CSO Online
Collective Defense Proposed for Third-Party Supply Chain Risk
Friday, January 2, 2026
What
The article highlights significant challenges in third-party risk management, exemplified by the APT29 attack on TeamViewer. It advocates for a "Musk Ox strategy" where CISOs collaborate to share intelligence and collectively support third-party vendors to strengthen their security posture.
Where
Affects companies that rely on numerous third-party software and service providers (e.g., TeamViewer, Perimeter81, AnyDesk, GoToMyPC, LogMeIn), and in particular, via the FS-ISAC example, those in the financial services sector.
When
The article references the APT29 attack on TeamViewer in June 2024 as a recent example of third-party risk.
Key Factors
- Third-party vendors are often the weakest link due to limited transparency, complex supply chains, immature cybersecurity processes, and lower security investments, making traditional risk assessments ineffective.
- The proposed "Musk Ox strategy" emphasizes collective defense where organizations collaborate to identify and mutually support vulnerable third-party providers, rather than just monitoring or reacting to incidents.
- Existing practices like vendor assessments and contractual negotiations are largely insufficient, while continuous monitoring and incident response plans are reactive rather than preventative for systemic third-party risks.
Takeaways
- Actively engage in industry-specific information sharing and analysis centers (ISACs) to gain collective intelligence on emerging threats and third-party vulnerabilities.
- Explore collaborative initiatives with peer organizations to collectively support and enhance the security posture of shared critical third-party vendors, potentially involving joint efforts and contract renegotiations.