Light Dark
October 31, 2022 By Kawther Haciane 3 min read
Risk Management
Security Services

Third-party risks are widespread in the supply chain and can cause substantial damage. Loss of revenue and sensitive information, operational downtime, legal complications, compliance issues and damaged reputations can all arise from a single breach.

If your company lacks a reliable third-party risk management plan, it’s almost impossible to bring in vendors without exposure to risks from cyber threats. This article will explore ways to effectively manage third-party risks so you can confidently bring vendors on board.

First, let’s look at the case of a significant supply chain attack.

Data exposure and vendor risks: A cautionary tale

A perfect example of a significant supply chain attack is the recent Okta breach.

In this case, a hacking group known as Lapsus$ carried out a supply chain attack that targeted Okta’s customers instead of Okta itself. The threat actors had access to a Sitel support engineer with entry into Okta’s resources and actively used that to control a single workstation.

The Okta breach exposed several financial institutions to attacks, including Western Union, Ally and Amalgamated Bank. The breach demonstrates what happens when organizations depend on third-party solution providers without a proper third-party risk management program.

Unfortunately, third-party service providers may be lax in implementing robust cybersecurity frameworks, controls and strategies. Therefore, organizations should explore a third-party risk management program that can assess vendors in the supply chain, communicate about threats and respond quickly to security incidents to minimize supply chain risks.

Why is third-party risk management important?

Now that you’ve seen how much third-party risks can affect your business, let’s explore why managing them is essential.

First, third-party risk management is key to a company’s security. It protects the company from the risks of working with third-party vendors. Failure to assess your business’s supply chain exposes your organization to potential data breaches and supply chain attacks.

Unfortunately, supply chain attacks can financially devastate your business. In fact, according to the 2022 Cost of a Data Breach report by IBM, the average cost of a data breach was $4.35 million globally. But with finely tuned remedies for supply chain attacks, you can drive down these costs while keeping your organization protected.

How do you manage third-party risks in the supply chain?

Third-party vendors pose significant risks to organizations. But what can be done to minimize that risk? Suppose you want to create an effective strategy for improving supply chain security in your organization. In that case, the best starting point is understanding your company’s relationship with your third-party vendors.

The approach will vary depending on each company’s available resources, but there are a few points you can consider to address supply chain risks. These include:

  • Educating your company’s stakeholders about your supply chain process
  • Ensuring you have a reliable method for handling third-party risks
  • Defining your company’s third-party risk tolerance
  • Creating a system for continually assessing and monitoring third-party risks
  • Closely tracking people who have access to crucial data in your company
  • Understanding the most vital assets in your company and identifying their location
  • Ensuring that vendor contracts include cybersecurity requirements
  • Periodically testing an incident response plan.

In summary

While companies can implement a wide range of strategies to manage third-party risks, there’s no guarantee of safety from breaches. Therefore, it’s important to stay vigilant, as third-party risks are now at the forefront of organizational threats.

In addition, your company can source support from the IBM Security team, which helps firms worldwide assess and analyze risks associated with third-party vendors and partners.

IBM Security’s third-party risk management services bring transparency to third-party security and operational activities, providing a scalable way of managing third-party risk and compliance.

Explore our risk management services or schedule a no-cost workshop today to learn more about third-party risk management for your company.

 |  |  |  |  |  | 
Kawther Haciane
Security Advisor and Associate Partner for Strategic Clients in the Middle East

More from Risk Management
January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

January 24, 2025

How cyberattacks on grocery stores could threaten food security

4 min read - Grocery store shoppers at many chains recently ran into an unwelcome surprise: empty shelves and delayed prescriptions. In early November, Ahold Delhaize USA was the victim of a cyberattack that significantly disrupted operations at more than 2,000 stores, including Hannaford, Food Lion and Stop and Shop. Specific details of the nature of the attack have not yet been publicly released.Because the attack affected many digital systems, some stores were not able to accept credit/debit cards, while others had to shut…

January 23, 2025

Taking the fight to the enemy: Cyber persistence strategy gains momentum

4 min read - The nature of cyber warfare has evolved rapidly over the last decade, forcing the world’s governments and industries to reimagine their cybersecurity strategies. While deterrence and reactive defenses once dominated the conversation, the emergence of cyber persistence — actively hunting down threats before they materialize — has become the new frontier. This shift, spearheaded by the United States and rapidly adopted by its allies, highlights the realization that defense alone is no longer enough to secure cyberspace.The momentum behind this…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature