How third- and fourth-party vendor-provided plug-ins can be a weak spot for security
One expert reported seeing more attackers going after third parties for data.
Where does the cybersecurity buck stop? Some experts point to third- or even fourth-party vendor plug-ins as a possible culprit for gaps in organizational security.
Those seeking to eliminate vulnerabilities in their cybersecurity infrastructure may want to seek assurance that the plug-ins provided by outside vendors are mitigating risk appropriately. This includes “fourth-party” vendors that provide data and tools used by subcontractors and others.
Erik Bloch, VP of security at Illumio, told IT Brew that “everybody’s leveraging third parties today” for critical data, but not everyone has visibility into what those vendors are doing.
“We’re seeing more and more of this where [attackers are] going after third parties,” Bloch said. “They don’t have to go after you if they know your data is stored somewhere else, right?”
How many parties? Third parties brought in by enterprises are common enough, but fourth-party vendors are another consideration for cybersecurity pros. While an enterprise may talk directly to a third-party vendor, they may never cross paths with a fourth-party vendor working in some capacity for the latter.
Trouble with plug-ins. Experts like Brian Soby, CTO and co-founder of AppOmni, point to added visibility into third-party plug-ins as a key to mitigating risk.
“There’s not a lot of good visibility into the plug-in, in the supply-chain problem,” Soby said. “It’s because a lot of these applications, it’s really hard to pull something out when it has 50 integrations… The vendors know that if you have some SaaS vendors plugged in everywhere and everything’s relying on it, you can never rip it out.”
This is especially true as people leave companies and divisions are reshuffled with new teams and personnel—software will be integrated and subsequently forgotten about.
“When you talk to your procurement team or your legal team, which is normally where your vendor security people tap into, they say, ‘Hey, what vendors are we using? Who do we have on contract?’” Soby said. “It does not account for all these random connections and plug-ins that your end users or your business units have done.”
What to do. There’s no way to sidestep the basic blocking and tackling that comes with risk management for plug-ins and other software, Marcin Weryk, head of Northeast and Central regions for Coalition’s cyber underwriting teams, told IT Brew.
Weryk said having a regular, routine review of third-party risk management is still key.
To ensure that a third-party vendor is doing all it can to secure its systems, Weryk suggested obtaining some form of written document detailing the vendor’s risk management process, along with annual reviews of contracts. Automating the collection of this information could be one solution.
About the author
Caroline Nihill
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.