Outsourcing tasks such as payroll, logistics or fulfillment is generally viewed as a way to trim costs and improve operational efficiency. But somewhere between reducing overhead and improving ROI lies the murky world of security and third party risk. The sobering reality is that anytime a company’s data touches or intersects with an outside company, there’s a risk of hackers and attackers stealing, altering or damaging the data. In fact, over 50 percent of data breaches originate through third parties, including current and former service providers, consultants, suppliers and partners, according to The Global State of Information Security Survey.
At the center of everything is a simple enough concept: In the digital age, all business is risky business. However, dealing with the associated risk is anything but simple. As organizations turn to a growing array of third-party partners–and even subcontractors and fourth-party partners–to address core business functions, there’s a need to fully trust that a partner network is secure. The task can be daunting. “Mapping third party relationships and supporting an array of business processes is an extremely complicated and challenging activity,” explains Jeff Mandel, director of the Third-Party Risk Management Practice at security firm Optiv.
What’s more, the situation isn’t getting any easier. As cloud adoption grows and the Internet of Things (IoT) takes hold, the breadth and depth of connection points between and among organizations continue to expand. A BOMGAR vendor vulnerability study found that a typical firm has 89 different vendors accessing its network weekly. The outcome? Security practices, controls and tools that worked in the past may not measure up. It’s no longer adequate to focus on the perimeter. “There is no perimeter,” states Lucas Moody, chief information security officer (CISO) at Palo Alto Networks.
The takeaway? “It’s important to have clearly defined relationships and strictly defined rules of engagement,” adds Ken Dunham, MSS Technical Director at Optiv. “Interdependence increases risk.”
Understanding Third Party Risk
There are many factors that can contribute to third-party risk. “However, one of the biggest challenges is that organizations frequently lack visibility into security practices across their entire ecosystem of vendors, partners, suppliers, contractors, subcontractors and others,” Moody says. To be sure, connected systems, APIs and cloud-based data introduce benefits but also risks. Regulations such as GDPR, which introduce shared responsibilities among controllers and processors, ratchet up the stakes further. “If your vendors, partners or customers get hit, you might get hit too,” says Dunham.
The level of risk associated with outside organizations can range from minor to major–and include many different types of threats. An outside service provider’s security practices might not match a company’s internal level of security. Policies and procedures might be enforced inconsistently, subcontractors might lack the necessary tools and technologies, and compliance standards may vary significantly. The BOMGAR report found that 69 percent of respondents said they had possibly or definitely suffered a security breach as a result of vendor access within the last year.
Indeed, every third-party relationship introduces potential risks, though they aren’t all the same. These include IP and direct data loss; financial risks; legal issues, regulatory and compliance problems; geopolitical dangers; and privacy risks, to name a few. A third-party breach can also cause irreparable damage to a brand. Although the risks and repercussions vary from industry to industry, company to company and breach to breach, the harsh reality is that all organizations expose themselves to third-party risk, and even fourth-party risk. It’s how they address these issues and concerns that matters.
“It’s often difficult to identify who is consuming data through routine business relationships,” Moody says. “Aligning rules, regulations and governance models becomes far more difficult. Policies, procedures and protections often vary greatly across organizations. This points to a need for a third-party risk framework that recognizes risks and mitigates impacts,” he adds. This framework must reach across the enterprise but also touch the various intersection points with outside companies.
Asking the Right Questions
A focus on people, process and technology is at the center of an effective third-party security framework. “It’s not simply a compliance check-box exercise. It’s important to work toward a comprehensive risk-based approach, aligning the level of due diligence to the measured risk of the third-party,” Mandel explains. Along the way, organizations must address a number of crucial issues: What’s the current state of our third-party risk program? Where are we strong and where are we weak? Where are our partners strong and weak? Where do possible security gaps exist? “You don’t have to address everything at once, but you do need to conduct an assessment and ask key questions to ensure that business and security processes are aligned with risk policies,” he notes.
Within a third-party security framework, it’s important for an organization to identify specific risks, classify data and who has access to it, and build access controls and other security protections that match the risk and threat level for specific roles, responsibilities and various other factors. “It’s about understanding the data lifecycle and ensuring that the security framework in place is tiered to address the specific risks,” Mandel explains. This, in turn, translates into a need for assessing systems and data internally but also interviewing partners, vendors and others to understand their business practices. “It’s crucial that processes, practices and systems are all aligned. It’s an ongoing challenge,” he adds.
After an organization has completed a risk analysis and classified internal data and specific threats, it’s essential to survey vendors, partners and others to understand their policies and practices in detail. This typically covers the outside organization’s staffing strategy, data management and retention practices, access controls, security systems, cyber-insurance framework, and the way it enforces provisions on its contractors, their subcontractors and others. Mandel says it’s wise to delineate specific responsibilities–including how investigations take place and incident response occurs–along with defining penalties for failure. It is important to review these agreements periodically, he adds.
Technology, too, plays a role in securing third-party networks, but in the end, there is no simple solution. “Understanding how your organization’s data is used and possibly exposed to third parties is critical. You can’t assume that they are all doing the right things and have the same level of integrity as your company,” Moody says. “You have to build in the tools, technologies and processes to identify your choke points, deliver full data visibility and adopt the right protections.”