Nearly all large organizations have robust cybersecurity measures, yet many of their third-party suppliers do not—especially those that are small and midsize businesses (SMBs). This presents a significant challenge and leaves large enterprises vulnerable because:
- They lack the visibility to identify and characterize third-party risks
- Their supply chains critically rely on a significant number of small to midsize businesses
- Organizations such as theirs are being exploited via attacks on small to midsize business partners
The notion that large organizations are cyber criminals’ primary targets is only partly true. When smaller entities are attacked, they often open a doorway for threat actors to access the data or significantly disrupt the operations of their larger partners. Attackers are exploiting these vulnerabilities, and cybersecurity leaders say third-party risk is now one of their biggest concerns.
“Vendor vulnerabilities are what keeps us up at night. They’re [cyber criminals] not going after the major big players. They’re not going after the AT&Ts and Verizons and things like that. They’re going after the small organizations that become more disruptive to us,” said Mike Kane, SVP of Global Security Operations at Global Payments.
Third-party SMBs present cyber risks to enterprises
Many large enterprises have hundreds—if not thousands—of third-party partners. Delta Airlines, for example, has approximately 29,000 direct suppliers. Chief information security officers (CISOs) and their teams have no direct oversight, control, or management of the third parties they work with, so they cannot truly understand where those parties’ vulnerabilities lie.
These same enterprises also often have lean cybersecurity teams, making it difficult for them to continuously monitor thousands of vendors on top of their day-to-day activities and priorities. But with attacks on SMBs on the rise, finding a way to effectively manage third-party vulnerabilities is an imperative.
Last year, 61% of cyber attacks were aimed at SMBs, and 75% of SMBs could not operate following a ransomware attack. As of June 2024, reports indicate that 94% of SMBs have experienced at least one cyber attack—a dramatic rise from 64% in 2019. According to the same research, common SMB vulnerabilities include:
- Weak passwords: Reliance on simple, easily guessable passwords
- Outdated software: Failure to regularly update software, creating security holes
- Lack of employee training: Employees not adequately trained to recognize cyber threats
These challenges are compounded by a significant skills and resource gap, as three-quarters of SMBs lack the internal expertise to effectively manage and mitigate security threats—putting large organizational partners at greater risk for significant impacts like operational delays and financial losses.
Large organizations affected by third-party cyber attacks
- Delta Airlines: Suffered a data breach via one of its 29,000 third-party suppliers. The supplier was integrated into the airline’s e-commerce platform, and the breach cost Delta hundreds of millions of dollars to remediate.
- Ticketmaster: A 2024 hack on the cloud storage vendor Snowflake exposed the information of over half a billion Ticketmaster customers.
- AT&T: In March 2023, AT&T announced that a third-party vendor’s data breach had compromised the customer proprietary network information (CPNI) of about 9 million wireless customers.
- American Express: Notified its customers in March 2024 of a data breach stemming from unauthorized access to a third-party merchant processor.
- U-Haul: A December 2023 breach occurred when threat actors gained unauthorized access to a reservation tracking system within U-Haul’s network, exposing its customers’ personal information, including names and driver’s license numbers.
- Samsung: A vulnerability in an unnamed third-party app led to a breach of Samsung customer information in November 2023. Nearly 200 gigabytes of confidential data from the company’s systems were leaked, including algorithms for biometric unlock operations and source code for various technologies.
These incidents highlight the financial and reputational impacts of cyber attacks on SMBs and the organizations that partner with them.
How to mitigate third-party risks
To mitigate potential risks, CISOs and their teams must do their due diligence to ensure that third parties’ cybersecurity measures are robust and aligned with their organization’s standards.
“Companies need to think through, particularly if the companies in their supply chain are small or medium-sized businesses: What can they do from a mentorship perspective? What can they do to kind of expand their own security aperture to help those entities?” said Brandon Wales, Executive Director at U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Questions to ask third-party suppliers and vendors
- What is the cybersecurity policy and protocol between you and those you provide services to?
- What are your data privacy and retention policies? Do they need updating?
- Have you experienced any security breaches in the past months, quarters, or year? If so, when did you find out about them? How did you respond?
- What is your process for reporting and communicating a cybersecurity incident to your organization?
- What is your process for managing vulnerabilities, and is it done in-house or is it outsourced?
- Can you provide evidence of regular security audits and assessments?
Employ cyber risk detection tools
Today’s cyber risks are constant, innumerable and far-reaching. No CISO wants to be the one to miss an attack, but prevention is increasingly challenging due to widespread cybersecurity staff and resource constraints.
With a global shortage of 4 million cybersecurity professionals, and 75% of organizations lacking the necessary skills to implement effective cybersecurity measures, it’s clear that manual detection methods are no longer sufficient; they must be augmented by AI.
Only AI-enabled detection tools and technology, like Dataminr Pulse for Cyber Risk, can detect cyber risks with the speed and scale large enterprises need to stay ahead of external threats and vulnerabilities, and to build a more secure, cyber-resilient organization.
Dataminr Pulse for Cyber Risk
See how organizations like yours use Dataminr Pulse for Cyber Risk to increase visibility into threats to their third parties and subsidiaries—ensuring they can mitigate risk faster and more effectively.