Third-Parties: Risks & Threats Associated With Them

Third-Party risks are more as the Third-Party breaches continue to dominate and these breaches are expensive to organizations. Third-parties are those companies that you directly work with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors. Third-Parties are  basically any organization, whose employees or systems have access to your systems/ data. However, third-party cyber risk is not limited to these companies. Any external software/ hardware that you use for your business also poses a cyber risk. Sometimes the JavaScript that is added to your website, for analytics, may cause a breach by exposing the information of people who visits your website. Recent hacks like CCleaner in 2017 exposed backdoors to well-known software have confirmed that the definition of third-party should not be limited to only the companies that you directly work with. IoT devices can even be considered as a third-party and can be source of a breach.

According to survey conducted by Deloitte in 2016, 87%of organizations have experienced disruptive incidents with the Third-Parties they have worked with. Another research done by Soha Systems found out that around 63% of breaches are because of Third-Parties.

Sources:

https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html

https://www.normshield.com/2018-guide-to-select-3rd-party-cyber-risk-assessment-tool/

How to Assess Third-party Risks:

Many Companies don’t conduct any assessment of the risk of Third-Parties, or sometimes they use age old questionnaire methodology like sending a lot of questions for Third-Parties to answer. Firstly, the questionnaire-based approach is very time consuming. Though there are so many online tools that simplify the process, but the answers got from questionnaire approach were not that reliable. Even if you continue with the assumption that all the questions answered by Third-Parties are correct to gather results quickly, there might be some cyber risks which are invisible to Third-Parties. These types of invisible risks can be detected by gathering cyber threat intelligence and by risk evaluation which companies like FireShadows can help.

Fortunately, there are platforms like FireShadows that gather third-party cyber risk data and provide a risk score or security rating for companies. The information gathering is done by a method called “passive scan” where non-intrusive methods are used, and company assets remain untouched. It is basically a hacker’s view of the Third-Parties external cyber risk. The OSINT (Open-Source Intelligence) data is collected from many feeds such as reputation services, hacker sites/forums, vulnerability databases, Internet-wide scanners, social media, paste sites, black markets, underground forums, etc. Information gathering should be done for the company of interest and any related third-party company.

Votes: 0
E-mail me when people leave their comments –

Community Head, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (bi-monthly)

  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

CISO Meetup at BlackHat Las Vegas 2025

  • Description:

    We are excited to welcome you to the CISO Meetup during BlackHat USA 2025 in Las Vegas! Join us for an exclusive networking, meaningful conversations, and community building with top CISOs and cybersecurity leaders from around the globe. 

    Meetup Details:

    Location: Mandalay Bay, Las Vegas …

  • Created by: Biswajit Banerjee
  • Tags: ciso, black hat, black hat 2025, black hat usa

6 City Playbook Round Table Series (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

  • Description:

    Join us for an exclusive 6-city roundtable series across Delhi, Mumbai, Bangalore, Pune, Chennai, and Kolkata. Curated for top cybersecurity leaders, this series will spotlight proven strategies, real-world insights, and impactful playbooks from the industry’s best.

    Network with peers, exchange ideas, and contribute to shaping the Top 100 Security Playbooks of the year.

    Date : Sept 2025 - Oct 2025

    Venue: Delhi, Mumbai, Bangalore, Pune,…

  • Created by: Biswajit Banerjee