Third-Party Breaches Grow More Destructive  

Today’s cybersecurity landscape is riskier, costlier and more complicated than ever, with bad actors capitalizing on global disruption by mounting destructive third-party breaches that compromise multiple victims in one fell swoop.

Unfortunately, according to a Black Kite report, the problem is growing, and cybercriminals are learning new tactics quickly.

The impact of each breach essentially doubled last year: a breached vendor affected 4.73 companies on average in 2022, compared to 2.46 companies per vendor in 2021, a development Bob Maley, CSO at Black Kite, called “extremely concerning.”

“Although the number of breaches decreased slightly from the year before, the magnitude increased significantly–a trend we are likely to see through the new year,” he added.

He explained that the problem is that hackers are learning to kill more birds with one stone, and although companies are learning how to improve their approaches to third-party cybersecurity, bad actors are learning faster.

“They have no boundaries and the luxury to fail,” he noted. “Most enterprises do not have this luxury.”

The report also found that unauthorized network access was the most common root cause of third-party breaches.

“One of the reasons is due to the remote work model that has become mainstream with the pandemic,” Maley said. “Employees are more at risk working on different networks and devices, and also seem to be more prone to making innocent security mistakes.”

Unauthorized network access is gained through phishing, stolen credentials, weaknesses in access control or a combination of these, all of which remote work makes easier: a phished or reused password is enough to log in from anywhere when access is not also tied to multi-factor authentication or a managed device.

“In 2023, companies should stick to periodic cybersecurity training for not only IT departments, but also all employees to refresh basic guidelines and procedures for protection,” he said. 

In addition, the report found that breach reporting times are extremely slow and appear to be getting worse: the average breach disclosure time in 2022 was 108 days, an almost 50% increase over 2021.

“With regulations like HIPAA and GDPR, organizations are required to report certain types of personal data breaches to the relevant supervisory authority,” Maley said. “But in many cases, disclosure requirements aren’t strict enough.”

For example, HIPAA’s Breach Notification Rule dictates that if a breach affects 500 or more individuals, covered entities must notify the Secretary of Health and Human Services without unreasonable delay and no later than 60 days following discovery of the breach.

If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches annually, within 60 days of the end of the calendar year in which they were discovered.

Maley said a sector-wide conclusion can be drawn from this picture: Health care has the longest disclosure time of any sector, at 169 days on average.

He added that another cause of the longer gap is that bad actors have become much better at hiding their presence for far longer after the initial compromise.

“Recently we have seen malware that is incredibly obfuscated to the level that passive scanning would miss it,” he said. “With passive scanning missing the malware, the dwell time becomes longer and adds to the window.”

Maley said in a perfect world, regulations would be stricter, and vendors would easily identify and report breaches right away.

“But realistically, businesses need to take it upon themselves to narrow the window,” he explained. “The first step is to build relationships with vendors, encouraging a direct line of communication.”

The next step is to implement a third-party cyber-risk intelligence platform, which enables even the largest enterprise to uncover and quantify hidden threats deep in its digital supply chain.

“The right tech can identify vulnerable vendors in real time, deliver predictive insights and enable leaders to stay to the left of boom,” Maley said. “This level of proactive mitigation can not only narrow disclosure windows, but can prevent catastrophic risk events before they even happen.”

He advised organizations to become as agile as the adversary, a journey that begins with continuously monitoring the cybersecurity posture of their digital ecosystem.

“Without this level of protection, business continuity and overall resilience is in jeopardy, and your attack surface is much bigger than the stuff you control,” he said. “But while you may not have control over your partners’ cybersecurity programs, you can assess and monitor them for proactive mitigation and bottom-line protection.”

He pointed to the many lessons learned in 2022: that threat actors often ring twice, that critical services need to be diversified, and that credential misuse continues to be a problem.

“The good news is, defenders are getting better–and the number of breaches via third parties dropped year-over-year,” he said. “The bad news is, while the number of breaches dropped, the impact of the breaches spiked.” 

Maley advises organizations to prepare for the new year by recognizing that simply following best practices in third-party risk management is not keeping pace with the bad actors.

“It is still all about basic blocking and tackling, the quick fixes, and changing how we view third parties to how bad actors see them,” he said. “Thankfully there is technology to help, which is equipping leading organizations with the agility needed to thrive in this climate.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
