Third-party risk: What it is and how CISOs can address it
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
In today’s world where business processes are becoming more complex and dynamic, organizations have started to rely increasingly on third parties to bolster their capabilities for providing essential services.
However, while onboarding third-party capabilities can optimize distribution and profits, third parties come with their own set of risks and dangers. For example, third-party vendors who share systems with an organization may pose security risks that can have significant financial, legal and business consequences.
According to Gartner, organizations that hesitate to expand their ecosystem for fear of the risks it can create will likely be overtaken by organizations that boldly decide to seize the value of third-party relationships, confident in their ability to identify and manage the accompanying risks effectively. Therefore, it’s critical to handle third-party security risks efficiently and effectively.
Risk and compliance
Third parties can increase an organization’s exposure to several risks that include disrupted or failed operations, data security failures, compliance failures and an inconsistent view of goals for the organization. According to an Intel471 threat intelligence report, 51% of organizations experienced a data breach caused by a third party.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
“Organizations often grant third parties access to networks, applications, and resources for legitimate business reasons. However, when doing so with a legacy VPN, they often provide overly broad access to an entire network, rather than granular access to the specific apps and resources needed to do their job,” John Dasher, VP of product marketing, Banyan Security told VentureBeat.
Third-party risks have grown so much that compliance regulations have become essential to an organization’s processes and policies. Despite evolving regulations and an increase in confidence for risk programs across the board, a report by Deloitte found that third-party risk estimates have also concluded that more than 40% of organizations do not do enhanced due diligence on third parties.
The rising cybersecurity threat
As the need for third-party risk management becomes more apparent to organizations, risk management teams have begun going to great lengths to ensure that vendors do not become liabilities when they become a crucial part of business operations.
However, when organizations often incorporate a third party into their business operations, they unknowingly also incorporate other organizations, whether now or in the future. This can cause organizations to unknowingly take numerous forms of risk, especially in terms of cybersecurity.
“It’s a huge concern as companies can’t just stop working with third parties,” said Alla Valente, senior analyst at Forrester. According to her, as businesses shifted from “just-in-time” efficiency to “just-in-case” resilience after the pandemic, many doubled the number of third parties in their ecosystem to improve their business resilience.
“Third parties are critical for your business to achieve its goals, and each third party is a conduit for breach and an attack vector. Therefore, if your third parties cannot perform due to a cyberattack, incident, or operational disruption, it will impact your business,” explained Valente.
Third-parties that provide vital services to an organization often have some form of integration within their network. As a result, any vulnerability within their cybersecurity framework can be exploited and used to access the original organization’s data if a third party does not effectively manage or follow a cybersecurity program.
Again, this becomes a growing concern, especially when a complex web of various vendors is created through third-party relationships that are all connected throughout their network.
Adam Bixler, global head of third-party cyber risk management at BlueVoyant, says that threat actors use the weakest touchpoint to gain access to their target and, often, it is the weakest link in a third-party supply chain that threat actors focus on to navigate upstream to the intended company.
“In general, we have seen that cyberthreat actors are opportunistic. This has been a highly successful technique, and until security practices are implemented systematically and equally throughout the entire third-party ecosystem, all involved are at risk of this type of attack,” said Bixler.
Bixler told VentureBeat that when BlueVoyant surveyed executives with responsibility for cybersecurity across the globe, it was found that 97% of surveyed firms had been negatively impacted by a cybersecurity breach in their supply chain.
A large majority (93%) admitted that they had suffered a direct cybersecurity breach because of weaknesses in their supply chain, and the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 — a 37% year-over-year increase.
It is not only cybersecurity that poses a severe risk, but any disruption to any business across the web of third parties can cause a chain reaction and thus greatly hinder essential business operations.
“The real danger lies in accepting third-party files from unauthorized or authorized vendors who don’t know they have been compromised. Over 80% of attacks originate from weaponized office and PDF files that look legitimate. If those files are allowed inside your organization, they pose a threat if downloaded,” says Karen Crowley, director of product solutions at Deep Instinct.
Crowley said that multistage attacks are low and slow, with threat actors willing to wait for their moment to get to the crown jewels.
Hazards of a third-party data breach
Enhancing access and data sharing can provide social and economic benefits to organizations while showcasing good public governance. However, data access and sharing also come with several risks. These include the dangers of confidentiality or privacy breaches, and violation of other legitimate private interests, such as commercial interests.
“The primary dangers of sharing information with undocumented third parties or third-party vendors is that you have no way of knowing what their security program consists of or how it is implemented, and therefore no way to know how your data will be maintained or secured once you share,” said Lorri Janssen-Anessi, director, external cyber assessments at BlueVoyant.
According to Anessi, it’s critical to safeguard your proprietary information and to demand the same level of security from third parties/vendors you engage with. She recommends that while sharing data with a third party, enterprises should have a system to onboard vendors that include knowing the third party’s cyber-risk posture and how these risks will be mitigated.
Organizations that do not take proper precautions to protect themselves against third-party risk expose their businesses to both security and non-compliance threats.
These data breaches may be incredibly disruptive to your organization and have profound implications, including the following:
- Monetary losses: Data breaches are costly regardless of how they occur. According to the Ponemon Institute and IBM’s cost of a data breach report, the average cost of a data breach is $3.92 million, with each lost record costing $150. The reason for the breach is one aspect that increases the cost of the breach, and a breach costs more if a third party is involved. Based on the analysis, the price of a third-party data breach often rises by more than $370,000, with an adjusted average total cost of $4.29 million.
- Exposure of sensitive information: Third-party data breaches can result in the loss of your intellectual property and consumer information. Several attack vectors can expose a company’s private information and inflict considerable damage, ranging from data-stealing malware to ransomware attacks that lock you out of your business data and threaten to sell it if the ransom is not paid.
- Damaged reputation: Reputational harm is one of the most severe repercussions of a data breach. Even if the data breach was not your fault, the fact that your clients trusted you with their information and you let them down is all that matters. This might also have a significant financial impact on your company.
- Potential for future attacks: When cybercriminals access your data through a third party, that breach may not be their endgame. It may simply be the beginning of a more extensive campaign of hacks, attacks and breaches, or the information stolen might be intended for use in phishing scams or other fraud. The collected data might be used in later attacks.
Best practices to mitigate third-party risk
Philip Harris, director, cybersecurity risk management services at IDC, says that to mitigate third-party risks more effectively, it is important to work with the appropriate teams within an organization that have the most knowledge about all the third parties the company deals with.
“Doing so can not only help create an inventory of these third parties, but also help classify them based upon the critical nature of the data they hold and/or if they’re part of a critical business process,” said Harris.
Jad Boutros, cofounder and CEO of TerraTrue, says it is important for organizations to understand the security posture of all of their third parties by asking questions during due diligence and security certification reviews.
According to Boutros, a few strategic guidance points that CISOs can follow to avoid third-party security hazards are:
- Understand what data is shared between the organization and the third party. If it is possible to avoid sharing susceptible data or transform it (i.e., with bracketing, anonymizing or minimizing) to defend against certain misuses, such mitigations are worth considering.
- Some third parties may also expose particularly risky functionalities (e.g., transferring data over insecure channels, or exposing additional power-user functionality); if not needed, finding ways to disable them will make for a safer integration.
- Lastly, regularly reviewing who in the organization has access to the third party and/or elevated access helps reduce the blast radius of an internal account compromise.
Other preventive solutions
A few other solutions that organizations can implement to prevent third-party risks are:
Third-party risk management (TPRM) program
With increased exposure due to cooperating with third parties, the necessity for an effective third-party risk management (TPRM) program has grown significantly for organizations of all sizes. TPRM programs can help analyze and control risks associated with outsourcing to third-party vendors or service providers. This is especially true for high-risk vendors who handle sensitive data, intellectual property or other sensitive information. In addition, TPRM programs enable organizations to ensure that they are robust and have 360-degree situational awareness of potential cyber-risks.
Cyberthreat intelligence (CTI) architectures
Another preventive security measure is implementing cyberthreat intelligence (CTI) architectures. CTI focuses on gathering and evaluating information concerning present and future threats to an organization’s safety or assets. The advantage of threat intelligence is that it is a proactive solution, i.e., it can inform businesses about data breaches in advance, reducing businesses’ financial expenditures of clearing up after an occurrence. Its goal is to provide businesses with a thorough awareness of the dangers that represent the most significant risk to their infrastructure and to advise them on how to defend their operations.
Security ratings, often known as cybersecurity ratings, are becoming a popular way to assess third-party security postures in real time. They enable third-party risk management teams to undertake due diligence on business partners, service providers, and third-party suppliers in minutes — rather than weeks — by analyzing their external security posture promptly and objectively. Security ratings cover a significant gap left by traditional risk assessment approaches like penetration testing and on-site visits.
Traditional methods are time-consuming, point-in-time, costly, and frequently rely on subjective evaluations. Furthermore, validating suppliers’ assertions regarding their information security policies might be difficult. Third-party risk management teams can obtain objective, verifiable and always up-to-date information about a vendor’s security procedures by employing security ratings with existing risk management methodologies.
Future challenges and important considerations
Harris says that third parties have always been an area where the attack surface has grown, but this hasn’t been taken too seriously and companies have taken a blind eye to it instead of seeing it as a real potential threat.
“Third parties need to be a board-level topic and part of the overall security metrics created to manage security holistically. There are various solutions, but these unfortunately require humans as part of the assessment process,” said Harris.
Gartner’s survey found that risk monitoring is a common gap in third-party risk management. In such cases, an enterprise risk management (ERM) function can provide valuable support for managing third-party risks. Organizations that monitor changes in the scope of third-party risk relationships yield the most positive risk outcomes, and ERM can support monitoring changes in third-party partnerships to manage the risk better.
According to Avishai Avivi, CISO at SafeBreach, most third-party risk solutions available today only provide an overview of cybersecurity, but the problem is much more profound.
Avivi said third-party breaches through supply chains are another growing risk vector that CISOs need to consider. To prevent attacks through supply chain endpoints, he highly recommends that companies that work with a significant amount of customer-sensitive data consider developing a full privacy practice.
“Solutions still need to evolve to support third-party assessments of the vendor’s privacy posture. While there are plenty of third parties that get SOC 2 and ISO 27001 audits, they are still not enough to get their privacy practices audited. Most companies do not look for the “privacy” category of SOC 2 or the ISO 27701 certificate. The solutions available today still need to mature before they can match the need,” Avivi explained.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.