Managing Third Party and Insider Threats: Building Security Resilience
By James Rees, MD, Razorthorn Security
In an era of interconnected services and external partnerships, two critical security challenges loom large: third party risk and insider threats. Recent events highlight these concerns – from the massive breach of Social Security numbers through a service provider to the CrowdStrike incident that grounded major airlines, causing hundreds of millions in damages. As I discussed in a recent episode of the Razorwire podcast (with guests Iain Pye and Chris Dawson), these incidents remind us that often the greatest security risks don’t come from external hackers, but from trusted partners and employees.
As organisations embrace software as a service (SaaS) and an expanding ecosystem of digital services, they face a complex web of security dependencies. Each partnership, while bringing efficiency and innovation, also introduces new vulnerabilities. Similarly, as businesses embrace remote work and digital transformation, the traditional boundaries of trust and security are being redefined, making insider threats more sophisticated and harder to detect.
Understanding Third Party Risk and Its Challenges
The landscape of third party risks has grown increasingly complex due to the interconnected nature of business. Direct service provider breaches represent the most immediate threat, where trusted vendors suffer security incidents that directly impact their clients’ operations. The CrowdStrike incident in July ’24 serves as a stark reminder of how a single service provider’s compromise can cascade through multiple organisations, leading to substantial operational disruptions and financial losses.
Supply chain compromises present an equally concerning challenge, targeting the intricate network of suppliers and service providers that modern organisations rely upon. Perhaps most troubling is fourth party risk – the suppliers of our suppliers. These relationships often remain invisible to organisations until a security incident brings them to light, as demonstrated when cloud service providers experience outages affecting countless downstream organisations.
Organisations face several fundamental challenges when managing these risks. Limited visibility into supplier security practices remains a pressing concern, even when organisations maintain robust internal security measures. The complexity of conducting thorough security audits presents another significant hurdle, with many organisations constrained by contractual limitations that restrict their ability to perform detailed assessments.
Contract limitations and vendor lock-in further complicate matters, as organisations often discover too late that their service agreements provide inadequate protections or make it prohibitively expensive to switch providers when security concerns arise. This creates a particularly challenging situation where organisations must balance operational necessity against security risks they may have limited ability to mitigate.
The Cost-Security Balance
Despite the inherent issues with using third parties, they offer compelling advantages that are difficult to ignore. Cost savings stand as perhaps the most immediately apparent benefit, as organisations can leverage shared infrastructure and expertise without substantial capital investments. This financial efficiency extends beyond mere infrastructure costs to include reduced staffing requirements and decreased operational overhead.
However, the security implications that come with these benefits are significant. The loss of direct control over data and critical systems represents a fundamental challenge, as organisations inevitably surrender some degree of control over how their data is handled and protected. The increased attack surface resulting from third party relationships presents another serious concern, as each new service provider potentially introduces additional points of vulnerability.
Dependencies on external security practices introduce further complications. Organisations must rely on their service providers to maintain adequate security measures, yet they often have limited ability to verify or influence these practices. Data sovereignty issues add another layer of complexity, particularly when dealing with international service providers or operating across multiple regulatory frameworks.
Insider Threats: Categories and Scenarios
The landscape of insider threats has evolved significantly, presenting organisations with a complex array of challenges. Accidental or negligent insiders represent perhaps the most common, yet often overlooked, category. These individuals typically have no malicious intent but may inadvertently compromise security through carelessness, lack of training or simple human error.
Disgruntled employees present a more deliberate threat to organisational security. Their intimate knowledge of systems and processes makes them particularly dangerous, as they can exploit their access to cause significant damage or disruption. As I mentioned in the podcast, there have been several cases that I’m aware of where IT directors or staff, upon learning of their impending departure, deliberately locked critical systems or exfiltrated sensitive data.
State sponsored threats have emerged as a particularly concerning category, especially for organisations dealing with sensitive intellectual property or critical infrastructure. These sophisticated operators may spend years establishing themselves within target organisations, often appearing as legitimate employees while secretly gathering intelligence.
Common scenarios include data theft before departure, with employees copying sensitive information or intellectual property before leaving an organisation. Access broker opportunities represent a particularly dangerous trend, where disgruntled employees sell their credentials to criminal organisations. The rise of cloud storage and personal devices has made these threats increasingly difficult to detect and prevent.
Detection and Prevention Strategies
Modern security requires an integrated approach that combines technological solutions with human-centric strategies. For third party risk management, regular security assessments form the foundation of any robust programme. These assessments must be thorough and ongoing, rather than tick-box exercises conducted only at the beginning of a relationship. Organisations should evaluate not only technical security controls but also the vendor’s financial stability and overall security culture.
Right to audit clauses have become increasingly crucial in vendor contracts, though their mere inclusion is insufficient. These clauses must be carefully worded to ensure they provide meaningful audit rights and can be practically exercised. Contracts should include provisions for both scheduled and incident-triggered audits, along with clear procedures for addressing identified security concerns.
Vendor diversity represents a critical strategy for reducing dependency and managing risk. When we discussed this topic on the podcast, both Chris and Iain emphasised the importance of maintaining multiple cloud provider relationships in order to be more resilient to service outages. This approach, while potentially more complex to manage, provides essential resilience against single point failures.
For insider threat mitigation, behaviour monitoring systems have evolved significantly, now incorporating advanced analytics and artificial intelligence. These systems must balance security requirements against privacy concerns, focusing on identifying genuine risk indicators while minimising false positives that could damage employee trust.
Regular background checks throughout the employment lifecycle have become increasingly important, though their implementation requires careful consideration. Annual criminal record checks and ongoing vetting procedures can help identify potential risks, although it’s important to be transparent and fair in these processes.
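One way to make the "genuine risk indicators while minimising false positives" point concrete, for the data-theft-before-departure scenario described above, is to score each user's data-moving activity against that user's own history rather than against a single global threshold. The script below is an added example written for this article; it is not code from Razorthorn or the podcast. The audit-log lines, user names, action names and the HR notice-period window are all constructed for illustration, and the thresholds (`k`, `ratio`, `abs_min_bytes`) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed audit-log sample: "<date> <user> <action> <bytes>". Not real data.
SAMPLE_LOG = """\
2024-09-02 alice download 100000
2024-09-03 alice download 120000
2024-09-04 alice download 90000
2024-09-05 alice download 110000
2024-09-06 alice download 105000
2024-09-09 alice view 500000
2024-09-09 alice download 2800000
2024-09-09 alice usb_copy 2000000
2024-09-02 bob download 20000
2024-09-03 bob download 25000
2024-09-04 bob download 22000
2024-09-05 bob download 18000
2024-09-06 bob download 21000
2024-09-09 bob download 60000
2024-09-02 carol download 3000000
2024-09-03 carol download 3200000
2024-09-04 carol download 2900000
2024-09-05 carol download 3100000
2024-09-06 carol download 3050000
2024-09-09 carol download 3300000
"""

# Constructed HR feed (assumed): users in a notice period and the window during
# which departure-related activity deserves extra scrutiny.
NOTICE_PERIODS = {"alice": (date(2024, 9, 8), date(2024, 10, 8))}

# Actions that move data out of the managed environment; "view" is ignored.
EXFIL_ACTIONS = {"download", "usb_copy"}


def parse_log(text):
    """Parse the whitespace-separated sample format into (day, user, action, nbytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, nbytes = line.split()
        events.append((date.fromisoformat(day), user, action, int(nbytes)))
    return events


def daily_exfil_totals(events):
    """Sum bytes per user per day, counting only data-moving actions."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, action, nbytes in events:
        if action in EXFIL_ACTIONS:
            totals[user][day] += nbytes
    return {user: sorted(days.items()) for user, days in totals.items()}


def in_notice_period(user, day, notice_periods):
    """True if the user is inside their HR notice window on that day."""
    window = notice_periods.get(user)
    return window is not None and window[0] <= day <= window[1]


def detect_anomalies(events, notice_periods, min_history=3, k=3.0, ratio=2.0,
                     abs_min_bytes=1_000_000):
    """Flag days whose outbound volume is anomalous against the user's OWN history.

    A day is flagged only if all of the following hold:
      * at least `min_history` earlier days exist for the user (no baseline, no alert),
      * the day exceeds max(mean + k*stdev, ratio*mean) of those earlier days, and
      * the day exceeds `abs_min_bytes`, so small relative spikes from low-volume
        users do not generate noise.
    Severity is raised when the user is within a notice period.
    """
    alerts = []
    for user, series in daily_exfil_totals(events).items():
        for idx, (day, total) in enumerate(series):
            history = [b for _, b in series[:idx]]
            if len(history) < min_history:
                continue
            mu = mean(history)
            threshold = max(mu + k * pstdev(history), ratio * mu)
            if total > threshold and total >= abs_min_bytes:
                alerts.append({
                    "user": user,
                    "day": day,
                    "total_bytes": total,
                    "baseline_mean": round(mu),
                    "severity": "high" if in_notice_period(user, day, notice_periods) else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), NOTICE_PERIODS):
        print(alert)
```

On the constructed data only alice is flagged: her 4.8 MB on 9 September is far above her ~105 KB daily baseline and falls inside her notice window, so the alert is rated high. bob's 60 KB day is roughly triple his baseline but stays under the absolute floor, and carol's 3.3 MB is ordinary for her, so neither produces an alert. That per-user baseline plus an absolute floor is what keeps a monitoring programme from generating the stream of low-value alerts that erodes employee trust.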
Future Trends and Solutions
AI powered threats currently represent perhaps the most significant concern. AI generated impersonation attacks, for example, are becoming increasingly sophisticated. We discussed a case on the podcast where a malicious actor used AI for a job interview and was subsequently hired. The threat was only detected when malware was later discovered being loaded onto their MacBook.
Remote work complications have fundamentally altered the security paradigm, creating new vulnerabilities that organisations must address. The traditional security perimeter has effectively dissolved, requiring organisations to rethink their approach to access control and data protection. This shift has made it increasingly difficult to monitor employee behaviour and protect sensitive information.
State sponsored threats continue to grow in sophistication and frequency, targeting not only government organisations but also private sector companies with valuable intellectual property. Certain nation states play very long games, sometimes placing operatives in organisations years before activating them for specific missions.
Conclusion
The intertwined nature of third party risk and insider threats represents one of the most significant challenges in modern cybersecurity. As organisations continue to rely more heavily on external services and partnerships, the traditional boundaries between internal and external security threats have become increasingly blurred.
The balance between trust and verification emerges as a critical consideration in managing both third party and insider risks. This balance becomes particularly delicate when dealing with trusted employees and long term service providers, where excessive security measures might damage productive relationships, yet insufficient controls could leave the organisation vulnerable.
The importance of continuous monitoring cannot be overstated in today’s dynamic threat landscape. As demonstrated by recent high profile incidents, organisations can no longer rely on point-in-time assessments or periodic reviews. Instead, they must implement comprehensive, ongoing monitoring programmes that can detect and respond to emerging threats in real time. If this is something required by your organisation, take a look at Razor’s Edge – Razorthorn’s own continuous monitoring and testing platform.
Looking forward, organisations must focus on building resilience rather than simply attempting to prevent all possible security incidents. The evolution of security challenges will continue, driven by technological advancement and changing business practices. Successful organisations will be those that can adapt their security strategies while maintaining operational efficiency. This requires a delicate balance between implementing robust security controls and maintaining the flexibility needed to operate effectively in today’s dynamic business environment.
Get in touch to discover how Razorthorn can help your organisation with third party security.