The Top Third-Party Cybersecurity Risk Priorities of 2024 – and What to Do About Them

It’s time to make third-party risk management a priority for your organization. Learn 7 ways to get your TPRM program off to the right start in 2024.
By: Dave Shackleford, Owner & Principal Consultant, Voodoo Security
January 15, 2024

2023 showed that third-party data breaches impacted organizations across all industries. Prevalent’s annual TPRM industry study found that 41% of companies reported a third-party breach, and 71% consider third-party security breaches to be a top concern. Organizations of all types and sizes are taking a more serious look at how they can stay on top of the growing number of third-party cyber risks. The challenge is only growing into 2024.

There is a lot that we as security and risk professionals need to do to improve the state of third-party risk management. Confusion persists about what third-party risk is, what controls to implement, how to assess and manage vendors, the impact of regulatory compliance, and much more. It is therefore not surprising that stakeholders across most organizations are confused, yet concerned, about the state of their third-party relationships. Cybersecurity and risk teams need to develop and implement cohesive, informed plans that get everyone on the same page in the face of new and growing threats.

In this post, I examine the top third-party cyber risks to watch for in 2024 and suggest a list of 7 priorities to address those risks.

Top Third-Party Cybersecurity Risks to Watch for in 2024

Based on third-party cyber incident trends over the last year, in 2024 we’ll see more of the following types of risks:

  • Software and service failures and supply chain breaches
  • Privileged and account-based attacks
  • Malware infections/spread
  • Unauthorized use/access
  • Denial of Service
  • Breaches and incidents at third- and fourth-level partners and vendors

However, I’d like to focus specifically on software supply chain risks, since that trend is increasing most significantly.

The software supply chain encompasses every step involved in creating and delivering software, from the initial idea to the finished product in the hands of its end users. It can be divided into three main sections:

  • Development: The steps taken to create a piece of software, including design, coding, testing, and bug fixes.
  • Distribution: The process of getting the software to its end users, including packaging, marketing, and delivery.
  • Consumption: Installation and use of the software once it has been delivered.

MOVEit is a classic example of a software supply chain breach. In May 2023, a ransomware gang called Cl0p began exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer enterprise file transfer solution. Since then, more than 2,000 organizations have reported being attacked, and Progress Software has issued numerous patches.

Top 7 Third-Party Cyber Risk Management Priorities of 2024

In 2024, security teams must prioritize third-party cyber risk management to get ahead of potential software supply chain attacks. Here are seven places to start:

  1. Conduct a thorough review of procurement team processes for better third-party governance. Seek to answer questions such as:
    • How is vendor review initiated?
    • How are contract terms defined and reviewed?
    • What recourse do you have if a vendor product leads to a breach or vulnerability?
    • How often are vendor reviews performed after the contract?
    • How are third-party reviews documented?
  2. Prioritize risk reviews. Third-party risk reviews should start by defining the controls with which the third party needs to demonstrate compliance. Next, determine the frequency of security reviews. Finally, define a remediation and arbitration process to handle third-party risks.
  3. Leverage risk rankings. Use third-party risk solutions that offer supplier risk ratings or rankings relative to other organizations in the industry. Monitoring the overall risk ratings of third parties provides information on industry perceptions of their security posture.
  4. Improve third-party breach communications. Reach out to the impacted vendor and determine your potential exposure and any contractual service level agreements (SLAs).
  5. Isolate access and systems if a breach occurs. Leverage local host restrictions, network access controls, privilege restrictions, and account removal/locks.
  6. Remediate risks. While controlling the “blast radius” of a third-party breach, identify and classify the impacted data and investigate compliance impacts.
  7. Continuously monitor for third-party breaches. Monitor internal behaviors from software/platforms affected, access to/from vendors and other parties, and reputation and threat intelligence services to determine the impact to your organization.

Third-Party Cybersecurity: Emerging Trends and What to Do in 2024

In this webinar, Dave Shackleford, CEO at Voodoo Security and SANS Senior Instructor, shares his insights on the most important steps to prepare your third-party cybersecurity program in 2024.

Third-Party Risk Management: Where to Start in 2024

When talking to cybersecurity and risk management teams, it’s clear that we need some prioritization to get TPRM underway in 2024, but many decision-makers are unclear on where to start and what to prioritize.

To understand the most important TPRM priorities of 2024, check out the webinar I recorded with Prevalent.

This webinar delivers insights and a roadmap to help you prioritize cybersecurity in your third-party risk management program in 2024. It’s a fast-moving and rapidly changing landscape, but there are some core lessons we’ve learned in the past few years, and some great steps you can take right now to help move third-party risk management in the right direction in 2024 and beyond.

For more on how Prevalent can help you design and implement an agile and comprehensive third-party risk management program in 2024, request a demonstration today.

Dave Shackleford
Owner & Principal Consultant, Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.
