This commonplace practice is not without cyber risks. A 2022 Ponemon Institute survey of over 1,000 IT professionals found that almost 60% of companies experienced a data leak directly caused by one of their service providers over the past 12 months.

The recent attack on the Rennes University Hospital in France illustrates this risk: the hospital had to cut all its connections with the outside world on June 21 following the detection of an attack carried out using a VPN account created so that a software publisher could carry out remote maintenance of its application.

This is the known as Third-Party risk which is rapidly increasing because subcontracting works in cascades: the subcontractors themselves use other companies for certain tasks thereby propagating the cyber risk down the entire chain.

The same Ponemon Institute study found that 54% of companies experienced a data leak caused by an attack on a Tier 1 subcontractor, and 38% by an attack on a Tier 2 or lower subcontractor.

Service providers have become increasingly popular hacker targets. This change in targets is easy to explain: as you go down the subcontractor pyramid, the companies get smaller and don’t always have a CISO, and sometimes don’t even have a CIO.

As a result, their protection resources are extremely limited. Attackers have no trouble finding open vulnerabilities in their messaging systems or on their servers.

The most striking example is that of a major arms manufacturer whose information system is highly protected, but who relies on thousands of partners for its industrial processes. Naval Group’s Group Cybersecurity Governance Manager raised this issue at the 2023 FIC, pointing out that the French naval armament giant relies on very small SMEs and now has to manage their cyber risk.

The risk associated with Third-Parties is clearly that of confidential data being stolen by attackers. Entrusting data to third parties is common when several companies work on the same project. Attackers will access the data at the least well protected partner.

In 2019, the Citycomp service provider had 516 Gb of data stolen, i.e. 300,000 files containing data from its customers, including Volkswagen, Airbus, Oracle, SAP and Unicredit. At the same time, several DSCs (Digital Services Companies) that were Airbus suppliers were the victims of cyber attacks. It was obvious who the attacker’s real target was.

In addition to direct data theft, attackers can infiltrate service providers to carry out rebound attacks. They will use the rights granted to the provider on a file server, or an API to carry out the attack on its true target. A simple, legitimate service provider email address can be enough for them to send a ” spear phishing ” email, a phishing attack specially designed for a specific target.

The attackers’ purpose may also be to simply destabilize the company’s supply chain by injecting incorrect data into its systems. Attackers may also want to destroy as many files as possible, or just damage the target’s public image by blocking its systems and forcing it to publicly communicate about the attack.

The attack on the Solarwinds publisher in 2020 is a textbook case of the danger of an attack on an IT supply chain subcontractor. The attackers managed to install a virus in the update system of its remote IT installation monitoring software, Orion. That software is used by thousands of companies worldwide. At the time, the publisher reported that 18,000 customers had been impacted by the attack, including 425 Fortune 500 companies and numerous public organizations including the US government. Once the malware had been installed by an Orion update, the IT systems of all those organizations were virtually accessible to the attackers.

Dealing with service provider risks isn’t easy. Major companies can have several thousand subcontractors worldwide, and their IT departments have no direct control over their security practices.

The first lever for action is contractual. Companies can include a number of obligations in the contracts they sign with their suppliers. The European Commission proposes standard clauses to be included in contracts for the protection of personal data. This reminds subcontractors of their obligations and ensures their compliance with the GDPR.

CIOs need to include very pragmatic cyber clauses in their contracts, such as simply mentioning the name of the person and their substitute to be called urgently if a cyber attack occurs.

Technical constraints can be defined by contract, such as:

Companies can also require their partners to grant them the power to audit their systems if the partners are particularly critical to their processes.

A contractual approach is a prerequisite, but a signature on a contract won’t keep attackers away. Companies can’t content themselves with this lever:  they need to have a clearer idea of the cyber maturity of their partners.

The most common approach is to ask the purchasing department to send a security questionnaire before listing a new supplier.

These questionnaires often have dozens of questions. Their purpose is to give CISOs an idea of the protection measures in place:

The downside? These questionnaires are sometimes highly detailed, and suppliers may tend to overestimate their security level to win a new contract. Moreover, as this practice has become widespread, companies are sent dozens of this type of questionnaire every year, and the time spent drawing up the answers very much depends on the size of the issuer of the questionnaire.

It’s impossible to send cyber teams to hundreds or even thousands of service providers to check their security architecture.

Only a few critical service providers can be visited each year. Now, if we assume that attackers will exploit the weakest link to reach their targets, major clients need to bolster their audit strategy with an SME part.

A full market dedicated to meeting this need has emerged over recent years: the Third-Party Cyber Security Risk Assessment market. Their model is a replication of the corporate financial rating system in the cybersecurity sector. Every supplier is given a security rating. Some service providers carry out a purely technical assessment of each company’s security by scanning the data available on the web.

This automated approach is a means of covering a large number of companies, but is limited to the tip of theiceberg; it only assesses the face of IT systems visible from the Internet, and not their internal hardware and processes.

These service providers can also take charge of sending security questionnaires to all their customers’ third parties.

They compile all the answers, analyze the results and produce a global and detailed report. Some provide consultants who check the consistency and veracity of the answers by calling each respondent.

Regardless of the chosen solution, or rather the combination of chosen solutions, today it’s impossible to ignore this third-party risk. Major companies will increasingly be selecting their suppliers based on their cyber maturity, and those without state-of-the-art protection and encryption will find themselves denied access to many potential customers.