Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its environment, works with other organizations that do not do such a good job and those organizations (third-parties or nth-parties), through their weaker security practices, put the first party’s network and data at risk.
This past week we learned that the North Koreans stole the United States’ war plans for battle with North Korea. How did they do this? By cyber attack — not on the United States, which likely had the plans fairly well secured — but by cyberattack against the United States’ “partner” in this endeavor, the South Koreans, with whom the US had shared its plans. Read more about the attack here: ‘Ridiculous Mistake’ Let North Korea Steal Secret U.S. War Plans
This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about it’s HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity