Your organization’s attack surface can be a tricky thing to monitor. In our connected world, it seems like your attack surface is always expanding. That’s probably true. Attack surface expansion has exploded, driven by cloud adoption, the use of SaaS (software as a service) tools, and the fact that so many organizations have come to rely on third-party vendors.
Despite this expansion, organizations often lack visibility into this expanded surface. According to a recent report, teams often can’t keep up with attack surface expansion — it takes more than 80 hours for the average organization to update their attack surface inventory. More worryingly, 7 in 10 organizations have been compromised thanks to an unknown, unmanaged, or poorly managed internet-facing asset in the past year.
So how can you get a handle on your attack surface? And what do third parties have to do with it?
The trouble with third-party vendors
If your organization is like most companies, your third parties are a huge part of your business. They’re your vendors, suppliers, contractors, and partners. They provide mission-critical services for you, like cloud services, data storage, and payment processing. They’re part of your extended enterprise, and they make it easier and less expensive for you to do business.
Unfortunately, when you take on a third-party vendor, their risk becomes your risk. Third parties need access to your systems and data to be effective, but you don’t have the control over them as you do over your employees. You can’t require the employees of another company to adhere to your own standards — but if your customers’ data is exposed because of a third party, the breach is still your responsibility. Unfortunately, cybercriminals often target third-party providers to steal their clients’ data and networks — as in the SolarWinds breach at the end of 2020. And while you might know that third parties can be a source of risk, it can be hard to gain visibility into exactly how risky those relationships can be.
Take the traditional method of monitoring third parties — security questionnaires. At worst, questionnaires are a time-consuming administrative exercise that both you and your vendors find exhausting. At best, they’re a static method of monitoring, a single snapshot of your third party at a specific moment in time — perhaps all their software is patched today, but what about next week?
This method of monitoring leaves significant blind spots in your attack surface and opens you up to attackers who are increasingly interested in targeting third-party vendors.
The cost of a third party breach
The involvement of third parties in data breaches has always increased the cost of an attack. According to Ponemon’s 2021 Cost of a Data Breach Report, breaches caused by third-party software vulnerabilities increase the cost of an attack by more than $90,000.
Unfortunately, third-party breaches are becoming more and more frequent. According to InfoSecurity Magazine, 44% of organizations were found to have experienced a security breach in the last year. Of those companies, 74% said that the breach occurred because too much privileged access had been given to third parties.
So how can you effectively monitor your attack surface and limit third-party risk?
Monitor your third parties’ attack surface continuously
According to reports, 67% of organizations have seen their attack surface expand in the last two years. That includes your third parties as well as your own organization.
Rather than relying on questionnaires to monitor your third parties, it’s important to engage in real-time monitoring of your vendors’ attack surfaces. By using intelligence, automated tools that allow you to continuously monitor the security posture of your vendors, you can avoid having to take a vendor’s word for the accuracy of their questionnaire. Instead, you’ll receive a notification whenever a vendor falls out of compliance, and scan for problems the vendor might not know about, like unsecured assets, compromised credentials, or other sensitive information.
As attack surfaces grow and change, it’s critical that you have insight into yours — and that means knowing the attack surface of your third parties as well. Request a demo of SecurityScorecard’s Attack Surface Intelligence tool to better see your attack surface, and when you can see it, you can better protect it.
