It's no longer enough to simply ensure that your organization's own systems and enterprise web presence are secure. Your risk management program needs to look beyond the perimeter of your organization to properly vet the third- and fourth-party vendors who will have access to your data without being subject to your internal risk management process. The use of third parties in your supply chain or for data handling creates potential risks that are compounded by those third parties' own weaknesses. The 2013 Target data breach, which began at an air conditioning subcontractor, is a well-known example, but the danger of third-party vendor risk has only increased since then, and more third-party breaches are being discovered than ever before. The discipline of third-party risk management (TPRM) has evolved to help manage this type of risk exposure.
Here are five key things to know about vendor risk:
1. Risk Starts Small
If an attacker is going to target a large organization, they'll want an entry point that won't raise suspicion. This means using a valid entry point that they can access while masked as a legitimate user. The attacker finds a third party that is less secure, often a smaller vendor with less stringent security protocols, and then leverages that access to break into the higher-value organization. In the Target breach, for example, attackers began by using malware to steal credentials from the air conditioning subcontractor, and from there had access to Target's vendor-dedicated web services.
2. Risk Extends Beyond Primary Vendors
The scope of risk is greater than a single third-party relationship would suggest, because an organization's third parties can also have their own third-party vendors, known as fourth parties or "second-tier" third parties. Organizations must understand how their first-tier vendors manage their own third parties. PwC also notes that vendors based overseas come with their own challenges, having "different laws, practices, and business ethics." For example, many companies outside the United States are bound by data sovereignty laws that prevent shipping their citizens' data to the U.S. because of privacy concerns. Third-party risks also don't need to involve hacks or attacks on a vendor: with the increasing use of cloud storage, unsecured cloud instances managed by third parties are a frequent cause of data exposure.
3. Primary Companies Are Held Responsible
For customers, the complexity of third-party relationships can make the full scope of cybersecurity risk difficult to comprehend. Even if a security incident is due to a service provider's lax security, in the mind of the customer it will be the main organization that bears responsibility. This is a legal consideration, too. The organization will often find it difficult to show that it took sufficient steps to manage its third-party risk through due diligence, and will be considered to retain responsibility even if a third party handled its data. There's some justification for this: if a company takes every precaution internally but fails to conduct due diligence by vetting the security of a vendor, using a tool like a cyber risk assessment questionnaire, it may as well have taken no precautions at all.
4. Risk Must Be Mitigated Throughout the Data Lifecycle
Even former third-party relationships can create risk to an organization. For example, TigerSwan's former recruiting vendor left sensitive information publicly available in an S3 bucket until only recently. Although the contract with the vendor was terminated in February 2017, thousands of resumes remained stored in the Amazon S3 subdomain "tigerswanresumes." When doing business with third-party vendors, it's important to understand not just how sensitive data will be stored, but also how it will be handled when the business relationship ends.
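The exposure described here, and the "unsecured cloud instances" mentioned under point 2, usually come down to a storage bucket whose policy grants access to any principal while S3 Block Public Access is switched off. The following added example (not code from the original article, and not affiliated with any vendor named in it) evaluates a bucket policy document and a Public Access Block configuration offline, using constructed sample data in place of the documents an account owner would retrieve with `GetBucketPolicy` and `GetPublicAccessBlock`. The bucket name, account id and role name in the samples are made up.

```python
"""Offline check: does an S3 bucket policy grant anonymous (public) access?

Added example, not from the original article. Both inputs are constructed
sample documents in the same shape AWS returns them, so this runs without
credentials; a real audit would fetch them per bucket and run the same logic.
"""
import json


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" among several AWS principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws is not None and "*" in _as_list(aws):
            return True
    return False


def public_statements(policy):
    """Return the Sids of Allow statements open to any principal.

    A statement carrying a Condition (e.g. aws:SourceVpc) is treated as a
    narrowed grant and is not reported; a stricter audit could flag those too.
    """
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", f"statement-{idx}"))
    return found


def block_settings_enforced(public_access_block):
    """True only when all four S3 Block Public Access switches are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(public_access_block.get(k) is True for k in keys)


def assess_bucket(policy, public_access_block):
    """Summarise one bucket: public grants present, and whether they are effective."""
    sids = public_statements(policy)
    enforced = block_settings_enforced(public_access_block)
    return {
        "public_statements": sids,
        "block_public_access": enforced,
        # With Block Public Access fully on, a public policy cannot take effect.
        "exposed": bool(sids) and not enforced,
    }


# Constructed sample: the kind of policy that leaves uploaded files world-readable.
SAMPLE_PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes-bucket/*"}
  ]
}""")

# Constructed sample: access limited to one named vendor role (hypothetical account id).
SAMPLE_SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VendorRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-upload"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-resumes-bucket/*"}
  ]
}""")

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {k: False for k in BLOCK_ALL}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_PUBLIC_POLICY, BLOCK_NONE))   # exposed: True
    print(assess_bucket(SAMPLE_PUBLIC_POLICY, BLOCK_ALL))    # exposed: False
    print(assess_bucket(SAMPLE_SCOPED_POLICY, BLOCK_NONE))   # exposed: False
```

The same check belongs in the offboarding step of a vendor relationship: the bucket policy and Block Public Access settings are what decide whether data a former vendor stored stays private after the contract ends, so they are worth re-evaluating at termination rather than only at onboarding.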
5. Traditional Cybersecurity Isn’t Enough
The Software Engineering Institute states that "[traditional] information security practice sometimes treats third party risk management as an 'add-on' to otherwise siloed security activities." Organizations manage risk areas independently, both internally and for third-party relationships, often by simply reacting to issues as they arise. This quick fix may work in the short term, but given the real-time nature of cyber risk, it fails to provide a complete picture and leaves dangerous levels of risk exposure that can only be controlled through ongoing monitoring. What's necessary, according to Deloitte, is a proactive approach that treats risk management as a source of organizational value. This covers all categories of third parties and all areas of risk, considering operational risk factors […] with reputational/financial risk factors […] and legal/regulatory risks […].
Making Resilience a Reality
A fully developed approach to managing third-party risk covers the entire organization, addressing both third-party behavior and the relationships within the digital environment. It requires vetting vendors through due diligence processes, the use of vendor risk assessment questionnaires, enforcement of minimum security standards, and ongoing monitoring of vendors as part of the overall risk management program. Achieving that level of third-party management is challenging. But thanks to technology innovations such as security ratings, and new approaches to the problem, next-generation vendor risk management is within reach.
We're seeing sectors such as the financial services industry beginning to lead the charge on managing third-party risk, driven by regulatory requirements from entities such as the OCC and the Federal Reserve in the US, and APRA in Australia. In a typical financial institution, multiple stakeholders, from the board of directors and senior management to enterprise risk managers and internal audit, are being mandated to implement robust risk assessment processes and lift their game to tackle this growing problem.