Is Third-Party Cyber Risk Leaving You Exposed?
Five years ago, many organisations focused their cyber defence efforts almost entirely on protecting their own estate, stopping at the point of securing their network perimeter. Today, those same companies are increasingly concerned about the security of their third parties.
Digital transformation has created a business environment that is dynamic and continuously evolving. Customers now expect to interact with companies in real time, and companies have become reliant on a network of partners and third parties to meet that expectation. Outsourcing has helped them stay competitive, but it has also enlarged their attack surface: every supplier with a connection, a credential or a copy of the data is now part of it.
Furthermore, attackers have become more sophisticated over time: instead of conducting direct attacks, they are choosing the path of least resistance, compromising a business’s supply chain or key vendor as a means to gain access.
Possibly the most famous example is the 2013 Target breach, in which attackers obtained the payment card data of around 41 million customers after stealing network credentials from Target's heating, ventilation and air conditioning contractor. Excessive access granted to the vendor and poor segmentation of the internal network allowed the attackers to move from a vendor-facing portal to the systems holding customer data. Target later agreed an $18.5 million settlement with US state attorneys general and a separate $10 million class-action settlement under which affected customers could claim up to $10,000 each for documented losses.
Unfortunately, for customers and businesses alike, costly third-party breaches like this are not unique, and the exposure is not limited to vendors with network access: it also comes through the software an organisation runs. In 2017, Equifax was breached through a known, unpatched vulnerability in the Apache Struts framework (CVE-2017-5638) in a customer-facing web application, exposing the personal information of roughly 147 million people and leaving Equifax liable for a settlement worth up to $700 million.
Given the significant financial, operational and reputational damage that can result from a third-party cyber security breach, why are so many organisations still on the back foot when it comes to the effective management of their third-party cyber risk?
1. Materiality and criticality of third-party products/services are not considered
Many organisations do not consider the materiality or criticality of the products and services they procure from third parties, or how these vary over time. Different relationships, even with the same vendor, expose an organisation to different levels of risk. For example, one supplier may have no connection to internal systems at all, while another performs vital daily data transfers. Protecting the former may not be a priority, but mitigating the risk associated with the latter is critical, since it poses a clear threat.
Identifying the riskiest relationships is vital to defining a well-prioritised mitigation roadmap. In this way, security teams can make effective use of time and resource, tackling the biggest threats first.
2. Inability to build scale and agility into the third-party risk management process
The ongoing monitoring of third parties is a vital part of third-party security risk management. This typically involves the completion of a security assessment questionnaire, issued by the organisation to a third party on a periodic basis, in order to measure the strength and maturity of the vendor’s security controls. Often, these questionnaires take the form of lengthy spreadsheets, resulting in a time-consuming and often impractical process that does not scale well.
Furthermore, many organisations do not tailor their questionnaires to the materiality or criticality of the service the third party provides. Some even believe that there is no need to monitor their ‘low-risk’ or ‘less-critical’ third parties, such as those providing marketing or cleaning services. The Target breach shows why this is a mistake: an HVAC contractor is exactly the kind of supplier that would be filed under ‘low risk’, yet its credentials were the way in.
In order to reduce complexity within the process, organisations should categorise their third parties by materiality and criticality, and design questionnaires that align to each category.
3. Third-party security assessments do not provide visibility or assurance of the cyber risk posture
Organisations may develop an approach to ongoing monitoring that does not allow the materiality and criticality of a third party to dictate the type and depth of their security assessment. Critical third parties, for example, may need to be assessed on-site using a more in-depth type of review in order to appropriately evaluate the operating effectiveness of security controls. In addition, the structure of the assessments themselves may fail to comprehensively evaluate third-party cyber risk posture.
Given that answers to questionnaires are highly subjective, and may therefore fail to provide a reliable or transparent view of the vendor’s true posture, it is essential that companies formulate rules- and logic-based questionnaires which strike an appropriate balance between objective and subjective questions, being careful to avoid nested questions, for example.
4. Insufficient skilled resources to ensure traceability of and control over third-party risk management
As organisations expand their third-party ecosystems, they frequently struggle to assess and keep track of security assessment responses from what can be hundreds of suppliers worldwide. Typical causes include:
- a lack of resources with the appropriate skills or expertise;
- a lack of traceability being built into the process.
In order to closely monitor and review security risk questionnaires on an ongoing basis, companies need to be able to see at a glance when each questionnaire was sent, how much has been answered and when it was completed. A vendor risk management tool can help to keep track of the security assessment process whilst reducing the demand on resources.
5. Lack of ownership and governance
Typically, several different teams are involved in the end-to-end third-party risk management process, from Procurement to a company’s IT, Cyber Security and Legal teams, etc. This means that, when it comes to performing due diligence checks or the continuous monitoring of third parties, multiple questionnaires across various risk types may be issued to vendors simultaneously, which can cause confusion and frustration.
Furthermore, firms often struggle to find a home for third-party risk management, and with insufficient governance around the process, more often than not, input from security and privacy teams is not incorporated within the end-to-end process.
Organisations should nominate a single point of contact / owner per vendor to coordinate and streamline interactions with third parties. More broadly, the function that owns and governs end-to-end third-party risk management should ensure that the right teams are involved when defining the process.
Key considerations when establishing a third-party cyber risk management programme
When mobilising a third-party cyber risk management programme, there are several key components to consider. To implement these effectively, your approach must be scalable so that it can evolve alongside your ecosystem.
- Identifying your third parties: Organisations should start by building a register of their existing third parties. Indeed, per European Banking Authority guidelines, as well as a consultation paper published by the Bank of England in December 2019, companies will be required to have documented an outsourcing register by the end of 2021. Note that the definition of ‘outsourcing’ provided by the PRA rulebook does not capture all arrangements between firms and third parties, e.g. hardware purchases, therefore it will be up to the firms to assess whether their third-party arrangements are applicable.
- Categorising and prioritising your third parties by the inherent risk they pose to your organisation: Define a methodology, which may include a set of key questions and/or key criteria, to assess the inherent risk associated with a third party, i.e., how material and/or critical the third party is to you. Note that this may vary throughout the duration of your engagement depending on the type of service being provided, the level of access that the third party has to your organisation’s critical systems, the type of access and number of users with access, etc.
- Performing due diligence: This should be part of the onboarding phase, prior to formally contracting with a third party. Evaluate the security posture of the third party using a questionnaire aligned to an industry standard such as the NIST Cybersecurity Framework or ISO/IEC 27001. The level of due diligence required should depend on the categorisation and prioritisation of the third party as determined in step 2.
- Ensuring the inclusion of relevant SLAs and KPIs in third party contracts: The outcome of the due diligence process in step 3 should determine the relevant security clauses to be included in the contract with the third party (e.g. “all of the third party’s security incidents/breaches should be communicated to the organisation within 24 hours”).
- Continuously monitoring the security posture of your third parties: Risk assessments should be conducted on a periodic basis, and the type and frequency of this assessment should vary depending on the criticality of the third-party relationship. For example, whilst annual deep-dive assessments might be required for critical third parties, high-level assessments may be conducted every two years for third parties of medium criticality, and recertifications for less critical third parties every three years. The type of assessment might vary from an on-site deep-dive audit to assess the operating effectiveness of security controls to a high-level interview-based remote audit to assess the design effectiveness of security controls.
- Terminating a third-party relationship: A robust Third-Party Cyber Risk Management framework should include both an Exit Strategy and a Business Continuity Plan. Firms should consider and test all possible outcomes following an outage at a third party or the termination of a relationship with a third party. These might include, for example, bringing the data, function or service back in-house / on-premise, or transferring the data, function or service to an alternative service provider.
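Steps 2 and 5 above (tiering each third party by inherent risk and letting the tier drive the type and frequency of assessment) and the tracking problem described in point 4 are the parts of this programme that lend themselves to a simple register rather than a spreadsheet. The Python below is an added example, not code from the original article or from any vendor risk management product. The criteria, weights and tier thresholds are illustrative assumptions; the assessment cadence per tier (annual deep-dive for critical, two-yearly review for medium, three-yearly recertification for low) is the one the article describes, and the sample register is constructed. Note that the tier is assigned per engagement, not per vendor, so the same supplier appears twice with different tiers, and that re-tiering when a vendor's access changes is a one-line operation.

```python
"""Third-party register: inherent-risk tiering, assessment cadence and
questionnaire tracking. Added example; weights and thresholds are
illustrative assumptions, not a published standard."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Tier(Enum):
    CRITICAL = "critical"
    MEDIUM = "medium"
    LOW = "low"


# Assessment type and interval (days) per tier, following the cadence in the
# article: annual deep-dive, two-yearly high-level review, three-yearly
# recertification.
REGIME = {
    Tier.CRITICAL: ("on-site deep-dive audit", 365),
    Tier.MEDIUM: ("remote interview-based review", 2 * 365),
    Tier.LOW: ("recertification questionnaire", 3 * 365),
}

# Illustrative weights (assumption): what data the vendor sees and how it
# reaches our systems are the two inputs that matter most.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ACCESS_WEIGHT = {"none": 0, "api": 1, "vpn": 2, "privileged": 3}


@dataclass
class Engagement:
    """One service from one vendor; the same vendor can appear several times."""
    vendor: str
    service: str
    data_classification: str
    network_access: str
    users_with_access: int
    supports_critical_process: bool
    last_assessed: Optional[date] = None
    questionnaire_sent: Optional[date] = None
    questions_total: int = 0
    questions_answered: int = 0


def inherent_risk_tier(e: Engagement) -> Tier:
    """Tier the engagement, not the vendor."""
    # A single high-impact criterion is decisive on its own: privileged
    # access or restricted data makes a vendor critical regardless of size.
    if (e.supports_critical_process
            or e.network_access == "privileged"
            or e.data_classification == "restricted"):
        return Tier.CRITICAL
    score = DATA_WEIGHT[e.data_classification] + ACCESS_WEIGHT[e.network_access]
    if e.users_with_access > 10:
        score += 1
    if score >= 4:
        return Tier.CRITICAL
    if score >= 2:
        return Tier.MEDIUM
    return Tier.LOW


def with_access(e: Engagement, network_access: str) -> Engagement:
    """Re-tier when the relationship changes, e.g. a vendor is granted VPN access."""
    return replace(e, network_access=network_access)


def next_assessment_due(e: Engagement, today: date) -> date:
    """Never-assessed engagements are due immediately (due diligence at onboarding)."""
    _, interval = REGIME[inherent_risk_tier(e)]
    if e.last_assessed is None:
        return today
    return e.last_assessed + timedelta(days=interval)


def register_report(engagements: List[Engagement], today: date) -> List[dict]:
    """One row per engagement: tier, required assessment, due date, overdue flag
    and questionnaire progress. Overdue items sort first, then by due date."""
    rows = []
    for e in engagements:
        tier = inherent_risk_tier(e)
        due = next_assessment_due(e, today)
        pct = (100 * e.questions_answered // e.questions_total) if e.questions_total else 0
        rows.append({
            "vendor": e.vendor, "service": e.service, "tier": tier.value,
            "assessment": REGIME[tier][0], "due": due, "overdue": due < today,
            "questionnaire_sent": e.questionnaire_sent, "answered_pct": pct,
        })
    rows.sort(key=lambda r: (not r["overdue"], r["due"]))
    return rows


# Constructed sample register (not real vendors).
TODAY = date(2021, 6, 1)
REGISTER = [
    Engagement("Acme Facilities", "HVAC maintenance", "internal", "vpn", 3, False,
               last_assessed=date(2019, 3, 1)),
    Engagement("Acme Facilities", "office cleaning", "public", "none", 2, False,
               last_assessed=date(2020, 1, 15)),
    Engagement("PayrollCloud", "payroll processing", "confidential", "api", 50, False,
               last_assessed=date(2020, 9, 1), questionnaire_sent=date(2021, 5, 20),
               questions_total=120, questions_answered=45),
    Engagement("CoreLedger", "core banking platform", "restricted", "privileged", 5, True),
]

if __name__ == "__main__":
    for row in register_report(REGISTER, TODAY):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f'{row["vendor"]:16} {row["service"]:22} {row["tier"]:9} '
              f'{row["assessment"]:32} {flag} {row["due"]} '
              f'questionnaire {row["answered_pct"]}% answered')
```

Run on the sample register, the HVAC engagement (VPN access, two years overdue for its medium-tier review) sorts to the top, the never-assessed core banking platform is due today, and the same facilities vendor's cleaning contract sits at the bottom as low tier. Granting the HVAC contractor privileged access moves that engagement to critical without touching the rest of the register.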
Creating a dynamic third-party cyber risk management programme will enable you to make informed decisions about your third parties and your cyber security. It should go without saying that any such initiative requires the buy-in and ongoing engagement of a company’s C-Suite and Board in order to be truly effective. C-Suite executives and Board members must proactively enable their security teams to implement a third party cyber strategy, whether that means providing funding to procure third party management tools, approving plans to scale up in the long term or hiring a team of appropriately skilled auditors to continuously monitor third parties. Those who do not adequately engage with their organisation’s third-party cyber security practices risk opening themselves up to the financial, operational and reputational ramifications of leaving their back door open.