Cybersecurity is a top priority for the federal government, from President Biden's Executive Order 14028 to the National Cybersecurity Strategy, but one major gap remains in the net: third parties. By some industry estimates, nearly 60% of data breaches originate with third-party vendors, and the usual outward-facing approach to security often cannot see those breaches until they have already reached an organization's perimeter.
The exposure of the Transportation Security Administration's (TSA) no-fly list, which surfaced on a third party's misconfigured server, is the latest example of the risk that a third-party leak poses to federal cybersecurity. Third-party breaches ripple across the private and public sectors alike, in ways that legacy security practices can no longer detect. As the Biden administration sets its cyber path, it is imperative that we all step back and look at the expanding security perimeter.
The Effects of Third-Party Data Risk Are Far Reaching
With more data shared every day outside the traditional security perimeter, a single third-party leak is enough to cause a devastating breach at anything from the largest company to the most critical federal agency. Lack of visibility is the primary culprit in third-party risk: the average organization shares sensitive data with 583 third parties, a staggering number of possible attack vectors to monitor. For the US government, that means contractors, vendors, other agencies, and more.
The expanding digital supply chain and weak visibility combine to open a variety of risks. SolarWinds is the most notorious example of a third-party supply chain compromise: the trojanized Orion update reached not only the organizations that installed it but also their customers and partners. That reach matters especially for the federal government, where agencies hold both critical and sensitive data for the nation and its citizens. Protection against a chain reaction of data compromise comes only from regularly updating security practices and technology.
The US government is making consistent strides toward digital transformation, and that transformation must extend to cybersecurity in the face of third-party risk. It cannot rely on legacy cybersecurity standards. Today's threats call for always-on security technologies and practices; questionnaires, policies, and process reviews, on their own, are no longer enough in the new digital landscape.
Preemptive Cybersecurity Combats Third-Party Risk
To be effective, a third-party risk strategy must be preemptive. It is common practice to review a prospective vendor's security policies, past incidents, and remediations to predict future risk. That is not enough on its own: it reviews the vendor's plan for prevention and response, not the vendor's actual, current exposure.
It is, of course, imperative to make informed decisions about third-party relationships by researching organizations and their areas of possible exposure before committing to share data with them. Part of that evaluation should be understanding their commitment to visibility and strong security hygiene. Scanning for malicious behavior is an important step, but negligence also plays a major role in security vulnerabilities, so partners should also be evaluated on how current their practices are.
Contracts with existing partners can help address any weaknesses found. Those that fail to meet agreed security standards can be held to account through clawback clauses and supply chain penalties for leaks of confidential information.
From there, it is important to maintain that preemptive posture through ongoing monitoring and risk assessment. As part of a larger third-party life cycle management plan, helpful tools include automated risk management platforms, regular real-time risk assessments, and external attack surface management (EASM) tools that continually discover, inventory, classify, prioritize, and monitor the sensitive, externally reachable assets in an IT infrastructure. [Note: The author's company is one of many that offer EASM.]
Most private and public organizations recognize the importance of cybersecurity, yet some industries still lag, and that poses a real threat to federal cybersecurity. As more cyber priorities roll out from the federal government, and as better security practices trickle down to vendors through the Cybersecurity Maturity Model Certification (CMMC), we can hope to see more initiatives around these growing issues. With the TSA no-fly list leak behind us, third-party data protection should take a top spot in federal cyber priorities.
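As an added example (not the author's code, not the author's product, and not any real EASM tool), the script below shows the monitoring half of that life cycle on constructed data: it diffs two inventory snapshots of externally reachable assets, classifies each new exposure by the service it presents, and prioritizes findings by data sensitivity and by whether anyone in the asset register owns the host. The hostnames, addresses, service labels and scoring weights are all invented for illustration; a real deployment would feed it discovery-scan output and an authoritative asset register.

```python
"""Minimal external-attack-surface monitor over constructed inventory snapshots.

Added example only: not the author's code or any vendor's EASM product.
Hostnames, IPs, owners and weights below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str      # DNS name as discovered
    ip: str
    port: int
    service: str   # banner-derived service name from the scan
    owner: str     # business owner from the asset register; "" if nobody claims it
    data: str      # sensitivity tag from the register: "public", "internal", "pii"


# Constructed snapshots: what discovery returned last week and what it returns today.
PREVIOUS = [
    Asset("www.agency.example", "198.51.100.10", 443, "https", "web-team", "public"),
    Asset("portal.agency.example", "198.51.100.20", 443, "https", "benefits", "pii"),
    Asset("vpn.agency.example", "198.51.100.30", 443, "https", "netops", "internal"),
]
CURRENT = [
    Asset("www.agency.example", "198.51.100.10", 443, "https", "web-team", "public"),
    Asset("portal.agency.example", "198.51.100.20", 443, "https", "benefits", "pii"),
    # SSH newly exposed on the host that holds PII.
    Asset("portal.agency.example", "198.51.100.20", 22, "ssh", "benefits", "pii"),
    # A contractor stood up a build server in agency address space with no registered owner.
    Asset("ci.vendor.example", "198.51.100.77", 8080, "jenkins", "", "internal"),
]

# Exposure class and weight by service. Admin and remote-access surfaces get the
# highest weights because that is where third-party leaks typically begin.
EXPOSURE = {
    "https": ("web", 1),
    "http": ("web", 2),
    "ssh": ("remote-access", 3),
    "rdp": ("remote-access", 4),
    "jenkins": ("admin-interface", 4),
    "smb": ("file-share", 4),
}
UNKNOWN = ("unknown", 3)          # an unrecognized service is treated as moderately risky
SENSITIVITY = {"public": 1, "internal": 2, "pii": 3}
UNOWNED_PENALTY = 3               # nobody to patch it, nobody to ask about it


def key(a: Asset):
    """Identity of an exposure: the same host/IP on a different port is a new finding."""
    return (a.host, a.ip, a.port)


def classify(a: Asset) -> str:
    return EXPOSURE.get(a.service, UNKNOWN)[0]


def priority(a: Asset) -> int:
    """Score = exposure weight x data sensitivity, plus a penalty if unowned."""
    weight = EXPOSURE.get(a.service, UNKNOWN)[1]
    score = weight * SENSITIVITY.get(a.data, SENSITIVITY["internal"])
    if not a.owner:
        score += UNOWNED_PENALTY
    return score


def diff(previous, current):
    """Return (new, removed) exposures between two snapshots."""
    prev = {key(a): a for a in previous}
    cur = {key(a): a for a in current}
    new = [cur[k] for k in cur if k not in prev]
    removed = [prev[k] for k in prev if k not in cur]
    return new, removed


def findings(previous, current):
    """Prioritized list of (score, reason, asset), highest score first."""
    new, removed = diff(previous, current)
    out = [(priority(a), "new exposure: " + classify(a), a) for a in new]
    # A vanished asset is low priority but still worth confirming: decommissioned, or moved?
    out += [(1, "asset disappeared: confirm decommissioned", a) for a in removed]
    # Long-standing assets with no owner stay on the list until someone claims them.
    out += [(priority(a), "unowned asset", a) for a in current if not a.owner and a not in new]
    out.sort(key=lambda f: f[0], reverse=True)
    return out


if __name__ == "__main__":
    for score, reason, a in findings(PREVIOUS, CURRENT):
        print(f"[{score:2d}] {reason}: {a.host}:{a.port} ({a.service}) owner={a.owner or '-'}")
```

Run against the constructed snapshots, the unowned Jenkins host ranks first, the new SSH listener on the PII-bearing portal second, and the vanished VPN gateway last. The point of the diff step is that questionnaires answer "what do you say you expose?" while a snapshot comparison answers "what did you start exposing since we last looked?", which is the question a preemptive program actually needs answered.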