In the dynamic digital arena, the importance of robust cybersecurity has become increasingly evident. Yet, as businesses grow more dependent on external entities for diverse services, they expose themselves to fresh vulnerabilities – third-party cyber risks. The recent surge in third-party-related cyber incidents accentuates that cybersecurity transcends the confines of an organisation. It extends to every partner, supplier, and contractor within the supply chain.
Take, for example, the 2013 Target breach, which exposed roughly 40 million payment card records and began not with a direct assault on Target's systems but with credentials stolen from its HVAC vendor. Or the 2020 SolarWinds supply chain attack, in which attackers inserted malicious code into the build process for Orion software updates, which were then distributed as legitimate, signed updates to thousands of customers. These episodes underscore the repercussions of neglecting third-party cyber risk management.
At the heart of this challenge is the Chief Information Security Officer's (CISO) role. In the contemporary complex cyber threat landscape, a CISO's duty spans protecting their organisation against internal and external threats and ensuring the cybersecurity integrity of their third-party associations.
Establishing and preserving a resilient cybersecurity ecosystem—one equipped to identify, manage, and mitigate third-party cyber risks—is a formidable endeavour. It necessitates a thorough grasp of the threat environment, the crafting of robust strategies, and the employment of best practices.
This blog sets out to dissect those practices, spotlighting real-world cases and practical guidance, to aid CISOs in forging a resilient cybersecurity ecosystem that encompasses their third-party relations.
Understanding the third-party threat landscape
In the interlinked digital ecosystem of today, organisations depend on an array of third parties for services from cloud computing and data management to customer service and supply chain operations. While these alliances foster operational efficiency and innovation, they also introduce new vulnerabilities to an organisation's cyber landscape. Let's scrutinise some prevalent threats and challenges posed by third-party relations:
- Data breaches: Third-party vendors frequently access an organisation's sensitive data. Should these entities have subpar security measures, they become the weakest link. The 2019 breach of American Medical Collection Agency (AMCA), a third-party bill collector in the health sector, serves as a stark example. Attackers accessed patient data that AMCA held on behalf of numerous clients, including large clinical laboratories, affecting more than 20 million people and leading to AMCA's bankruptcy filing.
- Supply chain attacks: These occur when a cybercriminal gains system access through an outside partner or service provider with system and data access. The SolarWinds assault is a prime example, where hackers infiltrated multiple US government bodies and prominent corporations via a compromised software update.
- Insider threats: These emerge from individuals with authorised system access via third-party relations. A case in point is a rogue employee at an AT&T vendor in 2018, who illicitly unlocked large numbers of phones, costing AT&T an estimated $5 million or more annually.
- Regulatory and compliance risks: Non-compliance with relevant regulations by a third party, such as GDPR or CCPA, can subject your organisation to legal sanctions. An instance is the British Airways case, where the ICO proposed a £183 million GDPR fine in 2019 (later reduced to £20 million) after a data breach attributed in part to compromised third-party website scripts. The regulator held BA, not its suppliers, accountable for the customer data that was exposed.
Grasping these threats is the initial step in managing third-party cyber risks. The subsequent step is to construct a resilient cybersecurity ecosystem capable of anticipating, withstanding, and adapting to these risks – a responsibility primarily shouldered by CISOs. The ensuing segments will explore best practices for CISOs in third-party cyber risk management.
Elements of a resilient third-party cybersecurity ecosystem
Creating a robust cybersecurity ecosystem inclusive of third parties demands a comprehensive approach, entailing several pivotal elements. Understanding these facets can assist CISOs in establishing a structured and effective framework for third-party cyber risk management.
- Security policy and standards: Clear and stringent security policies and standards are the foundation of a resilient cybersecurity ecosystem. This encompasses third-party security policies stipulating minimum security requisites for vendors and partners. For example, Google's Vendor Security Assessment Program, mandating compliance by all third-party vendors prior to engagement, reflects such policies.
- Third-party risk assessment: Regular, in-depth third-party risk assessments can pinpoint supply chain vulnerabilities. Apple's Supplier Responsibility Program, which assesses and audits suppliers against the company's supplier requirements on a recurring basis, illustrates the discipline, although its scope is broader than cybersecurity alone.
- Security awareness and training: The human factor often constitutes the most fragile link in cybersecurity. Hence, nurturing a security awareness culture within your entity and across third parties is vital. Firms like IBM have extensive security training and awareness programs that encompass their partners and vendors.
- Incident response planning: An effective incident response plan must include scenarios involving third-party breaches. Yahoo's slow detection and disclosure of the breaches that ultimately exposed all 3 billion of its user accounts exacerbated the damage, and the same dynamic applies when the breach originates at a vendor you cannot directly investigate. In contrast, entities like Cisco have comprehensive incident response plans that integrate third-party breaches, thereby curtailing response times and limiting harm.
- Continuous monitoring and auditing: Ongoing monitoring and auditing of third-party security practices can detect and rectify issues before they grow into significant problems. Facebook, for instance, has ongoing monitoring and auditing procedures for third-party app developers accessing user data.
- Insurance coverage: Cyber insurance can provide a safety net against third-party risks, but the policy wording matters. Mondelez's claim under its property insurance after the 2017 NotPetya attack, which spread through a compromised third-party software update, was initially denied by its insurer under an "act of war" exclusion and was only resolved years later through litigation and settlement. The case highlights both the value of such coverage and the need to scrutinise exclusions before relying on it.
- Collaboration and sharing of best practices: Sharing knowledge and best practices with third parties can bolster the overall security posture. Organisations like the Financial Services Information Sharing and Analysis Center (FS-ISAC) offer platforms for this kind of collaboration.
Best practices for CISOs: Building a resilient third-party cybersecurity ecosystem
Because business operations increasingly rely on external entities, CISOs need a structured approach to third-party cyber risk management. The following steps provide that framework.
- Regular third-party due diligence assessments: Start by establishing a risk management capability with a structured due diligence schedule, so that third parties are assessed before onboarding and reassessed at defined intervals or when their risk profile changes. This keeps the picture current rather than a one-off exercise at contract signing.
- Fostering a security-conscious culture: Run security training programmes for both internal teams and third-party vendors, and refresh them regularly so they keep pace with the changing threat environment and cultivate a security-first mindset across all operations.
- Implementing a TPRM platform: Use a third-party risk management (TPRM) platform that is scalable, user-friendly, and capable of continuous monitoring, so that assessments, evidence and findings are tracked in one place rather than scattered across spreadsheets and email. 3rdRisk's platform is one such option worth exploring.
- Developing a third-party incident response plan: Define in advance who is contacted at your organisation and at the vendor, how quickly a vendor must notify you of a breach, and how containment and communication are coordinated. A clearly defined plan allows a coordinated and timely response to a third-party incident instead of an improvised one, minimising potential damage.
- Continuous monitoring: Employ continuous monitoring and regular audits through the TPRM platform, and feed the findings back into your security practices and vendor requirements so that defences improve over time.
- Legal and contractual measures: Write security requirements into third-party agreements, including breach notification obligations, audit rights and minimum security controls, so that expectations are enforceable rather than assumed.
- Adapting and updating practices regularly: Cyber threats evolve, so review and update risk management practices on a regular cycle rather than treating the programme as finished once it is in place.
Constructing a robust third-party cybersecurity ecosystem represents a formidable yet essential duty for today’s Chief Information Security Officers (CISOs). In light of the growing interconnectedness of contemporary businesses and the dynamic nature of the threat landscape, managing third-party cyber risks must take precedence as a strategic imperative.
By grasping the nuances of the third-party threat environment, adopting best practices, capitalising on technology, and promoting a security-conscious culture, CISOs can establish a sturdy cybersecurity ecosystem. Such a system will shield the organisation from external cyber threats and facilitate swift recovery and learning from any prospective incidents.
As the endeavour to create a steadfast third-party cybersecurity ecosystem continues, CISOs have the capacity to markedly improve their organisation’s cybersecurity stance and robustness through astute strategies, appropriate tools, and a dedicated commitment.