Tutorial from our expert CISO – Subcontractors as a 2.5 party cybersecurity risk and how to manage them

Subcontractors as a 2.5 party cybersecurity risk and how to manage them

Content of This Tutorial

1. What is 2.5 party cybersecurity risk?

2. How Does 2.5 Party Risk Differ from Third Party Risk?

3. Some known breaches

4. How to manage 2.5 party cybersecurity risk?

5. What are mitigation strategies?

6. Real-life examples of how organizations manage 2.5 party risk

Cybersecurity risk management is a crucial process for any organization that relies on information systems and data to carry out its business functions. However, not all cybersecurity risks originate from within the organization or from hackers. Sometimes, the risks come from the parties that the organization works with, such as vendors and their subcontractors. These parties can introduce vulnerabilities and threats to the organization’s network, systems, and data, either intentionally or unintentionally. 

In this post, we will explore the concept of 2.5 party cybersecurity risk, how it differs from third party cybersecurity risk, and what are some real world examples. We will also discuss how to manage 2.5 party cybersecurity risk and what are some mitigation strategies.

Often, the weakest link in the security chain is a 2.5 or third party, such as a vendor, supplier, or service provider. Third-party cybersecurity risks are well-known and widely discussed. However, there is another type of risk that is less understood and more difficult to manage – the 2.5 party risk.

  1. What is 2.5 party cybersecurity risk?

A 2.5 party risk is one that arises from a contractor’s subcontractor that is not directly employed by the organization. Unlike a third party, a 2.5 party does not have a formal contractual relationship with the organization, and may not be subject to the same security policies, standards, or controls. A 2.5 party may also have access to multiple organizations’ data and systems, increasing the potential for data leakage, or malicious insider activity.

For example, a 2.5 party cybersecurity risk could occur when an organization or its contractor hires a freelance developer to work on a project that involves sensitive data. The developer may use his own laptop, software, and network connection, which may not be secure or compliant with the organization’s requirements. The developer may also work for other clients, some of whom may be competitors or adversaries of the organization. The developer could inadvertently or intentionally compromise the organization’s data or systems, either by negligence, error, or malice. This could cause serious harm and financial loss to the organization.

In essence, 2.5 party cybersecurity risk is a term that describes the cybersecurity risk that arises from subcontractors who have access to the organization’s network, systems, and data, but are not fully integrated or controlled by the organization. 

  1. How Does 2.5 Party Risk Differ from Third Party Risk?

Let’s start from what is well known. Third party cybersecurity risk is one that arises from direct vendors who provide products or services to the organization, such as cloud providers, software vendors, or hardware suppliers. Vendors are typically subject to strict contractual agreements and SLAs that define security requirements and responsibilities. 

The main difference between 2.5 party and third party cybersecurity risk is the degree of access and integration that the parties have with the organization’s network, systems, and data. 

Vendors’ contractors have indirect and temporary access to the organization’s resources, but they are not fully integrated or controlled by the organization. 

On the other hand, vendors have direct and permanent access to the organization’s data, but they are fully integrated and controlled by contractual agreements and SLAs.

  1. Some known breaches

There have been several real world examples of 2.5 party cybersecurity risks that resulted in data breaches from subcontractors. 

Probably you have already heard of these cases. But, did you know that all are caused by 2.5 parties?

– In January 2023, Mailchimp, a platform for email marketing and newsletters, detected an unauthorized user within their infrastructure. The intruder had previously targeted Mailchimp employees and managed to gain their account credentials through social engineering techniques. The intruder used the compromised credentials to access data on 133 Mailchimp accounts.

– In May 2022, Cisco, a digital communications company, became aware of an attacker within their network. The attacker conducted a series of voice phishing attacks to access a Cisco employee’s Google account. The attacker used the employee’s credentials to access Cisco’s internal systems and tried to increase their level of access.

– In 2021, a contractor working for T-Mobile accessed the personal information of 54 million customers from an internal database. The information included names, addresses, phone numbers, social security numbers, driver’s license numbers, etc.

– In December 2020, SolarWinds, a software company that provides network management tools, disclosed a massive cyberattack that compromised its Orion software. The attackers inserted a backdoor into the software updates that were distributed to thousands of SolarWinds customers, including government agencies and private companies. The attackers used the backdoor to access the customers’ networks and steal sensitive data.

– In November 2020, Target, a retail giant, revealed that it had been hit by a data breach that exposed the personal and financial information of 70 million customers. The breach was traced back to a third-party vendor that provided heating and air conditioning services to Target. The vendor’s network was compromised by malware that stole the vendor’s credentials to access Target’s network. The attackers used the credentials to install malware on Target’s point-of-sale systems and capture the customers’ data.

– In July 2020, Twitter, a social media platform, suffered a major security breach that affected 130 high-profile accounts, including those of celebrities, politicians, and businesses. The attackers gained access to Twitter’s internal systems and tools by contacting Twitter employees and convincing them to provide their credentials or access codes. The attackers used the access to post fraudulent messages on the compromised accounts, asking followers to send bitcoin to a specific address.

– Also in 2020, a contractor working for Marriott International accessed the personal information of 5.2 million guests from an internal application. The information included names, addresses, phone numbers, loyalty account numbers, dates of birth, etc .

– In 2019, a contractor working for Capital One hacked into the bank’s AWS server and stole the personal information of 106 million customers from the US and Canada. The information included names, addresses, phone numbers, social security numbers, credit scores, etc .

– In 2018, a contractor working for SunTrust Bank stole the personal information of 1.5 million customers from an internal company platform. The information included names, addresses, phone numbers, account balances, etc .

– In 2017, a contractor working for Booz Allen Hamilton left classified information from the National Security Agency (NSA) on an unsecured Amazon Web Services (AWS) server. The information included passwords to access US government systems and sensitive details about NSA operations.

  1. How to manage 2.5 party cybersecurity risk?

Managing 2.5 party cybersecurity risk is challenging because it involves a high degree of trust and transparency between the organization and the chain of subcontractors. However, there are some steps that can help mitigate this type of risk:

– Specify what data and systems the subcontractors can access, how they can access them, and what they can do with them.

– Conduct due diligence on the subcontractors’ backgrounds, qualifications, reputations, and references. Verify their identity and credentials, and check for any red flags or conflicts of interest.

– Establish a clear communication channel and feedback mechanism. Monitor their progress and performance regularly, and provide guidance and support as needed.

– Implement security controls and best practices on both ends. Ensure that the subcontractors use secure devices, software, and network connections, and follow the organization’s security policies and standards. Encrypt data in transit and at rest, and use strong authentication and authorization methods.

– Limit the access and privileges of subcontractors to the minimum necessary. Grant access only to the data and systems that are relevant to the work, and revoke access when the work is completed or terminated.

– Audit and review their work periodically. Check for any anomalies, errors, or breaches in the data or systems that subcontractors accessed or modified.

– Document and report any incidents or issues that arise during or after the work. Investigate the root cause and impact of any security incidents, and take corrective actions as appropriate.

  1. What are mitigation strategies?

Some efficient mitigation strategies for 2.5 party cybersecurity risk are:

– Request your vendors to use trusted platforms or intermediaries to find and hire their subcontractors. These platforms can provide vetting, verification, rating, and escrow services for all parties.

– Use secure collaboration tools and cloud services to share data. These tools can provide encryption, access control, logging, backup, and recovery features.

– Use cyber insurance to cover potential losses or liabilities from cybersecurity incidents involving all parties. Cyber insurance can provide financial compensation for direct and indirect costs of a breach, such as data recovery, legal fees, fines, reputation damage, etc.

– Update and upgrade software – request all subcontractors to apply all software updates as soon as they are available, or use automated update services that are delivered through protected links. This can prevent cybercriminals from exploiting known vulnerabilities.

– Limit and control account access – Subcontractors should only have the minimum level of access they need to perform tasks. The organization should have documented procedures for securely resetting credentials or use a privileged access management tool to automate credential management. Ensure you have on/offboarding procedures aligned with a zero-trust approach.

– Enforce signed software execution policies – Subcontractors should only use software that is signed by a trusted source. This can run malicious or unauthorized software on the organization’s network or devices.

– Formalize a disaster recovery plan – Subcontractors should also be included in the DRP, which should address data protection, data restoration, offsite backups, system reconstitution, configurations and logs.

– Actively manage systems and configurations – Automate regular scan and inventory of their devices and software, and request removal of any unnecessary or unexpected hardware and software. Request subcontractors to follow the organization’s security policies and standards for configuring their devices and software, and to report any changes or incidents to the organization.

– Streamline upfront due diligence: The organization should perform a thorough assessment of security capabilities and controls before engaging the chain of subcontractors. The organization should focus on the critical risks that the contractor may pose to the organization’s network, systems, and data, and establish clear expectations and requirements for the contractor’s security performance.

– Establish business-driven methods for ongoing risk management analysis – The organization should have a risk management framework that identifies, assesses, prioritizes, and mitigates the cybersecurity risks that subcontractors may introduce to the organization. The organization should also communicate and collaborate with them on the risk management process, and review and update the risk profile and mitigation strategies regularly.

  1. Real-life examples of how organizations manage 2.5 party risk

– Microsoft uses a risk management framework that identifies, assesses, prioritizes, and mitigates the cybersecurity risks that contractors may introduce to the organization. Microsoft also communicates and collaborates with the contractors on the risk management process, and reviews and updates the risk profile and mitigation strategies regularly.

– JPMorgan Chase regularly scans and inventory network connected devices and software, and removes any unnecessary or unexpected hardware and software from the network. JPMorgan Chase also follows its security policies and standards for configuring its devices and software, and reports any changes or incidents to the organization.

– Amazon performs a thorough assessment of the contractor’s security capabilities and controls before engaging them. Amazon also focuses on the critical risks that the contractor may pose to the organization’s network, systems, and data, and establishes clear expectations and requirements for the contractor’s security performance.

– Netflix limits and controls the account access and privileges that contractors have to perform their tasks or projects. Netflix also has documented procedures for securely resetting credentials or uses a privileged access management tool to automate credential management. Netflix also updates its onboarding and offboarding procedures to align with a zero-trust approach.

– Apple enforces signed software execution policies that require contractors to only use software that is signed by a trusted source and verified by the organization’s operating system. This prevents contractors from running malicious or unauthorized software on the organization’s network or devices.

– A global financial services company implemented a third-party risk management framework that included all subcontractors and vendors. The company used a standardized questionnaire to assess the security posture of subcontractors based on their level of access to sensitive data or systems. The company also required them to undergo security awareness training and sign confidentiality agreements.

– A large healthcare provider developed a subcontractor management policy that defined roles and responsibilities for hiring, managing, and their termination. The policy also specified security requirements such as background checks, encryption of devices and data, use of secure VPN connections, compliance with HIPAA regulations, etc.

– A multinational technology company created a subcontractor portal that provided them with access to relevant information and resources. The portal also enabled them to request access to data or systems based on their project needs. The company used automated workflows to approve or deny access requests based on predefined criteria.

At the end – should you need more details on this hot topic, attend our Conference and contact us directly to provide you with more insights and personalized advice.

Share this post
Next IT Security Team
Next IT Security Team
Articles: 66

Nordics Edition

C-Level IT Security Event

BeNeLux Edition

C-Level IT Security Event

DACH Edition

C-Level IT Security Event