Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

Brian Thomas | October 4, 2019 | tag: Third Party Data Breach

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

According to the AFP news agency, the world’s second largest aerospace and defense company has been targeted by four major cyber-attacks in the past 12 months, one of which resulted in a data breach. The hacks are being linked to a Chinese state-sponsored cyber threat group with a record of stealing intellectual property from aerospace manufacturers.

But what makes this series of attacks stand out among the daily glut of cyber incidents isn’t the motive or the persistent nature of the attacks. Rather, it’s the path by which the hackers attempted to gain access to Airbus’ systems – by targeting its third-party suppliers.

The growing third-party supply chain risk

This form of hacking via vendor networks, in this case Rolls-Royce and Expleo, isn’t uncommon. Today, 59% of data breaches originate with third-party vendors. And, as globalization brings more interconnected supply chains, that number is anticipated to grow.

Unfortunately, even with vigorous security controls in place to continuously monitor for threats, the vast majority of organizations struggle with supply chain risk management and remain vulnerable to third-party hacks and breaches.

A key challenge is that most companies don’t know how to implement third-party risk management (TPRM). The scope of the task is incredibly complex. IT and security teams can quickly become overwhelmed trying to ascertain a vendor or partner’s security posture and the potential risk exposure of that business relationship.

Evaluating vendor risk with security ratings

One way to evaluate vendor security is through third-party IT cybersecurity risk questionnaires. These can help organizations identify potential weaknesses among vendors and partners that could result in a breach.

The trouble is, these questionnaires only offer a snapshot of a vendor’s cybersecurity posture. Nothing in business is static. A vendor’s systems may change or be outsourced, their security policies might be re-written, and new threats continually evolve, so the risk presented by a single vendor is constantly shifting.

A more effective way of exposing risk in your supply chain – quickly and without complexity – is to add security ratings to your TPRM program.

While security ratings don’t directly monitor vendor systems, they do show how seriously a vendor takes security by exposing risk vectors such as open or non-secure ports, unpatched systems, malware infections, and publicly-disclosed breaches – all of which indicate serious security liabilities – in minutes or hours, not weeks. And, because vendors are scored with a rating, much like a credit score, it’s easier to communicate the scale and severity of risk to a non-technical audience in the C-Suite, on the Board, or even with the vendor in question.
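To make the rating idea concrete, here is an added example (not code from the original post, and not any rating provider’s method) that turns externally observed risk vectors into a single 0–100 score and a credit-score-style letter grade, then compares two snapshots so a deterioration is flagged rather than missed between questionnaires. The penalty weights, alert thresholds, vendor name and findings are all constructed assumptions.

```python
"""Toy vendor security rating (added example, not the post's or any provider's code).

Reduces observed external risk vectors (open or non-secure ports, unpatched
systems, malware infections, publicly disclosed breaches) to one number and a
letter grade, and compares successive snapshots so a drop raises an alert.
Weights, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed penalty points per finding for each risk vector (constructed weights).
PENALTY = {
    "open_port": 4,           # e.g. a management port reachable from the internet
    "insecure_protocol": 8,   # e.g. a cleartext or legacy protocol exposed
    "unpatched_system": 10,   # externally observable end-of-life or vulnerable software
    "malware_infection": 20,  # sinkhole or beacon evidence from the vendor's address space
    "disclosed_breach": 25,   # publicly reported breach in the observation window
}

MAX_SCORE = 100

# Letter-grade bands, highest first (assumed cut-offs).
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


@dataclass
class Snapshot:
    """Counts of findings per risk vector observed for one vendor at one time."""
    vendor: str
    observed: str  # ISO date of the observation, kept as a string for simplicity
    findings: Dict[str, int] = field(default_factory=dict)


def score(snap: Snapshot) -> int:
    """Subtract weighted penalties from a perfect score, floored at zero.

    Unknown risk-vector names are rejected so a typo in a data feed cannot
    silently contribute zero penalty and inflate the rating.
    """
    total = 0
    for vector, count in snap.findings.items():
        if vector not in PENALTY:
            raise ValueError(f"unknown risk vector: {vector}")
        if count < 0:
            raise ValueError(f"negative count for {vector}")
        total += PENALTY[vector] * count
    return max(0, MAX_SCORE - total)


def grade(value: int) -> str:
    """Map a 0-100 score to a letter grade, the 'credit score' view for the board."""
    for cutoff, letter in GRADE_BANDS:
        if value >= cutoff:
            return letter
    return "F"


def assess_change(previous: Snapshot, current: Snapshot,
                  floor: int = 70, drop: int = 10) -> List[str]:
    """Return the alerts a TPRM owner would want between two snapshots.

    Assumed conditions: the rating fell below the contractual floor, or it
    dropped by `drop` or more points regardless of where it landed. New
    malware or breach findings are named explicitly because they usually
    warrant a direct conversation with the vendor.
    """
    alerts = []
    before, after = score(previous), score(current)
    if after < floor:
        alerts.append(f"{current.vendor}: rating {after} below floor {floor}")
    if before - after >= drop:
        alerts.append(f"{current.vendor}: rating dropped {before - after} points "
                      f"({before} -> {after})")
    for vector in ("malware_infection", "disclosed_breach"):
        if current.findings.get(vector, 0) > previous.findings.get(vector, 0):
            alerts.append(f"{current.vendor}: new {vector} finding since {previous.observed}")
    return alerts


# Constructed sample data for a hypothetical supplier, "ExampleParts Ltd".
Q1 = Snapshot("ExampleParts Ltd", "2019-01-15",
              {"open_port": 2, "unpatched_system": 1})
Q3 = Snapshot("ExampleParts Ltd", "2019-07-15",
              {"open_port": 2, "unpatched_system": 1, "malware_infection": 1})

if __name__ == "__main__":
    for snap in (Q1, Q3):
        s = score(snap)
        print(f"{snap.observed}: score {s}, grade {grade(s)}")
    for line in assess_change(Q1, Q3):
        print("ALERT", line)
```

Run as a script, the January snapshot rates 82 (B) and the July one 62 (D), and all three alert conditions fire: below the floor, a drop of 20 points, and a new malware finding. The design choice worth noting is that rejecting unknown vector names is deliberate; a scoring pipeline that quietly ignores unrecognised input fails open.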

Make cyber risk a vendor KPI

As the Airbus hacks show, European companies can ill afford to ignore risk in their supply chains. In addition to the reputational risk, GDPR regulators are enforcing steep penalties for corporate cyber breaches, which makes the stakes of a data breach too high.

Continuous monitoring of your organization’s own systems may be enough to hold off a cyber-attack, but it’s also imperative that everyone involved in risk management – the Board, the C-suite, legal counsel, procurement teams, and the security operations center – understands the level of risk across the entire supply chain and selects vendors based on their security vigor.

With this in mind, each time you enter a new vendor agreement, prioritize cybersecurity as one of the KPIs you look at and continuously monitor – for the life of that relationship.
