Fourth-Party Risks

🔐 Fourth-Party Risks: The blind spot in third-party vendor security

As organizations, we’ve made real progress in managing third-party risk: vetting vendors, signing DPAs, and running due diligence checks. But there’s a quieter, deeper layer we often overlook: fourth-party risk.

💥 This is the exposure we inherit from our vendors’ vendors: the cloud providers, subcontractors, sub-processors and open-source dependencies woven into our digital supply chains, none of which we selected or contracted with.

🤔 Why fourth-party risk continues to be a source of concern for us:

  • 🧱 We have limited visibility into who our vendors rely on.
  • 📉 Their security posture impacts us, even when we have no contract with them and no right to audit them.
  • 🔗 We’re accountable for compliance failures tied to someone two degrees removed.
  • 🛑 An outage or breach downstream can take us down, too.

🎯 One notable example? The July 2021 Kaseya VSA ransomware attack. REvil exploited vulnerabilities in the VSA remote-management product used by managed service providers, and the ransomware was pushed down to those MSPs’ customers: roughly 1,500 businesses, by Kaseya’s own estimate, many of which had no idea their IT provider depended on Kaseya at all.

🛠 So what are we doing, and what should we be doing, as security leaders?

  • 🏗️ Asking vendors to share who they rely on (think: published sub-processor lists, and SBOMs for the software they ship so we can see the components two or more hops down).
  • 📃 Including fourth-party controls in contracts and SLAs.
  • 📊 Using tools to monitor not just vendors, but their ecosystems.
  • 🕵🏽‍♂️ Practicing zero trust, assuming any link in the chain can fail, and rehearsing our response to an outage or breach we can neither see coming nor control.
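The SBOM point above is the one place on this page where the blind spot can be made concrete. The following is an added example, not code from the original post: it walks the `dependencies` graph of a CycloneDX SBOM that a vendor hands us, assigns each component a depth (1 = the vendor’s direct dependencies, 2+ = their dependencies’ dependencies), and groups everything whose supplier is not the vendor itself, i.e. the parties we have no contract with. The SBOM embedded here is constructed sample data with hypothetical component and supplier names, not a real vendor’s SBOM.

```python
"""Surface fourth-party suppliers from a CycloneDX SBOM's dependency graph.

Added example; the SBOM below is constructed sample data, not a real vendor's.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5-style SBOM. "vendor-app" is the product our third-party
# vendor ("Acme Vendor") ships to us; everything else is what it pulls in.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "vendor-app", "name": "vendor-app",
                               "version": "5.1.0", "supplier": {"name": "Acme Vendor"}}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "1.2.0", "supplier": {"name": "Acme Vendor"}},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "3.0.1", "supplier": {"name": "Beta Software"}},
        {"bom-ref": "lib-c", "name": "lib-c", "version": "0.9.4", "supplier": {"name": "Gamma OSS Project"}},
        {"bom-ref": "lib-d", "name": "lib-d", "version": "2.2.0", "supplier": {"name": "Delta Cloud"}},
        # Declared, but never referenced in the dependency graph (a coverage gap).
        {"bom-ref": "lib-e", "name": "lib-e", "version": "0.1.0", "supplier": {"name": "Epsilon Ltd"}},
    ],
    "dependencies": [
        {"ref": "vendor-app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": ["lib-c", "lib-d"]},
        {"ref": "lib-c", "dependsOn": []},
        {"ref": "lib-d", "dependsOn": []},
    ],
})


def load_graph(sbom_json):
    """Return (root_ref, components keyed by bom-ref, adjacency list) from CycloneDX JSON."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    adjacency = {entry["ref"]: list(entry.get("dependsOn", []))
                 for entry in bom.get("dependencies", [])}
    return root["bom-ref"], components, adjacency


def dependency_depths(root_ref, adjacency):
    """Breadth-first walk from the root: depth 1 = vendor's direct deps, 2+ = transitive."""
    depths = {root_ref: 0}
    queue = deque([root_ref])
    while queue:
        ref = queue.popleft()
        for child in adjacency.get(ref, []):
            if child not in depths:          # keep the shortest path to each component
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def supplier_name(component):
    return component.get("supplier", {}).get("name", "<unknown supplier>")


def fourth_party_report(sbom_json):
    """Map each supplier other than the vendor itself to its reachable components.

    Returns {supplier: [(bom-ref, version, depth), ...]}. Components the vendor
    authored are skipped: that is the third party we already have a contract with.
    Dependency refs with no matching component entry are reported under "<undeclared>".
    """
    root_ref, components, adjacency = load_graph(sbom_json)
    vendor = supplier_name(components[root_ref])
    report = {}
    for ref, depth in dependency_depths(root_ref, adjacency).items():
        if ref == root_ref:
            continue
        comp = components.get(ref)
        if comp is None:
            report.setdefault("<undeclared>", []).append((ref, "?", depth))
            continue
        supplier = supplier_name(comp)
        if supplier != vendor:
            report.setdefault(supplier, []).append((ref, comp.get("version", "?"), depth))
    for entries in report.values():
        entries.sort(key=lambda e: (e[2], e[0]))
    return report


def sbom_coverage_gaps(sbom_json):
    """Components declared in the SBOM but unreachable from the root.

    The vendor lists them, yet gives no dependency edge, so where they sit in the
    chain (and whether they are even shipped) cannot be determined from the SBOM.
    """
    root_ref, components, adjacency = load_graph(sbom_json)
    reachable = dependency_depths(root_ref, adjacency)
    return sorted(ref for ref in components if ref not in reachable)


if __name__ == "__main__":
    for supplier, entries in sorted(fourth_party_report(SAMPLE_SBOM).items()):
        print(f"{supplier}:")
        for ref, version, depth in entries:
            print(f"  {ref} {version} (depth {depth})")
    print("unplaced components:", sbom_coverage_gaps(SAMPLE_SBOM))
```

Two practical notes. First, the coverage check matters as much as the report: an SBOM that lists components but omits (or only partially fills) the `dependencies` array cannot tell you which supplier sits at which hop, and that is a question to push back to the vendor rather than silently accept. Second, the supplier field is optional in CycloneDX and often missing; when a real SBOM leaves it blank, the `<unknown supplier>` bucket is itself a finding.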


🔎 Supply chain trust is no longer linear; it's layered, and it’s inherited. If we don't go beyond third-party risk, we're not seeing the full map. ⛓️
