Organisations today are only as secure as the weakest link in their supply chains. You may have a strong internal cyber security posture, with the right controls in place at the right points across your network and endpoints. However, even a painstakingly built security infrastructure will fail to protect you if one of your partners is compromised and you do not have an effective supply chain risk management program.
With the increased use of outsourced and cloud-based services over the past few years, IT supply chains have become more complex and the associated risks have multiplied. As the degrees of separation between organisations increase, it becomes harder for businesses to keep track of all the third parties they are directly or indirectly sharing data with.
According to a report published by the Ponemon Institute in 2020, in the two-year period between 2018 and 2020 more than 53 percent of the organisations surveyed suffered at least one supply-chain attack, with the average cost of remediation exceeding $7 million.
In an increasingly complex third-party ecosystem, organisations need stronger protections against supply-chain threats, with greater emphasis on ongoing assessments after onboarding. Initial due diligence when evaluating vendors is still critical, but given that the attack surface changes quickly in fast-evolving digital environments, continual post-engagement evaluation is necessary to identify and reduce risk.
Understand your third-party ecosystem
Go through a discovery process to identify all the third parties you work or share data with, directly or indirectly, and categorise them according to the nature of the data and assets they have access to. The greater the access to business-critical or sensitive information, the higher the risk.
Initial due diligence
To assess the degree of risk posed by individual third parties, document what data needs to be accessed, why access is needed, what type of service is being provided, and how your data will be stored, used and protected. This information can be collected through interviews with a vendor or questionnaires provided to them. However, a completed questionnaire on its own has proven to be an insufficient risk-reduction mechanism. It needs to be supplemented by external risk assessments and audits, both at the initial stages of engagement and on an ongoing basis.
Ongoing security assessment
After initial due diligence and onboarding, vendors need to be continually assessed on their security posture and performance, beyond the questionnaire. In addition to traditional audits, third parties' public domains and the information they expose online can be checked for vulnerabilities and security gaps using a risk assessment tool.
These tools "automate and support the identification, assessment, analysis, remediation, and monitoring of the information and operational risks associated with an organization's use of IT vendors." (Gartner)
Once the risk assessment is complete and gap areas have been identified, work with the vendor to close these gaps.
Put a process in place for ongoing risk assessments and for remediation when gaps are detected, and create a plan for handling incidents.
Larger organisations may need to engage supply chain risk management services to manage their entire vendor ecosystem, which can include hundreds and sometimes even thousands of third parties at varying degrees of separation.
Some questions to ask when selecting IT vendors
To effectively manage and reduce third-party cyber risks:
At LinearStack, we've helped enterprises with complex third-party ecosystems secure their business against supply-chain attacks. We provide advice and assistance to reduce third-party risk, and can also build and manage your security infrastructure for you, protecting you from advanced attacks 24x7x365.
For cyber security services in New Zealand or Australia, call us at 0800 008 795 or email info@linearstack.co.nz