (EGEC), to send out emails. Thankfully, though, you’ve conducted your due diligence and have found that FDAC has good security policies in place, so you’re not too concerned about them being breached.

But what happens if NARES’s equipment has a software vulnerability that hackers use to inject malware into the usable DNA code? That code could then land in your systems and compromise your networks.

Or what would happen if EGEC’s code were compromised, and emails containing malware were sent out to your customers?

Alternatively, what if one of your competitors compromises EGEC and is able to maneuver their way into finding confidential data shared between you and FDAC?

Of course, these are all just examples, but they do illustrate the point: even if your third-party has good security, what about their vendors? Does your third-party care about their vendors?
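The scenario above is really a small dependency graph: you depend on FDAC, and FDAC depends on NARES and EGEC. The following Python is an added example (not code from the article or from any of the fictional companies it names) that models such a graph, enumerates third- and fourth-parties, and reports, for a given compromised entity, which of your data classes could reach it and which artifacts it could tamper with on their way back to you. All entity names, the data classes on each edge, and the `Dependency`/`SupplyChain` types are constructed for illustration.

```python
"""Map a vendor graph to find nth-party dependencies and what transits each chain.

Constructed example: entities are the article's fictional vendors (FDAC, NARES,
EGEC); every edge label below is an assumption made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    consumer: str       # the organization that relies on the service
    provider: str       # the organization that delivers it
    shares: frozenset   # data classes the consumer hands to the provider
    returns: frozenset  # artifacts the provider sends back (code, hardware, mail)


class SupplyChain:
    def __init__(self, deps):
        # Adjacency list keyed by consumer: consumer -> [Dependency, ...]
        self.out = defaultdict(list)
        for d in deps:
            self.out[d.consumer].append(d)

    def parties_at_depth(self, org, depth):
        """Entities first reached exactly `depth` hops downstream of `org`.

        depth 1 = third-parties, depth 2 = fourth-parties, and so on.
        """
        frontier, seen = {org}, {org}
        for _ in range(depth):
            nxt = {d.provider for n in frontier for d in self.out[n]
                   if d.provider not in seen}
            seen |= nxt
            frontier = nxt
        return frontier

    def chains_to(self, org, target):
        """Every acyclic dependency chain from org to target, as lists of edges."""
        results = []

        def walk(node, path, visited):
            if node == target:
                results.append(list(path))
                return
            for d in self.out[node]:
                if d.provider not in visited:
                    walk(d.provider, path + [d], visited | {d.provider})

        walk(org, [], {org})
        return results

    def exposure(self, org, compromised):
        """What a compromise of `compromised` means for `org`, per chain.

        Data must be forwarded at every hop to reach the far end, so the data
        reaching the compromised party is the intersection of `shares` along
        the chain. Inbound artifacts are listed from the compromised party back
        toward org: each hop's return value is what the next consumer ingests.
        """
        report = []
        for chain in self.chains_to(org, compromised):
            data = set(chain[0].shares)
            for d in chain[1:]:
                data &= d.shares
            report.append({
                "chain": [org] + [d.provider for d in chain],
                "data_reaching_them": data,
                "inbound_artifacts": [d.returns for d in reversed(chain)],
            })
        return report


# Constructed sample graph for the article's scenario.
SAMPLE = SupplyChain([
    Dependency("You", "FDAC",
               frozenset({"customer DNA samples", "customer email addresses"}),
               frozenset({"processed DNA code"})),
    Dependency("FDAC", "NARES",
               frozenset({"purchase orders"}),
               frozenset({"sequencing equipment firmware"})),
    Dependency("FDAC", "EGEC",
               frozenset({"customer email addresses"}),
               frozenset({"delivered notification emails"})),
])

if __name__ == "__main__":
    print("third-parties: ", sorted(SAMPLE.parties_at_depth("You", 1)))
    print("fourth-parties:", sorted(SAMPLE.parties_at_depth("You", 2)))
    for vendor in ("EGEC", "NARES"):
        for entry in SAMPLE.exposure("You", vendor):
            print(vendor, "->", " -> ".join(entry["chain"]))
            print("  your data they hold:", sorted(entry["data_reaching_them"]))
            print("  what flows back to you:",
                  [sorted(a) for a in entry["inbound_artifacts"]])
```

Running it shows the two fourth-party findings the article describes in prose: a compromise of EGEC exposes only your customers' email addresses (the DNA samples never leave FDAC), while a compromise of NARES holds none of your data but sits upstream of the "processed DNA code" FDAC returns to you, which is exactly the inbound-tampering path the equipment example is about. In a real vendor program the edge labels would come from your contracts and data-flow inventory rather than being typed in by hand.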

Conclusion

Just as third-parties have been coming under increasing pressure to improve their security posture, fourth-parties will likely come under similar pressure in the future. As third-parties improve their security, attackers will likely shift their focus another layer away.

How, exactly, this will play out may take various forms, depending on an organization’s size & industry. But one thing seems for certain — when trying to work with clients, it’s likely that in the future, they’ll require you to do a thorough evaluation of your third-parties, and your clients may even require that they be allowed to evaluate them.

Now, I doubt that any but the most sophisticated attackers (i.e., nation-states) are attempting fourth-party hacks right now. Why? Because it’s usually easier to compromise one company than two (i.e., it’s easier to compromise your third-party).


Regardless, scrutinizing more companies’ cybersecurity posture would be good news for the world’s security posture. Every additional point (or entity) attackers have to go through decreases the chance that they’ll succeed in compromising an organization. (While it’s widely reported that most attacks happen solely because ‘encryption’ or ‘multi-factor authentication’ wasn’t enabled, that’s not an accurate depiction of hacks; modern, successful cyber attacks are complicated & involve exploiting multiple vulnerabilities, human weaknesses, and some luck.)

Of course, I don’t expect fourth-party risk to become a priority for organizations anytime soon — increased focus is needed on third-parties at the moment. But once third-party cybersecurity risk management has matured, I believe fourth-party risk will become a hot topic.

Andrew Sanford works in cybersecurity & privacy and has published academic articles on cybersecurity & fraud. He is the founder of SecureFamilies.org and IntroToSecurity.com.
