Why Third-Party Risk Assessment must be an Ongoing Process

Article by Malcolm Taylor – InfoSecurity Magazine
22 April 2019

Whenever the business world embraces new technical innovations or working practices, it must brace for the inevitable wave of cyber-attacks as criminals adapt and find ways to exploit these strategies.

With each successive development, it often takes organizations several years to adapt their security defenses to effectively guard against these attacks. We have seen this pattern several times in recent years, such as with the move towards mobile working and the adoption of cloud-based infrastructure.

The most recent development is that organizations have come to rely on vast and intricate networks of third-party suppliers and partners for essential operations. While the idea of a large network of suppliers is not new or unusual in itself, the rapid advancement of the cloud means that organizations can now readily find a cloud-based service provider for almost every business need. As a result, the network of connections has become far denser and more complex.

In the US, William Evanina, the Director of the National Counterintelligence and Security Center recently announced that “supply chain infiltration is one of the key threats that corporations need to pay attention to” and in the UK, Ciaran Martin, CEO at National Cyber Security Centre told the CBI that third party risk was one of the top five priorities for boardrooms this year. There seems to be some consensus here.

Not only are firms relying on a greater number of third parties, but these suppliers are more often entrusted with access to sensitive data and mission-critical systems. The most recent Data Risk in the Third-Party Ecosystem report from the Ponemon Institute, which surveyed more than 1,000 security and risk professionals, found that organizations now share sensitive and confidential data with an average of 583 third parties. Managing so many connections has proven to be increasingly difficult.

How third-party risks emerge
While the elevated interconnectivity often helps to establish a more dynamic and collaborative working relationship, it also exposes organizations to a much greater risk of cyber-attack. Just as firms were often slow to move on from perimeter-based defenses and tackle threats to their mobile workforce, the majority of companies are struggling to keep track of their network of third parties and the risks they may be introducing.

Cyber-criminals will often target suppliers and partners in order to exploit their connections to larger and more valuable targets. According to Ponemon’s study, 59% of companies have experienced a data breach caused by one of their suppliers or third parties.

Many of the most notable security incidents in recent years have involved third parties to some extent, such as the breaches at Marriott International and Ticketmaster in 2018. The breach suffered by Target in 2013 is often held up as the clearest example of third-party risk in action, as the attackers got in using network credentials stolen from Target's HVAC supplier.

Organizations have commonly failed to keep up with the rapidly increasing scope and complexity of the third-party landscape. Ponemon found that only 34% keep a comprehensive inventory of their third parties, with 69% stating this was due to a lack of centralized control.

Taking control of third-party risks
With many companies now relying on hundreds, or even thousands, of partners and suppliers, prioritization is an essential first step to managing third-party risk. Firms should start with a list of all connections and prioritize them based on factors such as their security posture, their importance to the company, and the potential impact of a breach.

Alongside this, firms must develop a thorough understanding of how third-parties connect to their infrastructure and the extent of their access to assets. Reviews should not only account for technology, but also include policies and how well they are enforced.

Once this has been completed, organizations need to establish their own governance around reviewing third parties, including risk thresholds and the handling of unmitigated risks. This should cover what level of risk is acceptable, and the consequences if a supplier does not address a known security issue.

These policies should then be integrated into vendor procurement policies in the same manner as service level agreements, providing a clear and binding understanding of the supplier’s responsibilities.

This framework will provide the foundations for managing third-party risk, but many firms still leave themselves exposed because they rely on periodic surveys of their partners and suppliers to assess risk. Not only is this generally a time-consuming and resource-heavy manual process, but the results only produce a static snapshot of the supplier as it was at the time of the survey.

The need for a dynamic approach
Considering how rapidly cyber threats can emerge and evolve, the intelligence from one of these reports can become outdated in a matter of days. A new software deployment, or the disclosure of a vulnerability in software the supplier already runs, means that a company previously rated as secure can quickly become a security liability without anything in its last questionnaire changing.

Keeping up with this shifting landscape demands a much more dynamic approach to dealing with third-party risk. In-depth reviews should be conducted on a regular basis, with the cadence set by the risk a supplier represents, particularly where that risk stems from its level of access. Implementing a third-party monitoring system that is able to alert the organization to new threats in near real time will help to identify risks and enable the organization to work with its partner to address them before a serious incident occurs.
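The prioritization, threshold and review-cadence steps described in the two sections above can be made concrete. The following Python script is an added example, not code from the article or from any organization it cites: it scores a constructed vendor inventory by exposure (access level, data class, business criticality) and weakness (posture rating, unmitigated findings), assigns a risk tier, derives a review interval and an open-finding limit from the tier, flags overdue reviews, and re-scores a vendor when continuous monitoring reports a change so that an out-of-cycle review is triggered rather than waiting for the next survey. The weights, thresholds, vendor names and dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Illustrative weights and thresholds (assumptions, not a published standard).
ACCESS_WEIGHT = {"none": 0, "limited": 1, "standard": 2, "privileged": 3}
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
TIER_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}
MAX_OPEN_FINDINGS = {"critical": 0, "high": 1, "medium": 3, "low": 5}  # governance limit


@dataclass(frozen=True)
class Vendor:
    name: str
    access: str          # level of access into our environment
    data: str            # most sensitive data class shared with them
    criticality: int     # 1 (easily replaced) .. 3 (operations stop without them)
    posture: int         # 0..100 external posture rating, 100 = best
    open_findings: int   # unmitigated issues from the last review
    last_assessed: date  # date of the last in-depth review


def risk_score(v: Vendor) -> float:
    """Exposure (what they can reach, what they hold, how much we depend on them)
    scaled by weakness (poor posture and unmitigated findings)."""
    exposure = (ACCESS_WEIGHT[v.access] + DATA_WEIGHT[v.data]) * v.criticality  # 0..18
    weakness = 100 + (100 - v.posture) + 25 * v.open_findings                   # 100 = flawless
    return round(exposure * weakness / 100, 2)


def tier(score: float) -> str:
    if score >= 20:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def evaluate(v: Vendor, today: date) -> dict:
    """Score one vendor and apply the tier's review cadence and finding limit."""
    score = risk_score(v)
    t = tier(score)
    due = v.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[t])
    return {
        "name": v.name,
        "score": score,
        "tier": t,
        "review_due": due,
        "overdue": due < today,
        "policy_breach": v.open_findings > MAX_OPEN_FINDINGS[t],
    }


def prioritise(vendors, today: date) -> list:
    """Highest-risk suppliers first: this is the order in which to spend review effort."""
    return sorted((evaluate(v, today) for v in vendors), key=lambda r: r["score"], reverse=True)


def on_monitoring_event(v: Vendor, today: date, **changes) -> dict:
    """Re-score when monitoring reports a change (posture drop, new finding).
    An out-of-cycle review is triggered if the tier rises or the tier's finding
    limit is exceeded; otherwise the scheduled cadence stands."""
    before = evaluate(v, today)
    after = evaluate(replace(v, **changes), today)
    tier_rose = TIER_RANK[after["tier"]] > TIER_RANK[before["tier"]]
    return {"name": v.name, "before": before["tier"], "after": after["tier"],
            "review_triggered": tier_rose or after["policy_breach"]}


# Constructed sample inventory; names, ratings and dates are made up.
TODAY = date(2019, 4, 22)
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", "standard", "regulated", 3, 85, 0, date(2019, 1, 10)),
    Vendor("HVAC Maintenance", "limited", "internal", 1, 40, 2, date(2018, 3, 1)),
    Vendor("Marketing Chatbot", "none", "regulated", 1, 70, 0, date(2019, 2, 15)),
    Vendor("Managed Service Provider", "privileged", "confidential", 3, 90, 1, date(2018, 11, 1)),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_VENDORS, TODAY):
        flags = [f for f in ("overdue", "policy_breach") if r[f]]
        print(f"{r['name']:26} score={r['score']:6} tier={r['tier']:8} due={r['review_due']} {' '.join(flags)}")
    # Monitoring reports two new unmitigated findings at the payroll provider.
    print(on_monitoring_event(SAMPLE_VENDORS[0], TODAY, open_findings=2))
```

Two things in the output are worth noticing. The HVAC supplier has the second-lowest exposure in the inventory, yet its weak posture and open findings still put it in the medium tier and its annual review is overdue; an exposure-only ranking would have buried it. And the payroll provider, rated high at its last review, moves to critical on a single monitoring event, which is exactly the change a once-a-year questionnaire would not see until the next cycle.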

With the interconnected business world only set to become more complex as technology develops, organizations must be armed with an approach that manages third-party risk in the most effective and dynamic way.