Why Third-Party Cyber Risk Management Matters?

While many enterprises have taken tremendous strides in recent years to measure and manage the cyber risk present within their own IT systems, they struggle to extend that vigilance to third-party risk.

In this article, we detail the need to gain a strong understanding of third-party cyber risks and how your business can be impacted by a lack of third-party data.

Read this article to learn more about:

The state of third-party risk management today
Real-world examples of some recent third-party cyber incidents
How to overcome third-party risk visibility gaps

Content Summary

Introduction
Third-Party Technical Relationships: More Present Than You Think
You Can’t Abstract Away Risk
The State of Third-Party Risk Management Today
Overcoming Visibility Gaps

Introduction

That’s a problem in a time where third-party systems increasingly make up the backbone of modern IT. Enterprises today leverage cloud resources and technical connections with vendors and partners to go to market faster, meet customer demands, and stay competitive.

There’s nothing intrinsically wrong with those third-party relationships, but they have the potential to come with a risky dark side.

After all, organizations entrust more of their crown jewels to third parties every day. They’re sharing customer data with SaaS providers that help them with analytics, storing intellectual property on public cloud platforms, openly connecting their internal systems with the networks of technical partners. And the list goes on.

Each of these relationships has the potential to add considerable risk to the enterprise because every third party that touches those crown jewels has the potential to compromise them.

As such, the more that enterprises build out their digital ecosystems, the more important it is for them to see and manage cyber risks incurred by their third-party relationships.

Third-Party Technical Relationships: More Present Than You Think

Many organizations realize that they need to do a better job at managing third-party risk, but they don’t prioritize the problem because they don’t realize the true scope of the risk.

Third-party technical relationships are rarely as isolated or limited as many executives seem to think. Scratch deep enough under the surface of most modern IT architectures and you’ll usually find that the most crucial infrastructure and processes rely heavily upon third-parties to bring the business full value.

That’s because innovation in the era of digital transformation depends upon integrated systems and extended technical ecosystems. Third-party relationships are usually completely enmeshed in the way that organizations develop software and deliver digital services to external and internal customers. Some of the most common external resources found in the innovation supply chain include:

Cloud platforms and hosting
SaaS services
Open API connections
Third-party software components
Specialized consulting services
Data aggregation services
Managed services

What’s more, because digital transformation makes every business a software business, even seemingly non-technical business relationships often require the connection of IT systems and the sharing of crucial data streams.

The point is that third-party connections are everywhere—and so are third party risks. Internal systems are rarely bubble-wrapped anymore. So even an organization completely confident in its cybersecurity protections could be working with very little cyber assurance if it doesn’t monitor and manage how its third- parties conduct their risk management.

You Can’t Abstract Away Risk

The fundamental truth about third-party risk is that an organization can abstract away IT complexity and outsource IT work, but it can never outsource the cyber risk.

When a third party breaches your customer data, the customer still comes to you for accountability. No matter who exposes the information, headlines still feature your company’s name when your data is breached.

Multi-party cyber incidents that affect numerous organizations that have both direct and indirect connections to the initial victim are a troubling class of incidents known as cyber ripple events. A recent study of ripple events shows that they can cause 13x the financial damage of a single-party incident.

Some dramatic recent examples that demonstrate the ripple dynamic in action include:

Computer Facilities: A third-party marketing firm working with Nedbank, one of South Africa’s biggest financial institutions, recently exposed personal data of 1.7 million customers of the bank. Nedbank used Computer Facilities to run SMS and email marketing campaigns. A compromise of the third-party’s systems led to the exposure of all the data that Nedbank had shared with it.
AMCA: A breach of systems at the American Medical Collection Agency (AMCA) compromised the personal information of over 24 million individuals. This single event at this third-party collection agency caused costly downstream impact at 29 different client companies who shared patient information with it. One of the most high- profile organizations was Quest Diagnostics. Approximately 11.9 million Quest patients were affected, and the firm now faces a class-action lawsuit as a result.
Rocktop Partners: More than 24 million financial and banking documents related to mortgages originated by numerous institutions including Citibank, Wells Fargo, Capital One, and the Department of Housing and Urban Development were exposed by an unsecured cloud instance run by a small fintech startup Optics ML. The company had been tasked to run a cloud database for Ascension, a data and analytics company run by the parent company Rocktop Partners, which buys distressed loans and mortgages. The incident shows how third-party ripples can run in many concentric circles.

These are no isolated incidents. Cyber ripple events with downstream impact upon other organizations are demonstrably on the rise. Recent research shows they have been increasing 20% annually since 2008.

The State of Third-Party Risk Management Today

Unfortunately, too many enterprises today are completely blindsided by down-stream impact from ripple events at their third parties. They never see the threat coming because they simply do not have the mechanisms in place to monitor how well their vendors and partners are managing risk in shared or connected systems.

According to Ponemon Institute, almost half of organizations do not earmark any of their cybersecurity budgets to help their vendor risk program with third-party risk management. Most organizations remain relentlessly hyper-focused on cybersecurity internal controls, without looking to very relevant external systems.

Companies that do spend money to help with vendor risk only spend an average of about 17% of that security budget third-party risk management—and that money is often spent on ineffective remedies.

The truth is that many third-party risk management programs rest on accountability mechanisms that were devised in a very different technological era. When the field of third-party risk management arose a couple of decades ago, the standard for checking up on external parties was via vendor questionnaires, documentation, and the occasional visit to a larger third-party vendor’s data center.

This worked okay when there were a relatively small number of vendors to be assessed, the company data still resided on-site, and the vendors themselves had large, sophisticated security teams (e.g., Microsoft, Oracle, EMC, etc.).

Of course, this world no longer exists—but the third-party risk management process has not changed. As a result, many enterprises are flying blind about third- party risk. They’re sharing crown jewels without any assurance that moment-to-moment, day-in and day-out, ALL of their vendors are reliably protecting their risk interests.

The question is, how much of your business viability can you afford to rest on unverified trust? Do you trust:

That your most critical vendors have a 10% internet system software patching failure?
That all of your vendors consistently focus threat intelligence operations on internet points of presence that matter?
That vulnerabilities in your vendor’s systems can’t be exploited to attack systems where your data resides?

In cybersecurity it’s not good enough to simply trust.

No other area of security relies almost entirely on the “honor system” to manage risk. It would be like sending email to all employees, asking them a long list of security questions about their computer. And then entirely relying on their answers without any testing, monitoring, or verification.

You must verify third-party risk posture, too. Because of the vendor performs poorly as an enterprise, eventually that poor performance will show up in systems relevant to you.

Overcoming Visibility Gaps

Reliance on third-parties for collaborative innovation is a foregone conclusion to bring about digital transformation. But incurring undue risk from third-party relationships doesn’t have to be.

With the right tools at hand, organizations can effectively monitor and manage the risk posture of their third-party portfolio to bring it in line with that of internal systems. Third-party cyber risk management is ultimately about verifying trust in an enterprise’s entire digital landscape.

Source: riskrecon