Information security is the risk topic of the year. Following the many cyber-breaches reported in 2016, most companies are setting focus on securing their own networks and data. But preventing the theft of sensitive information from third-party systems and personnel adds a new layer of complexity that must be addressed. 

Despite incredible advances in technology and enhanced regulatory interest, the number of cyber-attacks involving access through third parties has grown dramatically. This isn’t surprising given that more than 80 percent of companies outsource some aspects of their business operations to third parties. The tasks third parties perform are becoming more customer-facing, including sales, distribution, and support services. As a result, third parties can have a more direct impact on a company’s reputation. Trustwave’s 2013 Global Security Report indicates 63 percent of data breaches can be linked to third parties. There is no reason to expect that number to get smaller in the coming year.

IBM’s 2016 Cost of Data Breach study estimates the average cost per record breached is $158 and, over the past 10 years, almost a billion records have been compromised in the United States alone. Lloyd’s, the British insurance company, estimated in 2015 that cyber-attacks cost businesses as much as $400 billion a year.

Despite these events and findings, the PwC “2015 U.S. State of Cybercrime Survey” reports:

Only 42% of respondents consider supplier risks

23% do not evaluate third parties at all

Most companies do not have a process for assessing third-party security capabilities

While this is beginning to change, most organizations remain woefully unprepared to manage risks that are increasingly driven not by individual hackers but by organized cyber-crime rings. Whether stealing millions by intrusion into accounts payable systems, embedding malware that causes companies to rely upon fabricated data, or demanding ransom for data or operating systems held hostage, cyber-attacks today often take advantage of third-party relationships. They are rapidly evolving in sophistication and impact.

Our approach to information security must likewise become more sophisticated and must be applied across the extended business enterprise. Planning and execution must take place throughout all stages of the supply chain including third-party agents and business partners. Any third party can create vulnerabilities, not just those that are essential to your business. Conducting due diligence on essential third parties is not enough. Consideration should be given to assessing the risk of all third parties and determining appropriate controls based on that risk evaluation. And then, you must monitor changes to the factors that go into the risk assessment to ensure controls remain relevant and appropriate.

Conducting due diligence on essential third parties is not enough. Consideration should be given to assessing the risk of all third parties and determining appropriate controls based on that risk evaluation. And then, you must monitor changes to the factors that go into the risk assessment to ensure controls remain relevant and appropriate.

But how do we do this when an organization may have thousands, or tens of thousands of vendors and other third parties? How do we take the appropriate level of care in selecting partners and suppliers without wasting time and resources? What are the first steps in assessing information security risk presented by these relationships?

Drew Wilkinson, a cyber-risk expert at Booz Allen Hamilton, notes in an interview with Computer Weekly that many organizations fail to track basic information about their third parties: Which third-party supplier contracts are active? What information do suppliers have access to? What are their most critical data assets? Even when organizations attempt to manage third-party and supply chain cyber-risks throughout the relationship lifecycle, he says they tend to do some due diligence at the start to select suppliers that are deemed low risk, but there is no provision for monitoring changes that might increase a supplier’s risk over time. He cites the example of a financial services firm that excluded legal services from its general procurement process to save time, omitting law firms from any cyber-security review even though they regularly handle sensitive customer data.

Clearly, ongoing monitoring and process is essential throughout the lifecycle of a third-party relationship. Even at the end of a relationship, certain steps should be taken to re-assess risk and establish required actions as the third-party contract is terminated. But none of the ongoing risk management measures will be sufficient without first taking steps to identify all third parties and the “owner” of the relationship in the organization.

The Challenge of Third-Party InfoSec: An OCEG Roundtable

Switzer: Maintaining information security is more challenging as use of third parties who touch critical information has grown. What types of information and vulnerabilities should be front of mind?

Schrock: As more business services are being outsourced, sensitive data that have traditionally only been used internally are now being processed outside of an organization’s network, sometimes in other countries. This includes customer or employee personally identifiable information, product data, and other intellectual property. Global privacy regulations, such as GDPR, are changing what data types can be transferred and stored. Yet, recent surveys indicate that 60 percent of organizations don’t fully know what sensitive data their third parties can access. 

Goldman: While the nature of threats and vulnerabilities vary based on the context of the relationship and type of service being outsourced, a vendor’s InfoSec controls are going to depend on the systems and processes they use to manage the data. New technologies, such as cloud-based solutions and the Internet of Things, and sub-contracting arrangements, which are often unchecked or unknown, broaden access to the data and expand the third-party threat landscape.

Minsky: A quantitative risk assessment reveals how a vendor’s product or service might impact the organizational area relying on it. It also reveals the sensitivity of stored or accessible information. The impact score determines the cost benefit of further analysis of vendor security. For high-impact business areas and sensitive data, assess risks at the entity/vendor level and the product/service level. 

Switzer: Business operations, technology in use, third-party relationships, and data privacy laws are constantly changing. How do we keep up?

ROUNDTABLE PARTICIPANTS

Moderator: Carole Switzer
Co-Founder & President
OCEG
Dov Goldman
CEO
Hiperos Network
Steven Minsky
CEO
LogicManager Inc.
Adam Schrock
Managing Director
Risk Advisory Services
Grant Thornton

Goldman: Third-party risk management programs must be aligned with business objectives. That way, no matter what events occur that expose new risks, the program is always focused on what matters most—protecting the business. Processes must enable organizations to identify their critical third parties and tailor due diligence activities to the risk imposed by the relationship. To prepare for a change in a third party’s risk posture, companies must identify the factors that increase risk and include them in monitoring for the life of the contract. 

Minsky: Link security policies, risks, controls, tests, and incidents through a common taxonomy. When one element changes, the trickle-down effects should be automatically identified and acted upon. Notifications should be pushed to associated stakeholders, including security, legal, finance, compliance, and the business area depending on the product. If a vendor is acquired, affected process owners should receive security assessments of new vendors. Data should be centrally managed, connecting risks to vendor and product security, supply chains, and usage areas. Changes to any piece should be pushed into your accounts payable system, requiring contract review before payment issuance. 

Schrock: Organizations need to take an agile approach to ensure that their sensitive information is protected. What’s working today may not work tomorrow. Staying in lock-step with the business strategy will increase the organization’s ability to quickly determine the business criticality and the inherent risk associated with an outsource relationship. Organizations should focus on third parties that are supporting critical business functions and are creating the most risk for the business, then tailor requirements and due diligence to align with the risk of each third party.

Switzer: What are the first steps any company should take in building its third-party information security program?

Minsky: Organizations that use ERM to assess vendors, products, and the business areas relying on these products can automatically link assessments and easily limit special contract requirements to cases where the risk makes this effort worthwhile. When all risks related to a vendor are aggregated from different business areas using the product or service, it’s straightforward to insert predefined, specific contract standards from a library. When adhered to, a requirement should prevent identified risks from materializing. Knowing the risks also makes it easy to specify monitoring and reporting needs, including audit requirements.

Schrock: Organizations need to consider the lifecycle of third-party relationships, from evaluating potential third parties through terminating the relationship with them. In this respect, processes and controls should be defined in alignment with business objectives and integrated into business and procurement processes. One area that is often overlooked is the need to continuously monitor the risk. Leading organizations use a two-pronged approach for high-risk third parties. They perform periodic security control assessments, either internally or leveraging consortiums, and then actively monitor third-party networks for signs of security incidents and malicious activity using threat intelligence feeds. 

Goldman: It is critical to build a control library that defends against the risks the company is exposed to, defining controls relevant to each risk caused by each outsourcing service. Relying on third-party attestations may be acceptable for low-risk relationships, but for any critical or high-risk service, companies themselves must validate the effectiveness of vendor controls. They can outsource portions of the process by hiring a managed service to do assessments or rely on IT threat intelligence to actively monitor third-party networks for signs of security issues, but fully outsourcing risk management is not possible—the company must always evaluate the effectiveness of vendor controls in relation to its risk tolerance.

Switzer: What is a key mistake you see companies making, and what do you recommend to correct or avoid it?

Schrock: Many organizations struggling with third-party risk management tend to view the issue from a pure compliance standpoint. Instead of driving business value by identifying and managing risk, this fosters a “check-the-box” approach that doesn’t meet the need. Measuring and communicating a program’s effectiveness is also challenging. Communicating third-party risk requires effective reporting that not only measures typical intake and risk metrics, but also measures business outcomes. For example, an organization could measure and compare the risk and performance of third parties that provide similar services, allowing it to push more services to top-performing third parties. 

Goldman: Many think taking a “one size fits all” check-the-box approach will cost less. Although this simplifies the process, it can create unnecessary work, particularly if there are many manual steps. Instead, third-party risk programs hampered by a lack of budget and resources should be carefully tailored to the business’ needs. We’ve seen many under-resourced programs overcome this challenge by outsourcing the risk assessment process to cost-effective managed service providers and relying on technology for automation and standardization.

Minsky: Too often, security tools are isolated within a silo. Without an integrated, risk-based approach, information isn’t captured in a location accessible to business areas interacting with or relying on third parties. Thus, security, procurement, and legal areas are blind to security risks that could have been avoided with coordination. Also, poor governance across silos is often misdiagnosed as a technology problem; purchasing expensive technology leaves the root-cause risk unaddressed. For example, 63 percent of breaches are caused by weak/stolen passwords. This results from an inability to centrally track assets and involve affected process owners. How can access rights and password quality be controlled if the security group doesn’t know what assets exist?