Third-party risk (or nth-party risk) is a hot topic in cybersecurity. While it can mean many things, at its core third-party risk describes a situation in which an organization that does a good job of protecting its own network and data, within its own environment, works with other organizations that do not do such a good job. Those organizations (third parties or nth parties), through their weaker security practices, put the first party's network and data at risk.
This past week we learned that hackers had access, for almost a year, to the network of a relatively small company that is a contractor for the Australian Signals Directorate. The hackers were able to exfiltrate roughly 30GB of data, including data about sensitive United States military assets such as “restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels.” Read more about the attack here: Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130
This is a classic example of cybersecurity third-party risk and one every business should understand — just ask Target about its HVAC vendor, Fazio Mechanical. If you’re interested in learning more about these concepts, take a look at a recent checklist I created: Managing Third-Party Risk in Cybersecurity
For yesterday’s example of third-party risk see Third-Party Risk in Cybersecurity Exemplified by North Korea’s Stealing of US War Plans.