Risks stemming from third-party suppliers are at the top of the threat list for public sector organizations. According to a 2024 survey of chief information security officers (CISOs) across all 50 U.S. states and the District of Columbia, security breaches involving a third party are one of their most pressing concerns.
The survey highlights the need for public organizations to make strengthening third-party controls more of an imperative. This is especially important for public sector third-party supply chains, which are typically large with a complex web of dependencies.
Public sector organizations need to know the potential risks of each third party, as well as any changes in supplier risk throughout the lifecycle of the contract, so they can mitigate those risks before they impact critical services. This poses a significant challenge because suppliers operate outside the bounds of the organization, and threat actors regard third parties as softer and more lucrative targets than the organizations they serve.
Here we explore what the third-party risks are, why they’re on the rise and key questions public sector entities should ask vendors to help mitigate risk.
Cyber Attacks on Third-party Public Sector Supply Chains
- California Public Employees Retirement System: The personal information of 769,000 retirees and beneficiaries, held by what is the largest public pension fund in the U.S., was compromised by the MOVEit file-transfer program breach in 2022.
- U.S. Department of Homeland Security: A 2023 cyber attack on Johnson Controls International might have compromised sensitive physical information for U.S. government buildings, including automation services for HVAC, fire and security equipment.
- Multiple U.S. government agencies: From the Department of Defense to the Treasury Department—as well as tens of thousands of U.S. businesses and their customers—were negatively impacted by the 2020 attack on SolarWinds, which resulted in economic losses greater than $200 million.
- United Kingdom’s National Health Service: A ransomware attack inflicted losses of $125 million and resulted in the cancellation of 19,000 medical appointments in 2017, when attackers exploited a vulnerability in Microsoft Windows using the EternalBlue exploit.
More third-party exposure for the public sector than private sector
To protect their supply chains against third-party risks, public sector organizations must understand their risks, both internal and external. This can prove difficult given factors such as transparency laws that require government agencies to publicly publish vendor contracts and expenditures, which inadvertently provides a clear roadmap for potential threat actors.
Any significant data breach that’s occurred for data of New Hampshire residents at the state government level…has been with a third-party partner that helps us deliver those government services.
— Ken Weeks, CISO for the state of New Hampshire in Government Technology
One vulnerability that should not go unnoticed or unattended is fourth-party risk that comes about by way of third-party suppliers. This happens when third-party vendors rely on other companies for services, creating additional layers of risk. For each third-party vendor in the supply chain, public sector organizations typically have indirect relationships with 60-90 times that number of fourth parties.
In the U.S., an executive order was issued to address these concerns by requiring federal agencies to enhance cybersecurity and software supply chain security. A key component of the order is the software bill of materials (SBOM), a list of all the components that make up a piece of software, including licenses and third-party dependencies. With it, organizations can reduce their third- and fourth-party risks.
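The following is an added example, not code from this page or from Dataminr, showing how an SBOM makes fourth-party exposure visible. It assumes a CycloneDX 1.5-style JSON layout (a top-level "components" list plus a "dependencies" graph of "ref"/"dependsOn" entries) and uses a small constructed SBOM with made-up vendor and component names. Walking the dependency graph from the application separates direct (third-party) components from those reached only through another supplier (fourth-party), and lists declared licenses and any components whose supplier or license is missing.

```python
"""Inventory third- and fourth-party tiers from a CycloneDX-style SBOM."""
import json
from collections import deque

# Constructed sample SBOM (not a real product's bill of materials).
# Component and vendor names are placeholders invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "benefits-portal", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "ft", "name": "file-transfer-sdk", "version": "1.4.1",
         "supplier": {"name": "Vendor A (constructed)"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pdf", "name": "pdf-render", "version": "2.0.0",
         "supplier": {"name": "Vendor B (constructed)"},
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "zip", "name": "zip-core", "version": "0.9.3",
         "supplier": {"name": "Vendor C (constructed)"},
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "log", "name": "logkit", "version": "5.1.0",
         "supplier": {"name": "Vendor D (constructed)"},
         "licenses": []},
    ],
    # Each entry: the bom-ref and the bom-refs it depends on directly.
    "dependencies": [
        {"ref": "app", "dependsOn": ["ft", "pdf"]},
        {"ref": "ft", "dependsOn": ["zip", "log"]},
        {"ref": "pdf", "dependsOn": ["zip"]},
        {"ref": "zip", "dependsOn": ["log"]},
        {"ref": "log", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON into (root_ref, components-by-ref, adjacency dict)."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    for ref in components:          # components absent from the graph get an empty entry
        graph.setdefault(ref, [])
    return root, components, graph


def reachable(graph, start):
    """Breadth-first walk; every ref reachable from start, excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, []):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def tier_report(sbom_text):
    """Classify each component as third-party (direct dependency of the root)
    or fourth-party (pulled in only through a direct dependency), and record
    which direct suppliers carry it in, its supplier, and declared licenses."""
    root, components, graph = load_sbom(sbom_text)
    direct = list(graph.get(root, []))
    reach = {d: reachable(graph, d) for d in direct}   # precompute per direct dependency
    report = {}
    for ref, comp in components.items():
        via = sorted(components[d]["name"] for d in direct if d != ref and ref in reach[d])
        licenses = [lic["license"].get("id", lic["license"].get("name", "?"))
                    for lic in comp.get("licenses", [])]
        report[comp["name"]] = {
            "tier": "third-party" if ref in direct else "fourth-party",
            "via": via,
            "supplier": comp.get("supplier", {}).get("name", "unknown"),
            "licenses": licenses,
        }
    return report


def unresolved_components(sbom_text):
    """Components with no declared supplier or license: the gaps a reviewer
    would raise with the vendor before relying on the SBOM."""
    _, components, _ = load_sbom(sbom_text)
    gaps = {}
    for comp in components.values():
        missing = [field for field in ("supplier", "licenses") if not comp.get(field)]
        if missing:
            gaps[comp["name"]] = missing
    return gaps


if __name__ == "__main__":
    for name, info in tier_report(SAMPLE_SBOM).items():
        print(f"{name:18} {info['tier']:12} supplier={info['supplier']!r:26} "
              f"via={info['via']} licenses={info['licenses']}")
    print("gaps:", unresolved_components(SAMPLE_SBOM))
```

On the constructed sample, zip-core and logkit are fourth-party components carried in by both direct suppliers, so a weakness in either affects the application through two separate contracts; logkit is also flagged for having no declared license. Running the same walk on each real SBOM a vendor supplies, and re-running it on every new version, is what turns the document into the continuous oversight the text calls for.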
Other common vulnerabilities include:
- Lack of continued oversight: While vendors may pass an organization’s initial vetting process, new risks can emerge that are undetected throughout the duration of the contract.
- Small vendors: As public sector organizations are required to work with a multitude of small and protected suppliers, it’s crucial to understand the risks that come with these types of third parties, which may have less robust security measures, making them easy targets.
Public Sector Breaches
In 2023, federal, state and local government agencies were found to be “highly vulnerable to breach especially through third-party software and internet-enabled devices,” according to the annual Data Breach Investigations Report.
The same report found that 20% of incidents and 11% of breaches analyzed in 2023 were linked to the public sector—the highest among all industries.
Recommendations for reducing third-party risk
While there are many ways for public sector organizations to lessen their third-party risk, the most critical is to continuously assess the third parties they work with. This means applying external threat detection with the same rigor they apply to their internal systems and data, guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.
Public sector organizations should also be sure they are asking the right questions to surface potential risks and exposure, several of which are listed below.
Ask your third-party suppliers these 6 questions
- What data privacy and retention policies do you have in place, and what is your process for keeping them updated?
- What are your cybersecurity policies and protocols—both for your organization and the organizations you provide services to?
- What, if any, security breaches has your organization experienced recently? How were you alerted to the breach? What was your response?
- Who are the third-party data sub-processors that process your customer data, and for what purposes are these organizations used?
- How does your organization manage vulnerabilities? Do you manage the process internally or outsource it?
- Are you able to supply proof of regular security assessments and audits?
The public sector’s reliance on third-party supply chains, while unavoidable, has created a risk that is rapidly becoming more visible, threatening the security of the sensitive information and critical services they oversee and provide.
As cyber attacks escalate, it’s imperative that public sector entities adopt a proactive approach to managing third-party risks. Leveraging AI-powered detection solutions, prioritizing robust security measures, and fostering a culture of transparency will help organizations stay ahead of emerging threats and maintain public trust.
The stakes are high, but with the right strategies and tools, it’s possible to build a more resilient future for the public sector and those it serves.
Dataminr Pulse for Cyber Risk
See how Dataminr Pulse for Cyber Risk helps public sector organizations continuously assess their third parties to detect risks as soon as they emerge, helping to ensure they can manage and mitigate risks faster and more effectively.
AI for External Threat Detection: Hear From CISO Jesse Whaley
Amtrak's CISO on how Dataminr Pulse for Cyber Risk helps his company detect external threats.