
Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

Brian Thomas | October 4, 2019

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

According to the AFP news agency, the world’s second largest aerospace and defense company has been targeted by four major cyber-attacks in the past 12 months, one of which resulted in a data breach. The hacks are being linked to a Chinese state-sponsored cyber threat group with a record of stealing intellectual property from aerospace manufacturers.

But what makes this series of attacks stand out among the daily glut of cyber incidents isn’t the motive or the persistent nature of the attacks. Rather, it’s the path by which the hackers attempted to gain access to Airbus’ systems – by targeting its third-party suppliers.

The growing third-party supply chain risk

This form of hacking via vendor networks, in this case Rolls Royce and Expleo, isn’t uncommon. Today, 59% of data breaches originate with third-party vendors. And, as globalization brings more interconnected supply chains, that number is anticipated to grow.

Unfortunately, even with vigorous security controls in place to continuously monitor for threats, the vast majority of organizations struggle with supply chain risk management and remain vulnerable to third-party hacks and breaches.

A key challenge is that most companies don’t know how to implement third-party risk management (TPRM). The scope of the task is incredibly complex. IT and security teams can quickly become overwhelmed trying to ascertain a vendor or partner’s security posture and potential risk exposure of that business relationship.

Evaluating vendor risk with security ratings

One way to evaluate vendor security is through third-party IT cybersecurity risk questionnaires. These can help organizations identify potential weaknesses among vendors and partners that could result in a breach.

The trouble is, these questionnaires only offer a snapshot of a vendor’s cybersecurity posture. Nothing in business is static. A vendor’s systems may change or be outsourced, their security policies might be re-written, and new threats continually evolve, so the risk presented by a single vendor is constantly shifting.

A more effective way of exposing risk in your supply chain – quickly and without complexity – is to add security ratings to your TPRM program.

While security ratings don’t directly monitor vendor systems, they do show how seriously a vendor takes security by exposing risk vectors such as open or non-secure ports, unpatched systems, malware infections, and publicly-disclosed breaches – all of which indicate serious security liabilities – in minutes or hours, not weeks. And, because vendors are scored with a rating, much like a credit score, it’s easier to communicate the scale and severity of risk to a non-technical audience in the C-Suite, on the Board, or even with the vendor in question.

Make cyber risk a vendor KPI

As the Airbus hacks show, European companies can ill afford to ignore risk in their supply chains. In addition to the reputational risk, GDPR regulators are enforcing steep penalties for corporate cyber breaches, which makes the stakes of a data breach too high to ignore.

Continuous monitoring of your organization’s own systems may be enough to hold off a cyber-attack, but it’s also imperative that everyone involved in risk management – the Board, the C-suite, legal counsel, procurement teams, and the security operations center – understand the level of risk across the entire supply chain and select vendors based on their security vigor.

With this in mind, each time you enter a new vendor agreement, prioritize cybersecurity as one of the KPIs you look at and continuously monitor – for the life of that relationship.
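The two ideas above, a credit-score style rating built from externally observable risk vectors and cyber risk tracked as a vendor KPI over the life of the relationship, can be sketched in a few dozen lines. The following is an added example and is not BitSight's scoring model or code from this post; the penalty weights, the KPI thresholds, the "sharp drop" rule, the vendor names and all findings are constructed assumptions chosen to illustrate why a single questionnaire snapshot is not enough.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed penalty weights per finding. A real ratings service uses its own
# proprietary model; these values are illustrative only.
WEIGHTS = {
    "open_insecure_ports": 3,
    "unpatched_systems": 5,
    "malware_infections": 10,
    "disclosed_breaches": 15,
}

# Assumed KPI bands on the 0-100 score.
PASS_THRESHOLD = 80
REVIEW_THRESHOLD = 60
# A drop larger than this between two consecutive snapshots is reported even
# when the vendor still passes: the rating is meant to be watched continuously.
MAX_ACCEPTABLE_DROP = 15


@dataclass(frozen=True)
class VendorSnapshot:
    """Externally observable findings for one vendor at one point in time."""
    vendor: str
    observed: date
    open_insecure_ports: int
    unpatched_systems: int
    malware_infections: int
    disclosed_breaches: int


def risk_score(snap: VendorSnapshot) -> int:
    """Start at 100, subtract weighted penalties, clamp at 0 (credit-score style)."""
    penalty = sum(getattr(snap, name) * weight for name, weight in WEIGHTS.items())
    return max(0, 100 - penalty)


def kpi_status(score: int) -> str:
    """Map a score onto the assumed KPI bands."""
    if score >= PASS_THRESHOLD:
        return "pass"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "fail"


def evaluate_history(snapshots):
    """Score every snapshot per vendor in date order and flag sharp drops."""
    by_vendor = defaultdict(list)
    for snap in snapshots:
        by_vendor[snap.vendor].append(snap)
    report = {}
    for vendor, snaps in by_vendor.items():
        rows, previous = [], None
        for snap in sorted(snaps, key=lambda s: s.observed):
            score = risk_score(snap)
            drop = previous - score if previous is not None else 0
            rows.append({
                "observed": snap.observed.isoformat(),
                "score": score,
                "status": kpi_status(score),
                "sharp_drop": drop > MAX_ACCEPTABLE_DROP,
            })
            previous = score
        report[vendor] = rows
    return report


def vendors_needing_attention(report):
    """Vendors whose latest snapshot is below 'pass' or shows a sharp drop."""
    flagged = [v for v, rows in report.items()
               if rows[-1]["status"] != "pass" or rows[-1]["sharp_drop"]]
    return sorted(flagged)


# Constructed sample history: a one-off questionnaire in July would have rated
# Supplier A as healthy, but the August scan tells a different story.
SAMPLE_HISTORY = [
    VendorSnapshot("Example Supplier A", date(2019, 7, 1), 2, 1, 0, 0),
    VendorSnapshot("Example Supplier A", date(2019, 8, 1), 4, 3, 1, 0),
    VendorSnapshot("Example Supplier A", date(2019, 9, 1), 1, 0, 0, 1),
    VendorSnapshot("Example Supplier B", date(2019, 9, 1), 0, 2, 2, 1),
]

if __name__ == "__main__":
    report = evaluate_history(SAMPLE_HISTORY)
    for vendor, rows in report.items():
        for row in rows:
            print(vendor, row)
    print("needs attention:", vendors_needing_attention(report))
```

Running the block shows Supplier A moving from 89 (pass) to 63 (review) and back to 82 (pass) across three months, with the August drop flagged; Supplier B scores 55 and fails outright. The point for a TPRM program is the shape of the function, not the numbers: the score is recomputed from fresh observations on every cycle, and the KPI check runs on the latest cycle rather than on the questionnaire answered at onboarding.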
