Managing third-party risk
By Calissa Aldridge, Executive Director, Markets, Australian Securities and Investments Commission
- Organisations operating in the modern economy rely heavily on outsourced services and products.
- According to one survey, 76 per cent of leading global businesses outsource their IT functions.
- However, while organisations can outsource their services to third-party suppliers, they cannot outsource the associated risk and liability.
Third-party relationships can give cyber criminals a ready path into an organisation’s systems and networks. ASIC has observed a growing number of cyber attacks on Australian organisations stemming from third-party weaknesses. These third parties include vendors, suppliers, partners, contractors and service providers with access to an organisation’s internal or confidential information.
Late last year, ASIC published the results of our 2023 Cyber Pulse Survey. Alarmingly, 44 per cent of participating organisations indicated that they do not manage third-party or supply chain risk.[1]
An organisation can implement robust cyber security measures for its internal networks and IT infrastructure. However, unless these efforts are extended to third parties, the organisation will be exposed to supply chain vulnerabilities, and the detrimental financial, operational and reputational consequences that can follow.
Quantifying the exposure
The SolarWinds cyber incident demonstrates just how devastating a third-party cyber attack can be throughout the supply chain. In 2020, the threat actor responsible compromised the build process for SolarWinds’ Orion platform and inserted a backdoor into legitimately signed software updates, which were then distributed to SolarWinds customers as routine patches. The breach gave the threat actor access to 3,000 email accounts across 150 organisations, allowing them to impersonate thousands of users and accounts, including government agencies and multinational corporations. The average cost of the breach for each affected organisation was US$12 million.
To test and strengthen the cyber resilience of Australia’s financial institutions against known threat actors, the Council of Financial Regulators developed the cyber and operational intelligence-led exercises (CORIE) framework. CORIE uses targeted threat intelligence to build goal-focused adversary attack simulation scenarios to assess the cyber resilience of an organisation. Participating organisations include members of the insurance, banking and superannuation sectors, as well as third parties.
Third-party providers that participate in CORIE are systemically important to Australia’s financial system and highly connected across the financial services sector. A material cyber attack on one of these third parties would significantly impact the operation of financial services and markets in Australia. This makes them an attractive target for ransomware threat actors because they are critical to the delivery of other organisations’ core operations.
Among other things, CORIE tests participating organisations’ cyber risk controls, crisis communications and ability to expel threat actors from their networks. Recent CORIE attack simulations have highlighted a lack of adequate controls over suppliers that have network connectivity to their clients’ systems. In some cases, these third parties held administrator-level access to core business infrastructure, so a compromise of the supplier would have been both damaging and highly disruptive for the client.
The recent Latitude Financial cyber attack shows why third parties with access to core systems warrant additional scrutiny. For organisations that outsource their IT functions or depend on third parties in their supply chain, a simple control such as multifactor authentication (MFA) for external providers can be the difference between a failed login attempt that is merely an inconvenience and a full breach.
Another concerning trend among third-party suppliers that participated in the CORIE program is the use of weak passwords. Even where complexity requirements are enforced, suppliers find ways to satisfy the rule with passwords that remain weak, such as ‘Pa$$w0rd123!’, which is the word ‘password’ with a few predictable substitutions and a tacked-on suffix.
MFA is one of the most effective techniques available to protect organisations from a cyber incident. Where MFA is not available, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) recommends the use of passphrases. MFA and passphrases should be adopted as part of a wider cultural shift throughout an organisation, driven by employee education, cyber awareness training and rigorous third-party assessment.
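To make the weak-password point concrete, the following is an added example written for this page (it is not ASIC, CORIE or ACSC tooling). It shows why a composition rule is not enough: ‘Pa$$w0rd123!’ satisfies the classic upper/lower/digit/symbol rule, but once the bolted-on suffix is stripped and leet-speak substitutions are undone it is simply ‘password’. It also includes a passphrase check for accounts where MFA cannot be enforced. The blocklist is a constructed toy set, and the passphrase thresholds (four words, 14 characters) are assumptions that approximate ACSC guidance rather than a quotation of it.

```python
from __future__ import annotations

import re

# Constructed, illustrative blocklist of base words. A real check would consult a
# breached-password corpus rather than a hand-written set like this.
COMMON_BASES = {
    "password", "welcome", "admin", "qwerty", "letmein", "summer",
    "winter", "monday", "changeme", "secret", "company",
}

# Substitutions people use to satisfy a "must contain a digit/symbol" rule without
# changing the underlying word. Ambiguous characters map to their most common reading.
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "0": "o", "1": "i", "!": "i", "|": "l",
    "3": "e", "@": "a", "4": "a", "7": "t", "8": "b",
})


def meets_composition_rule(pw: str) -> bool:
    """The classic complexity rule: at least 8 characters with upper, lower, digit and symbol."""
    return all(bool(c) for c in (
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ))


def normalise(pw: str) -> str:
    """Reduce a password to the word it is built on: drop the digit/symbol suffix
    bolted on to pass the rule ('...123!', '...2024'), then undo leet-speak and case.
    'Pa$$w0rd123!' becomes 'password'."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return core.translate(LEET_MAP).lower()


def assess_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a password under the stricter check."""
    if not meets_composition_rule(pw):
        return False, "fails composition rule"
    core = normalise(pw)
    if core in COMMON_BASES:
        return False, f"disguised common word '{core}'"
    hit = next((b for b in sorted(COMMON_BASES) if len(b) >= 5 and b in core), None)
    if hit:
        return False, f"contains common word '{hit}'"
    if len(core) < 6:
        return False, "too little material once the suffix is removed"
    if len(set(core)) <= 2:
        return False, "repeated characters"
    return True, "ok"


def assess_passphrase(pp: str, min_words: int = 4, min_len: int = 14) -> tuple[bool, str]:
    """Passphrase check for accounts where MFA cannot be enforced. The thresholds are
    assumptions that approximate ACSC guidance; confirm against the current ISM."""
    words = re.findall(r"[A-Za-z]+", pp)
    if len(pp) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(words) < min_words:
        return False, f"fewer than {min_words} words"
    if len({w.lower() for w in words}) < len(words):
        return False, "repeated word"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates, including the example quoted in the article.
    for candidate in ["Pa$$w0rd123!", "Welcome2024!", "Summ3r2023#", "Aaaaaaa1!", "Xk9#vLq2pR!w"]:
        rule = meets_composition_rule(candidate)
        ok, why = assess_password(candidate)
        print(f"{candidate:14} composition_rule={rule!s:5} accepted={ok!s:5} {why}")
    for phrase in ["correct horse battery staple", "short pass", "one one one one"]:
        print(f"{phrase!r}: {assess_passphrase(phrase)}")
```

The point of `normalise` is that the check runs against the password as an attacker would see it: wordlist tools apply exactly these substitution and suffix rules, so a composition rule that only counts character classes offers little protection against them.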
What can be done?
Organisations across Australia have moved quickly to reinforce their internal cyber security following a series of high-profile incidents that began with the Optus cyber attack in 2022. With their internal defences shored up, organisations must now focus on mitigating third-party exposure – the new frontline in cyber risk management. With many of the recent major incidents directly enabled by third parties, the problem is growing.
ASIC is reminding organisations to identify, assess and monitor the risks posed by third-party vendors, from both a technological and a contractual perspective. How can this be applied practically at the organisation level? Start by asking these simple questions:
How much access do third parties have to my systems?
Apply the principle of least privilege: limit each third party’s access strictly to what it needs to perform its contracted function, so that if that access is compromised the impact is bounded.
How is third-party access protected?
Where a third party needs elevated access to manage systems, beyond that of a regular user, ask how that access is protected.
Threat actors seek elevated access, and compromised third-party credentials can quickly lead to a significant breach. Protecting those credentials is difficult: a third party may serve many clients and may store credentials in anything from a password manager to a spreadsheet. Enforcing MFA on third-party accounts, combined with close monitoring of how they are used, reduces the risk that a stolen credential can be exploited. Many of the recent incidents in Australia could have been prevented if MFA had been in place for third-party suppliers.
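The two questions above (how much access, and how it is protected) can be turned into a repeatable check. The following is an added example written for this page, not ASIC or CORIE tooling: it audits a constructed inventory of third-party accounts against the roles their engagement actually justifies, flags elevated roles without enforced MFA, parses constructed sign-in records in an assumed key=value format (not any real product’s log format), and reports successful sign-ins that did not use MFA and accounts with no recent use. The vendors, usernames, IP addresses and the 90-day staleness window are all assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Roles treated as elevated access. A third-party account holding any of these must
# have MFA enforced regardless of what the engagement requires.
ELEVATED_ROLES = {"domain-admin", "global-admin", "db-owner", "server-admin"}


@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str
    granted: frozenset[str]    # roles actually held in the directory
    justified: frozenset[str]  # roles the engagement actually requires
    mfa_enforced: bool


# Constructed sample inventory; the vendors and accounts are invented for this example.
ACCOUNTS = [
    VendorAccount("svc-payroll-vendor", "Payroll Co", frozenset({"hr-read", "db-owner"}), frozenset({"hr-read"}), False),
    VendorAccount("msp-admin01", "MSP Ltd", frozenset({"server-admin"}), frozenset({"server-admin"}), True),
    VendorAccount("auditor-ext", "Audit Pty", frozenset({"finance-read"}), frozenset({"finance-read"}), True),
]

# Constructed sign-in records in an assumed key=value format, not any real product's log format.
SIGNIN_LOG = """\
2024-03-01T08:02:11Z user=msp-admin01 result=success mfa=totp src=198.51.100.4
2024-03-01T22:47:53Z user=svc-payroll-vendor result=success mfa=none src=203.0.113.9
2024-03-02T03:15:20Z user=svc-payroll-vendor result=failure mfa=none src=203.0.113.9
2023-11-20T10:00:00Z user=auditor-ext result=success mfa=push src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


def parse_signins(text: str) -> list[dict]:
    """Parse the key=value lines above; unrelated lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def audit(accounts, events, now: datetime, stale_after: timedelta = timedelta(days=90)) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for excess privilege, missing MFA, stale access
    and successful sign-ins that did not use MFA."""
    findings = []
    last_success: dict[str, datetime] = {}
    for e in events:
        if e["result"] == "success":
            prev = last_success.get(e["user"])
            last_success[e["user"]] = e["ts"] if prev is None else max(prev, e["ts"])
            if e["mfa"] == "none":
                findings.append((e["user"], f"successful sign-in without MFA from {e['src']} at {e['ts']:%Y-%m-%d %H:%M}Z"))
    for a in accounts:
        excess = a.granted - a.justified
        if excess:
            findings.append((a.username, f"privilege beyond the engagement: {sorted(excess)}"))
        if a.granted & ELEVATED_ROLES and not a.mfa_enforced:
            findings.append((a.username, "elevated role without enforced MFA"))
        seen = last_success.get(a.username)
        if seen is None or now - seen > stale_after:
            findings.append((a.username, f"no successful sign-in in {stale_after.days} days: review or disable"))
    return findings


def run_audit(now_iso: str = "2024-03-03T00:00:00Z") -> list[tuple[str, str]]:
    """Run the audit over the constructed data as at an assumed 'now'."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return audit(ACCOUNTS, parse_signins(SIGNIN_LOG), now)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:20} {finding}")
```

In practice the inventory would be pulled from the directory and the sign-in events from the identity provider, and the `justified` roles would come from the contract or statement of work; the value of the check is that it compares what a supplier actually holds against what the engagement can justify, rather than trusting either list alone.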
Where is my data?
Knowing what sensitive data an organisation holds and where it is stored is critical to ensuring the correct level of protection is applied. Where third-party providers store, transfer and process data, additional scrutiny is needed.
If your organisation does not control the protection applied to data stored by a third party, assess the impact of that data being exposed and ask whether the volume of sensitive data held by the third party can be reduced. Adding contract terms to transfer risk will not absolve an organisation of cyber risk. You must scrutinise, understand and own the risk of exposing data to a third party.
While the fallout of a data breach tends to focus on the financial and reputational consequences for an organisation, it also has real-world impacts for the individuals exposed. For example, the Medibank incident led to the publication of individuals’ private medical information, and several superannuation breaches exposed details of investments and retirement incomes. These leaks have created opportunities for scammers to target vulnerable individuals. Once threat actors have published the information, it cannot be recalled.
For more information, including questions to ask managed service providers and how to manage your security when engaging a managed service provider, visit the ASD’s ACSC website. The ASIC website also provides information on cyber resilience good practices.
[1] REP 776 Spotlight on cyber: Findings and insights from the cyber pulse survey 2023