Third-party engagement has steadily become an essential part of business operations for many organizations, enlisted for all kinds of products and services across nearly all sectors, regardless of size, geographical location or type of industry. But because systems are so interconnected and third parties often hold sensitive information or have access to a partner’s systems, they can also be the weak link in the cybersecurity chain.
Third-party cyber risk management
Third-party and digital supply chain attacks are on the rise, with third-party partners becoming an attractive target for threat actors for several reasons.
- A third party could present a softer target, creating an opportunity for threat actors to move from that network to their primary target. In 2013, for example, hackers breached the payment and personal information of as many as 110 million Target customers after compromising the password of Target’s HVAC vendor.
- A third party could provide a vehicle for widely distributing an attack against many potential targets. The recent SolarWinds supply chain hack is a prime example. Hackers, suspected of being from Russia, used a sophisticated attack to insert malware into SolarWinds’ software system, then piggybacked on updates to SolarWinds’ IT management software to spread their malware to quite a few large organizations, including several major federal agencies.
- A third party can actually become the primary target if it holds the sensitive data that threat actors want. In early 2020, General Electric (GE) suffered a breach of sensitive personal information on 200,000 current and former employees when attackers broke into the systems of GE’s HR document management vendor, Canon Business Process Services.
As those examples illustrate, the stakes are high and the potential for damage to businesses and their third parties is significant. Organizations can’t just assume that their third-party partners are cyber-secure. All parties involved in the vendor ecosystem need assurances—a level of trust built on a customer/third-party partnership focused on cybersecurity. A robust program of Third-Party Cyber Risk Management (TCPRM) is the best way to get there.
Securing the vendor ecosystem
As with any other aspect of a business partnership, all sides involved have to hold up their end of the bargain when it comes to cybersecurity. A customer organization has to understand that it retains responsibility for the data it shares with third parties and that the third parties—because they can access, hold and use that data—are effectively an extension of the customer’s business.
Third parties, for their part, have to recognize that their customers are entrusting them with critical data and access to their systems, and that they share the responsibility for protecting both the data and those systems. Data is equally as sensitive and/or valuable regardless of who is handling it, and it must be secured at every step along the way.
Organizations and third parties should employ TPCRM tools that apply cyber risk management to third parties by identifying their inherent risk, calculating the likelihood of a cyber incident involving the third party, and highlighting the residual risks that are most critical to address. The right TPCRM tools, which will make extensive use of automation, can do this on an ongoing basis, using both structured and dynamic data to allow an organization to enumerate the greatest risks among its third-party partners and prioritize resources based on risk exposure.
A TPCRM program also provides visibility to the partner organizations, ensuring assessments are current and readily available—as often as requested—to both the customer organization and the third party. Additionally, a TPCRM program provides a framework for collaboration among organizations, enabling them to keep their cybersecurity efforts up to date with the latest developments in third-party cyber risk management.
In addition to allowing organizations to understand and address risks, a TPCRM program will take routine workloads off the plates of IT and security staff members, allowing them to maximize their productivity as risk managers rather that data collectors. It also will reduce redundant efforts and be able to scale as a company grows, while providing the information and insights necessary for creating a prioritized, risk-based mitigation strategy.
A trust that survives
Breaches happen. Everyone in the cybersecurity community is well aware that threat actors are relentless, their tools and techniques are steadily becoming more sophisticated, and that no systems of defense are completely hack proof. But automated risk management tools, real-time threat information and an inclusive defensive strategy will significantly help in preventing successful attacks, as well as mitigating damage and accelerating recovery when they do occur.
Customer organizations and third-party partners can maintain trust in each other when an attack succeeds, but only if that trust is built on sincere, shared, collaborative due diligence on both sides before, during and after an attack. Robust TPCRM programs help organizations build—and maintain—that level of trust.