Third-Party Risk Management — Don’t Collaborate Without It!
How did your organization ever accomplish as much as it did before you started deep collaboration with your vendors and business partners?
No doubt about it: Giving partners limited access to your applications and data can be a competitive advantage, with benefits like business agility and innovation. But open doors also represent potential IT vulnerability, whether an attacker accesses your systems using the partner’s credentials, steals information about you from the partner or cripples the partner directly.
If you’re going to enjoy the benefits of deep collaboration with third parties, then you must also accept the other side of the coin: third-party risk management (TPRM).
“We know how secure we are. But how secure are our partners?”
It’s a fact of doing business now that you’re only as secure as the companies with which you’re collaborating. Your own risk management strategy has to take into account the risk profile of the suppliers, contractors, service providers, resellers and other partners who access your information systems.
TPRM is an exceptionally broad attack vector. One study found that 62% of organizations surveyed had experienced a recent, critical risk event, but only 36% had a formal, enterprise risk management program. In another study, 75% of executives reported either that their organizations had no method to measure cyber risk (49%) or that they don’t know if they measured it (27%). And 57% of organizations reported they did not keep an inventory of all the third parties with which they share sensitive information.
So, how do you determine how secure your partners are?
One way is to ask them. You can put in place programs, processes and questionnaires to discover the measures they take to defend their own systems from cyberattack. You can make their access to your systems contingent on security standards like password policies, intrusion detection and malware scanning. If you have the staff and budget, you can help them establish and enforce those standards.
But most of those programs and processes depend on self-reporting. Your partners may address all of your concerns in questionnaires and interviews, but what aren’t they telling you? Are they leaving out important details because they lack knowledge of their own vulnerabilities, or because they’re keen not to lose your business? Their good intentions are not as important as your security.
When point in time becomes point of failure
Even if you succeed in assembling a comprehensive picture of your partners’ security, it’s just that: a picture. It’s a point-in-time overview of a risk profile in a constantly changing landscape of business conditions and threats.
Consider five critical, third-party risks that business partners can introduce to your organization at any moment:
- Ransomware — Increasingly disruptive attacks have compromised the operations of companies around the world. If one of your partners is a victim of ransomware, they may be unable to fulfill their normal commitments to you until they have resolved the crisis. Worse yet, if the attackers manage to exfiltrate files from your partners’ network before encrypting them, data about your organization may end up in the wrong hands.
- Notification of data breach — It could take a long time for you to find out that one of your partners had been attacked. For one thing, embarrassment often impedes companies from publicly announcing that their defenses have been breached. For another, months may go by before they realize that their data — including your data — has been leaking to cybercriminals.
- Malicious network activity — You want to encourage communication from your partners’ networks to yours. But what if that communication includes traffic like bots and servers designed to capture credentials?
- Exposed credentials — If bad actors steal or buy credentials you’ve issued to a partner, they have immediate entrée to your systems. Not knowing with certainty who is logged onto your network is extremely risky.
- The dark web — Has information about your company leaked from a partner to forums on the dark web? Cybercriminals there could be discussing and planning attacks against your network. They could be buying and selling information about your company that they obtained from your partner’s vulnerable network.
Keep in mind that those are prominent risks this year. Ransomware wasn’t much of a thing seven years ago, but it’s a terror now. What will be the next trend in information system risk?
Suppose your risk management process yielded a deep assessment of your partner’s entire risk profile at 5:00 p.m. today. You could still find out tomorrow that they had been the victim of a data breach. Then you have a big point of failure running through your point-in-time assessment.
Active monitoring for true third-party risk management
Your processes and programs are important components in managing the risk to your information systems. But they require ongoing tracking to keep up with changes in the threat landscape.
With active monitoring in areas like known-bad sites, the dark web, social media and the network traffic of your partner companies, you add the dimension of time to your TPRM. Ongoing tracking complements your point-in-time assessment to show you how partner companies use your information systems and where they present risks. You can then work with your partners to improve their security standards, research breaches in their systems and, ultimately, deliver more of the value of deep collaboration with far less risk.
Sign up for a webinar on August 25th at 10:00AM CT titled "The Triple Threat to Third Party Risk Management" hosted by NaviLogic.