Risk management is an essential component of every organization’s cybersecurity strategy. As the threat landscape grows more complex and digital attack surfaces expand, organizations must make strategic decisions that maximize limited budgets and resources.

When developing a cyber risk mitigation strategy, it is vital to consider all potential sources of risk to the organization. While internal factors can create risk, third parties are also part of an organization’s attack surface.

Defining Your Third-Party Attack Surface

Third-party risk can originate from a number of sources. Two of the most common are risks originating with an organization’s vendors and suppliers, and risks inherited from the use of third-party and open-source software.

Vendors and Suppliers

Trusting vendors and suppliers is a core part of an organization’s ability to do business. On average, a company shares sensitive data with 583 third parties as part of core business activities.[1] However, only 34% of these companies keep a complete record of the organizations with whom they share this data.

Exposure of sensitive internal data is not the only risk associated with vendor relationships. In 94% of companies, third-party vendors or suppliers have authorized access to the organization’s network.[2] In 72% of cases, this access includes administrator-level privileges on internal systems.

Achieving visibility into these third-party relationships is essential to accurately evaluating an organization’s cyber risk. Even if a third-party vendor can be trusted with access to an organization’s network and systems, that access could allow a cybercriminal to use the partner’s network as an entry point into the company network; this was the case in the Target breach. Cybercriminals took advantage of the network access that had been granted to the company’s HVAC provider and used it to infiltrate Target’s network.[3]

Third-Party and Open Source Code

Even if an organization chooses to deny third-party organizations access to their networks and systems, they must still consider their reliance on third-party code. Every organization uses applications developed outside of their organization, and 96% of applications built by organizations contain open-source code.[4]

Despite this heavy reliance upon external code, many organizations do not include it in their risk model. In fact, 40% of organizations never perform software composition analysis (SCA), security testing designed to identify the use of open-source code with known vulnerabilities, or claim that they use no open-source code at all.

Overlooking the use of open-source and third-party code can create significant security risks. Vulnerabilities that exist in this external code can be exploited to gain access to the organization’s network; the Equifax breach is an example. Cybercriminals exploited an unpatched vulnerability in Apache Struts, an open-source web application framework that the organization was using.[5]
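To make concrete what SCA does, here is an added example (not code from this article or from MorganFranklin): a minimal composition check that reads a pinned dependency manifest and matches each component against an advisory feed with affected version ranges. The manifest, the component names and the advisory identifiers are all constructed for the demonstration, not real projects or real CVEs.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest of pinned dependencies (fictional component names).
MANIFEST = """\
# example-app dependencies (constructed sample, not a real project)
acme-web-framework==2.3.31
acme-upload==1.3.3
acme-json==2.9.10
acme-logging
"""

# Constructed advisory feed: component -> [(advisory id, first affected, first fixed)].
# Advisory ids are placeholders, not real CVE numbers; ranges are invented for the demo.
ADVISORIES = {
    "acme-web-framework": [("ADV-PLACEHOLDER-001", (2, 3, 5), (2, 3, 32))],
    "acme-json": [("ADV-PLACEHOLDER-002", (2, 9, 0), (2, 9, 10))],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_manifest(text: str) -> Dict[str, Optional[Tuple[int, ...]]]:
    """Read 'name==version' lines; an unpinned name maps to None (cannot be assessed)."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = parse_version(version) if version else None
    return deps

def find_vulnerable(deps, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory) for each pinned dependency whose version
    falls in an affected range [first_affected, first_fixed); unpinned ones are flagged."""
    findings = []
    for name, version in deps.items():
        if version is None:
            findings.append((name, "unpinned", "VERSION-UNKNOWN"))
            continue
        for adv_id, first_affected, first_fixed in advisories.get(name, []):
            if first_affected <= version < first_fixed:
                findings.append((name, ".".join(map(str, version)), adv_id))
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable(parse_manifest(MANIFEST)):
        print("%s %s -> %s" % finding)
```

Note that the component pinned exactly at the first fixed version is correctly not reported, while an unpinned dependency is surfaced as a finding in its own right because its exposure cannot be evaluated.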

How MorganFranklin Can Help

Protecting against third-party risk requires an organization to intentionally identify potential sources of external risk and include them in their risk mitigation strategy. MorganFranklin can assist with every stage of this strategy, from performing a third-party risk assessment and drafting risk mitigation strategies based upon industry best practices, to deploying and configuring risk reduction solutions such as identity access management (IAM).


[1] http://www.rmmagazine.com/2019/08/01/simplifying-third-party-risk-management/
[2] https://threatpost.com/admin-rights-third-parties-risk/150462/
[3] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[4] https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-19.pdf
[5] https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/