Third-party risk management best practices for CISOs

Building a Resilient Cybersecurity Ecosystem: Best Practices for CISOs

Jelle Groenendaal | Chief Product Owner

1. Introduction

In the fast-paced digital world, the value of robust cybersecurity has never been more apparent. However, as businesses increasingly rely on external entities for various services, they open themselves to a new set of vulnerabilities – third-party cyber risks. The recent spate of third-party related cyber incidents underlines the fact that cybersecurity is no longer confined within the walls of an organization. It extends to every partner, supplier, and contractor in its supply chain.

For instance, the infamous 2013 Target breach, which affected over 40 million customers, was not due to a direct attack on the company's systems but the result of an intrusion through its HVAC vendor. Similarly, the 2020 SolarWinds supply chain attack, which compromised thousands of its customers, was orchestrated via malicious code inserted into the company's software update system. These incidents demonstrate the catastrophic consequences of a lapse in third-party cyber risk management.

At the epicenter of this issue is the role of the Chief Information Security Officer (CISO). In today's complex cyber threat environment, the responsibility of a CISO extends beyond protecting an organization from internal and external threats. They must also ensure the cybersecurity integrity of their organization's third-party relationships.

Creating and maintaining a resilient cybersecurity ecosystem—one that can identify, manage, and mitigate third-party cyber risks—is no easy task. It requires a comprehensive understanding of the threat landscape, the development of effective strategies, and the application of best practices.

This blog aims to explore those practices, highlighting real-life examples and actionable insights, to assist CISOs in creating a resilient cybersecurity ecosystem that extends to their third-party relationships.

2. Understanding the Third-Party Threat Landscape

In today's interconnected digital ecosystem, organizations rely on a multitude of third parties for services ranging from cloud computing and data management to customer service and supply chain operations. While these relationships drive operational efficiency and innovation, they also introduce new vulnerabilities into an organization's cyber landscape. Let's examine some of the common threats and challenges posed by third-party relationships:

  • Data breaches: Third-party vendors often have access to an organization's sensitive data. If these third parties have inadequate security measures, they can become the weakest link in the chain. The 2019 breach of American Medical Collection Agency (AMCA), a third-party bill collector for the health sector, is an infamous example. Hackers accessed the patient data of multiple AMCA clients, affecting millions of individuals and leading to the bankruptcy of AMCA.

  • Supply chain attacks: These occur when a cybercriminal infiltrates your system through an outside partner or service provider who has access to your systems and data. The SolarWinds attack is one of the most prominent examples of a supply chain attack, where hackers managed to infiltrate multiple U.S. government agencies and high-profile corporations through a trojanized update of SolarWinds' Orion software.

  • Insider threats: These arise from individuals who have authorized access to your systems through the third-party relationship. For instance, in 2018, a rogue employee at SUNSPOT, a third-party vendor for AT&T, illegally unlocked millions of phones, costing AT&T an estimated loss of more than $5 million annually.

  • Regulatory and compliance risks: If your third party is non-compliant with relevant regulations (such as GDPR or CCPA), it can expose your organization to legal penalties. One such example is British Airways' £183 million GDPR fine, partly resulting from their third-party website scripts that were compromised, leading to a data breach.

Understanding these threats is the first step in managing third-party cyber risks. The next step is to build a resilient cybersecurity ecosystem that can effectively anticipate, withstand, recover from, and adapt to these risks – a task for which a CISO is primarily responsible. In the following sections, we will explore the best practices for CISOs in managing third-party cyber risks.

3. Elements of a Resilient Third-Party Cybersecurity Ecosystem

Building a resilient cybersecurity ecosystem that includes third parties requires a holistic approach, encompassing several key elements. Understanding these components can help CISOs create a structured and effective framework for managing third-party cyber risks.

  • Security Policy and Standards: Having clear and robust security policies and standards is the backbone of a resilient cybersecurity ecosystem. This includes creating third-party security policies that outline minimum security requirements for vendors and partners. For instance, Google's Vendor Security Assessment Program is a part of their security policies, which all third-party vendors must comply with before entering into a relationship with Google.

  • Third-party Risk Assessment: Regular and thorough third-party risk assessments can help identify vulnerabilities in your supply chain. For example, Apple's Supplier Responsibility Program conducts regular risk assessments and audits of its suppliers to ensure they meet the company's stringent security and compliance requirements.

  • Security Awareness and Training: The human element is often the weakest link in cybersecurity. Therefore, fostering a culture of security awareness, not only within your organization but also across your third parties, is crucial. Companies like IBM have extensive security training and awareness programs, which extend to their partners and vendors.

  • Incident Response Planning: An effective incident response plan should encompass scenarios involving third-party breaches. When a third-party data breach exposed 3 billion Yahoo user accounts, the company's slow and ineffective response compounded the incident's damage. In contrast, companies like Cisco have comprehensive Incident Response Plans that involve third-party breaches, reducing response time and minimizing damage.

  • Continuous Monitoring and Auditing: Regular monitoring and auditing of third-party security practices can help identify and address issues before they escalate into major problems. Facebook, for example, continuously monitors its third-party apps and has stringent processes in place to identify and address any breaches promptly.

  • Legal and Contractual Measures: Legal agreements with third parties should include clauses related to data security and incident management. When the ride-sharing service Uber suffered a data breach involving a third-party cloud service, it became clear that their contractual obligations did not adequately cover data security, leading to an escalated crisis.

By incorporating these elements, CISOs can create a resilient cybersecurity ecosystem that mitigates third-party cyber risks effectively. In the next section, we will delve into the best practices for each of these elements.

4. Best Practices for CISOs: Building a Resilient Third-Party Cybersecurity Ecosystem

Establishing a resilient third-party cybersecurity ecosystem is a complex process that requires strategic planning, continuous effort, and the utilization of the right tools. Here are key practices for CISOs, each complemented by a concrete starting point:

4.1 Conduct Regular Third-Party Due Diligence Assessments

Periodic due diligence assessments help identify vulnerabilities and ensure your third parties adhere to your security requirements.

Starting Point: Build a third-party risk management capability. Develop a due diligence schedule that aligns with the criticality of each third-party relationship. This schedule could include assessments at onboarding, during contract renewals, and at regular intervals in between. Embed this process into your TPRM platform for easier management.

4.2 Foster a Security-Conscious Culture

Cultivate a security culture within your organization and extend this to all third-party relationships.

Starting Point: Develop a comprehensive security training program and require all third-party vendors to complete it as part of their onboarding process. Periodic updates and additional training should follow as the threat landscape evolves.

4.3 Implement a Third-Party Risk Management (TPRM) Platform

A robust TPRM platform centralizes the due diligence processes, risk management, and continuous monitoring, enabling you to maintain an up-to-date overview of third-party risks.

Starting Point: Begin by identifying the requirements of your TPRM platform. Prioritize scalability, ability to manage multiple risk domains, user-friendliness, speed of implementation, continuous monitoring, and compliance tracking. Make sure that you schedule a demo to get a good understanding of 3rdRisk's platform capabilities.

4.4 Develop a Third-Party Incident Response Plan

An incident response plan helps your organization react promptly and effectively when a breach occurs.

Starting Point: Start by outlining the steps to be taken in case of a data breach involving a third party. This plan should detail how the incident will be identified, contained, eradicated, and recovered from. It should also specify how communication and reporting will be handled.

4.5 Monitor and Audit Regularly

Regular audits and continuous monitoring of your third parties can aid in early detection and mitigation of potential threats.

Starting Point: Leverage your TPRM platform to automate continuous monitoring of third parties. Schedule regular audits, and ensure the findings are used to improve security practices.

4.6 Include Legal and Contractual Measures

Legal agreements should include clauses related to data security, breach notification, and responsibilities.

Starting Point: Consult with legal professionals to draft contracts that define security requirements, responsibilities in the event of a breach, and penalties for non-compliance.

4.7 Adapt and Update Your Practices Regularly

With the ever-evolving nature of cyber threats, your third-party risk management practices should be adaptable.

Starting Point: Regularly review your third-party risk management practices and update them based on changes in the threat landscape, regulatory environment, or business operations.

By following these best practices, CISOs can proactively manage third-party risks, creating a cybersecurity ecosystem that can withstand, recover from, and learn from cyber threats.

5. The Role of Technology in Third-Party Risk Management

While human effort and strategy form the core of effective third-party risk management, technology is a critical enabler. Technology, particularly a comprehensive Third-Party Risk Management (TPRM) platform, can augment human efforts by automating processes, providing real-time insights, and enabling faster, data-driven decisions. This is key as manual labor is expensive, and risk professionals are difficult to find in the job market.

A TPRM platform can streamline the management of third-party risks by centralizing risk assessment processes, automating continuous monitoring, and providing instant visibility into third-party risks. By automating repetitive tasks, such platforms free up the CISO and their team to focus on strategic tasks, such as planning and implementing risk mitigation strategies.

Moreover, a TPRM platform can provide a single source of truth for all third-party risk-related data, enabling faster and more accurate risk reporting. It also aids in compliance by ensuring all third-party relationships meet the relevant regulatory requirements.

However, the key to reaping these benefits is choosing the right TPRM platform. CISOs should look for platforms that offer comprehensive risk assessment capabilities, real-time risk monitoring, dynamic dashboards for easy reporting, and flexibility to adapt to the organization's unique needs. Furthermore, the platform should be easy to integrate with existing systems and scalable to grow with the organization's needs.

6. Conclusion

Building a resilient third-party cybersecurity ecosystem is a challenging yet crucial responsibility for today's CISOs. Given the increasing interconnectivity of today's businesses and the evolving threat landscape, third-party cyber risk management must be a strategic priority.

By understanding the third-party threat landscape, implementing the best practices, leveraging technology, and fostering a culture of security awareness, CISOs can build a resilient cybersecurity ecosystem. This ecosystem will protect the organization from third-party cyber threats and enable it to recover and learn from any potential incidents rapidly.

While the journey toward building a resilient third-party cybersecurity ecosystem is ongoing, CISOs can significantly enhance their organization's cybersecurity posture and resilience with the right strategies, tools, and commitment.
