Linda Rosencrance
Contributing Writer

5 biggest risks of using third-party services providers

Feature | Feb 15, 2023 | 7 mins
Data and Information Security, Vendors and Providers

Here's how outsourcing business services to a third-party provider might present risk to security, reputation, and regulatory compliance.

As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to contract out work that would otherwise require significant effort and potentially drain in-house resources to those who can do it for you.

The use of third-party services can also come with significant—often unforeseen—risks. Third parties can be a gateway for intrusions, harm a company’s reputation if a service malfunctions, expose it to financial and regulatory issues, and draw the attention of bad actors from around the world. A poorly managed breakup with a vendor can also be perilous, resulting in the loss of access to systems put in place by the third party, loss of custody of data, or loss of data itself.

Companies are paying more attention to cybersecurity risk, according to Gartner analyst Luke Ellery. Gartner’s 2022 Risk Assessments in a Volatile World survey revealed that 73% of respondents involved in enterprise risk programs said they now assess cybersecurity more rigorously compared to 2019.

Reliance on third-party services is increasing

“The focus on third parties is heightened in this context as organizations are increasingly reliant on third parties, such as technology and cloud vendors, which store sensitive data or access critical systems,” Ellery says. “This risk is higher if the third-party’s cybersecurity controls are poor. There is also the risk that the third party’s own suppliers are compromised. If the data or systems are compromised, then the impact could include brand and reputational damage, legal and regulatory fines or penalties, and remediation costs.”

The use of third parties is a broadly accepted necessity for many businesses, says Hanne McBlain, senior director with technology research and advisory firm ISG, but they need to be managed on an ongoing basis. Third-party partnerships come with inherent business risks by moving aspects of control beyond a company’s walls. This takes on a particular urgency considering 98% of global organizations were connected to at least one third-party vendor that has been breached in the past two years, says Caleb Merriman, CISO at Deltek, a provider of software for project-based businesses.

Here are the five main cybersecurity risks third-party services are exposing you to:

Compromised customer and company data from cyberattacks

Indirect cyberattacks—successful breaches coming into companies through third parties—increased to 61% from 44% in the last several years, according to the World Economic Forum’s Global Cybersecurity Outlook 2022. One of the reasons this occurs is that many companies don’t have the proper controls in place to effectively offboard third-party vendors, says Peter Tran, chief information security officer (CISO) at IT and security consulting firm InferSight. “They don’t have the processes in place to control the access management rights and provisioning that these accounts have, which leaves the door open for cyberattackers who look for aged accounts that are still active,” he says.
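One concrete control for the offboarding gap Tran describes, as an added example that is not from the article or any of the firms quoted: a small audit over vendor-account records that flags enabled third-party accounts whose contract has ended, that have sat idle past a threshold, or that hold roles outside the vendor's approved scope. The account fields, vendor names and role names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample of third-party (vendor) accounts; field names are this example's own
VENDOR_ACCOUNTS = [
    {"user": "svc-acme-backup", "vendor": "Acme Backup", "contract_end": date(2022, 12, 31),
     "last_login": date(2023, 2, 1), "enabled": True, "roles": {"backup-operator"}},
    {"user": "svc-cloudco-mon", "vendor": "CloudCo", "contract_end": date(2024, 6, 30),
     "last_login": date(2022, 9, 15), "enabled": True, "roles": {"read-only"}},
    {"user": "svc-cloudco-admin", "vendor": "CloudCo", "contract_end": date(2024, 6, 30),
     "last_login": date(2023, 2, 10), "enabled": True, "roles": {"read-only", "domain-admin"}},
    {"user": "svc-dataq-etl", "vendor": "DataQ", "contract_end": date(2024, 1, 31),
     "last_login": date(2023, 2, 12), "enabled": True, "roles": {"etl-writer"}},
]

# Roles each vendor is contractually allowed to hold (constructed)
APPROVED_ROLES = {
    "Acme Backup": {"backup-operator"},
    "CloudCo": {"read-only"},
    "DataQ": {"etl-writer"},
}

# Date the audit is run against the sample above (constructed)
AUDIT_DATE = date(2023, 2, 15)


def audit_vendor_accounts(accounts, approved_roles, today, max_idle_days=90):
    """Return {user: [findings]} for enabled third-party accounts that need review or disabling."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already offboarded; nothing to flag
        issues = []
        # Engagement over but access still live: the "aged account" an attacker looks for
        if acct["contract_end"] < today:
            issues.append("contract ended %s but account still enabled" % acct["contract_end"])
        # Dormant access is a sign the vendor no longer needs it
        if today - acct["last_login"] > timedelta(days=max_idle_days):
            issues.append("no login for %d days" % (today - acct["last_login"]).days)
        # Privilege creep beyond what the contract approved
        excess = acct["roles"] - approved_roles.get(acct["vendor"], set())
        if excess:
            issues.append("roles beyond approved scope: %s" % ", ".join(sorted(excess)))
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_vendor_accounts(VENDOR_ACCOUNTS, APPROVED_ROLES, AUDIT_DATE).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

In practice the account list would come from the identity provider's export and the approved roles from the vendor contract register, with every finding feeding a disable-or-recertify ticket.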

Data obtained from third-party breaches can be abused by threat actors to perform various malicious activities, including identity theft, fraud, account abuse, and external account takeover attacks, says Ariel Weintraub, CISO at MassMutual. Threat actors frequently use compromised credentials and data sourced from third-party or even fourth-party breaches to gain access to other victims’ environments.

“A third party might be attacked while hosting a company’s data or an attacker targets the third party first and then uses that to reach your IT systems,” says Michael Orozco, a cybersecurity analyst for MorganFranklin. He says that due diligence and ongoing monitoring of vulnerabilities throughout the vendor lifecycle will help reduce that risk.

Implementing a defense-in-depth approach to limit a third party’s access to an organization’s network is critical to preventing adversaries from gaining an escalation of privilege, Weintraub says. As such, companies must fully vet all third-party vendors before allowing them access to their systems to ensure that they’ve implemented the proper security protocols. “Third parties are always a concern when it comes to who has our data; that’s why we are continually assessing new and existing third parties in a manner commensurate with cyber-risk to the company.”

Financial risk from incident costs, lost business

The cost of intrusions can be incredibly expensive and cybersecurity insurance does not always cover breaches if companies aren’t protecting their systems in the right way, says Jay Pasteris, CISO and CIO at the managed services firm GreenPages. “The financial impact is what you’re going to lose, but you’re also going to have reputational damage to the organization,” he says. “You’re going to lose customers. You’re going to lose the confidence of new customers, you’ve lost the confidence of existing customers, therefore, you’re losing a revenue stream…. And it’s a lot of money to replace an existing customer. So that financial impact adds up really fast.”

Reputational damage, loss of customer trust

While a breach may not have occurred within the four walls of a company, if a breach at a third-party service involves the client company’s data or its customers, that company may have to make a statement or notify individuals as a result. “Due to this downstream impact, the reputational impacts may far exceed the financial damage,” Weintraub says.

Negative publicity from a service provider’s breach can injure a company’s good name or standing, and unfavorable public perception of a business can begin with issues that originate with a third party in their vendor list. Customer complaints about a service provided by a third party are a good indication there’s a potential problem, Orozco says. “Customers don’t see that your assembly, your product, your services, your ability to interact with them is supported by third parties,” he says. “They only see your name, your brand, and your inability to satisfy the commitment [you’ve made to them].”

Many organizations take proactive measures to ensure that their third parties are effective data custodians. However, when a third party comes with its own vendor supply chain, things get much more complicated, Weintraub says. “As you continue down the line of your vendors and your vendors’ vendors, it can be difficult to have insight into all these entities and the maturity of the third-party risk programs that are protecting sensitive data at the level of rigor that you expect,” she says.

Geopolitical risk

The war in Ukraine has highlighted the need for organizations to monitor political developments very closely and be prepared to act in volatile situations, according to McBlain. Organizations need assurance that all supplier, partner, and joint venture activities in jurisdictions subject to sanctions have ceased. 

“However, the war in Ukraine and the associated sanctions of Russia and Belarus are not the only geopolitical risks to take into consideration,” she says. “Suppliers with operations in countries prone to regime volatility, such as military coups, violent uprisings, and oppression of minorities in a systemic manner, require careful and continuous monitoring.”

Political volatility often comes with a proliferation of nation-state cyber espionage. Organizations need to ensure that their third-party vendors thoroughly vet their contractors for connections to governments known to engage in such acts, Weintraub says. “Third parties may unknowingly hire freelance IT teleworkers that have been dispatched by nation-states to generate revenue for the country’s authoritarian regime or gain access to corporate networks,” she says. “Although they may not engage in any malicious cyber activity while performing their jobs, they may use their privileged access to enable malicious cyber intrusions from inside. This makes detection of malicious activity difficult.”

Regulatory compliance risk

Third-party vendors also expose organizations to compliance risk when they violate governmental laws, industry regulations, or companies’ internal processes. Vendor non-compliance could subject the companies hiring them to massive monetary penalties.

For example, organizations need to check that their third-party vendors are in compliance with the SOC 2 auditing standard. SOC 2 aims to ensure that third parties protect their customers’ sensitive data from unauthorized access. Organizations must also ensure that third parties comply with privacy and security laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), he says.

“Compliance is a huge risk,” says Pasteris. “You may be in compliance and have the necessary controls in place, but all of a sudden you add these third parties into the mix and if you’re not evaluating [whether they have controls in place], you could be breaching your compliance stance.”