In managing cyber risk, it’s not enough to ensure that your business’s own systems and enterprise web presence are secure. You must look beyond your perimeter and properly vet the third- and fourth-party vendors who will have access to your data without being subject to your governance. If an organization outsources technological functions to third parties, or uses them in its supply chain or data handling, its risk is compounded by those parties’ weaknesses. The 2013 Target data breach, which began at an air-conditioning subcontractor, is a well-known example, but the danger of third-party vendor risk has only increased since then: more third-party breaches are being discovered than ever before.
Here are five key things to know about vendor risk:
If an attacker is going to target a large organization, they’ll want an entry point that won’t raise suspicion. That means using a valid, legitimate gateway while masquerading as an authorized user, rather than breaking through the target’s own, stronger defenses. The attacker finds a third party that is less secure, often a smaller vendor with less stringent security controls, and then leverages that vendor’s access to enter the larger network. In the Target breach, for example, the attackers began by using malware to steal credentials from the air-conditioning subcontractor, and from there gained access to Target’s vendor-dedicated web services.
The scope of risk is greater than a single third-party relationship would suggest, because an organization’s third parties can have their own third-party vendors, known as fourth parties or “second-tier” third parties. Organizations must understand how their first-tier vendors manage their own third parties. PwC also notes that vendors based overseas come with their own challenges, having “different laws, practices, and business ethics.” For example, many companies outside the United States are bound by data-sovereignty laws that prevent them from shipping their citizens’ data to the U.S. because of privacy concerns. Third-party risk also doesn’t have to involve a hack or attack on the vendor: with the increasing use of cloud storage, unsecured cloud instances managed by third parties are a frequent cause of data exposure.
For customers, the complexity of third-party relationships can make the full scope of cyber risk difficult to comprehend. Even if an incident is due to a third party’s lax security, in the customer’s mind it is the main organization that bears responsibility. This is a legal consideration, too: the organization will often find it difficult to show that it took sufficient steps to manage its third-party risk, and will be considered to retain responsibility even though a third party handled its data. There is some justification for this. If a company takes every precaution internally but fails to vet the security of a vendor, using a tool such as a cyber risk assessment questionnaire, it may as well have taken no precautions at all.
Even former third-party relationships can create risk for an organization. For example, TigerSwan’s former recruiting vendor left sensitive information publicly available in an S3 bucket until only recently. Although the contract with the vendor was terminated in February 2017, thousands of resumes remained stored in the Amazon S3 bucket whose subdomain was “tigerswanresumes.” When dealing with third-party cloud solutions, it’s important to understand not just how the data will be stored, but also how it will be handled when the relationship ends.
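The TigerSwan case above is about data left behind in a world-readable bucket. The following is an added example, not code from the article or from any vendor it mentions, of the kind of offline check a defender can run over their own (and a departing vendor's) bucket configuration: it takes a bucket policy, ACL and public-access-block configuration in the shapes the AWS S3 API returns them and flags the grants that make the contents public. The bucket name, account id, role name and all grants below are constructed placeholders; nothing here contacts AWS.

```python
"""Offline audit of S3 bucket configuration for public exposure.

Added example, not part of the original article. Inputs mirror the JSON that
get_bucket_policy / get_bucket_acl / get_public_access_block return; all
sample data below is constructed, so the script runs without credentials.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTH_USERS: "any AWS account"}

# Actions that, when granted to an anonymous principal, expose contents or listings.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a policy Principal matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Findings for Allow statements whose Principal is anonymous.

    A Condition block may narrow the grant (e.g. to one VPC endpoint), so
    such statements are reported as 'conditional' rather than ignored.
    NotPrincipal / NotAction forms are not modelled here (simplification).
    """
    findings = []
    if not policy:
        return findings
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        scope = "conditional" if st.get("Condition") else "unconditional"
        if actions & READ_ACTIONS:
            findings.append(("policy", "public-read", scope))
        if actions & WRITE_ACTIONS:
            findings.append(("policy", "public-write", scope))
    return findings


def acl_findings(acl):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append(("acl", grant.get("Permission", ""), PUBLIC_GROUPS[uri]))
    return findings


def audit_bucket(name, policy=None, acl=None, public_access_block=None):
    """Classify one bucket. Public Access Block settings override the grants:
    RestrictPublicBuckets neutralises a public policy and IgnorePublicAcls
    neutralises public ACL grants (simplified model of the AWS semantics)."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("RestrictPublicBuckets"):
        findings += policy_findings(policy)
    if not pab.get("IgnorePublicAcls"):
        findings += acl_findings(acl or {})
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample: a leftover bucket from a former vendor, world-readable.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-vendor-resumes",
                 "arn:aws:s3:::example-vendor-resumes/*"]}]}
LEAKY_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

# Constructed sample: the same bucket locked to one IAM role, with all four
# Public Access Block settings enabled (placeholder account id and role name).
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ResumeProcessor"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-vendor-resumes/*"}]}
LOCKED_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"}]}
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for report in (audit_bucket("example-vendor-resumes", LEAKY_POLICY, LEAKY_ACL),
                   audit_bucket("example-vendor-resumes", LOCKED_POLICY, LOCKED_ACL, LOCKED_PAB)):
        print(json.dumps(report, indent=2))
```

In practice the three inputs come from the S3 API for every bucket in the account, including buckets a vendor provisioned for you; the check belongs in an offboarding runbook as much as in routine monitoring, since the grants that made data public during the engagement are exactly the ones nobody revisits after it ends.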
The Software Engineering Institute states that “[traditional] information security practice sometimes treats third party risk management as an ‘add-on’ to otherwise siloed security activities.” Organizations manage risk areas independently, both internally and across third-party relationships, often by simply reacting to issues as they arise. That quick fix may work in the short term, but it fails to provide a complete picture of cyber risk and leaves unknown vulnerabilities waiting to be discovered. What’s necessary, according to Deloitte, is a proactive approach that treats risk management as a source of organizational value. This covers all categories of third parties and all areas of risk, considering operational risk factors […] with reputational/financial risk factors […] and legal/regulatory risks […].
A fully developed approach to managing third-party risk covers the whole enterprise, addressing both third-party behaviour and the relationships within the digital environment. It requires organizations to vet their vendors, use vendor risk assessment questionnaires when searching for partners, enforce minimum security standards for third parties, and monitor the environment with ease as part of the overall risk management strategy. Achieving that level of trust is challenging, but thanks to technological innovations and new approaches to the problem, next-generation vendor risk management is within reach.