The Third-Party Risk Management Handbook
CISOs and security professionals always talk about risk when it comes to the cybersecurity of their organizations, but what exactly is risk? For the purposes of this discussion, the level of risk in an organization is defined as the severity of a possible issue combined with the value of the affected asset(s).
Naturally, cyber risk is taking that same principle and applying it to digital assets. As organizations struggle to protect themselves from the seemingly ubiquitous threat of cyberattack, the concept of risk management becomes all the more important. Protecting everything all the time from every possible threat is an unreasonable and impossible task, or as the saying goes, “He who defends everything defends nothing.” So as virtually every industry now has to grapple with how and where to assign their cybersecurity resources, it has fallen on CISOs and other leading security professionals to define the risk inherent in their organizations, and to find and deploy the technologies and methods necessary to bring it within an acceptable level.
Compounding this issue for security executives and professionals is the dramatic increase in connectivity in both IT and OT networks, brought about in part by the pressure for greater productivity and efficiency through digitization and the utilization of various third-party applications and services. Organizations now have hundreds of connections to third parties including vendors, customers, cloud environments, outsourced service providers, and more. Because each external connection represents another possible point of ingress to your networks, it should come as no surprise that as the number of connections has increased, so has the risk.
Third-Party Connections & Risk
Not only is each external connection another possible point of exposure in the attack surface of your network, but each additional connection actually introduces exponential risk. Think of it like your Facebook or LinkedIn profile – you may have first level connections, people you know well, maybe your family and good friends, and maybe a few people you can’t even remember how they got on your list. If a threat can compromise any one of these connections, they have a trusted link back to you.
Those people are also connected to another layer of folks you might be somewhat familiar with, but also plenty you don’t know. Those friends of friends are also connected to still more people who you probably don’t know at all. Though you may implicitly trust those who you are connected to directly, you have to assume they may have connections that you don’t. These all represent pathways that could lead back to you. If your first level friend is compromised by one of their friends, that’s a direct threat to your security. The same principle can be applied to your organization’s external connections.
One need look no further than the abundance of examples gracing the headlines each day to get some idea of the risk involved with third-party connections. Look at the Target breach a few years back – point of sale systems and an entire database of customer information were breached simply because an outsourced HVAC technician had access to the Target corporate network, and the network architecture was flat, unsegmented, and unprepared for such an attack. Once the attacker had a beachhead from the HVAC technician’s access, they moved laterally throughout the network until they found the crown jewels. One technician’s stolen login was enough to create a multi-billion-dollar loss.
Ticketmaster also recently admitted the personal and payment information of some 40,000 UK customers may have been breached through a third-party customer support vendor. Best Buy, Sears, Kmart, and Delta were all also breached via a third-party chat and customer services vendor. Then there are even more complicated consequences when a company like Facebook gets hacked, because user logins can be used across a number of other third-party sites, including ecommerce accounts. It should come as a surprise to exactly no one that breaches through third parties are increasing and increasingly hard to detect.
What the Data is Trying to Tell Us
According to a November 2018 research report on third-party risk by the Ponemon Institute, an astounding 59% of organizations confirmed that they had experienced a data breach caused by one of their third parties. Looking at just the US, the number is even higher at 61% in 2018, up from 56% in 2017, which was also up from 49% in 2016. 42% of organizations reported a breach through a third party in just the last 12 months, with another 22% unsure if they’d experienced such a breach.
That list of third parties may also be longer than you think – the average number of (known) third-party connections for organizations now stands at an astounding 588! This is up from 471 in 2017, which again was up from 378 in 2016. However, according to the Ponemon study, only 34% of organizations have a complete accounting of their third-party connections that have access to their sensitive information. That number drops to a sickly 15% when it expands out to the Nth parties who have access to sensitive information, but with whom the organization has no direct relationship.
While almost everyone agrees the cyber risk from third parties is increasing, far fewer place managing this relationship risk as a top priority. 54% do not monitor the security and privacy practices of vendors with access to sensitive or confidential information, and 57% don’t know if their organization’s vendor safeguards are sufficient to prevent a breach. Only 37% believe that their organization would be highly effective at detecting third-party risks.
One of the reasons for this apparent lack of urgency may be that many organizations are also struggling without enough human and monetary resources to manage their third-party relationships and security. In fact, their lack of resources is often the very reason organizations turn to some third parties and outsourcing in the first place. At the end of 2017, it was estimated there were over 300,000 unfilled cybersecurity positions – a shortfall projected to grow to a whopping 2 million by the end of 2019. With not enough people to fill positions, CISOs increasingly have to turn to more third parties, contractors and other B2B partnerships, which leads to more third-party risk, which only increases the need for more resources to manage them – and this cycle of exploding risk has no end in sight. Given the complexity of vetting, managing, and monitoring the ever-growing list of third-party connections, only 37% of respondents in the Ponemon study believe they have enough resources to sufficiently manage and secure them all.
Even among those organizations which attempt to evaluate third-party risk, the majority tend to use indicators that are mostly operational – a decline in the quality of products and services (74%) and turnover of key personnel (70%). Companies tended to downplay indicators that are more likely to reveal potential problems, such as a history of frequent data breach incidents (52%) and issues related to the access and use of the company’s sensitive systems and information.
Like social networks, it’s *your* responsibility to protect yourself and your organization by taking responsibility for every connection that you make and share information with. If you’re breached by or through a third party, nobody cares that it’s their fault. It always comes back to you – just ask the raft of Target execs who were fired in the fallout from their breach. Unfortunately, unlike your social network account, you can’t just delete your organization’s third-party connections. So what can you do?
High-Level Strategies for Third-Party Risk Mitigation
There are so many technologies and strategies and buzz words around cybersecurity these days that it can be difficult to know where to start. It’s hard enough thinking about the myriad threats that can find their way into your organization without even broaching the subject of third-parties and trusted connections. However, there are a few fundamental, high-level strategies to consider applying in your third-party risk mitigation plan. They can be used individually or in tandem to create a strong cybersecurity framework for your organization.
Defense in Depth
The primary principle of defense in depth is to build layers of security into your organization’s digital architecture, so that if one layer fails, there will be others to back it up and maintain security. It is essentially a “fail-safe” strategy that assumes threats will most likely eventually find a way through one or two layers of defense (a fairly safe assumption in most cases). There are no particular limits to the types of security involved, just those that best fit your organization. Role-based access controls, authentication, data encryption/tokenization, firewalls, data diodes, SIEM, and other technologies can all be used together to create a sophisticated, hardened defense.
Risk-Based Strategy
Assuming that threats will eventually breach your network’s defenses (you may be sensing a theme), a risk-based strategy applies more security resources to your most sensitive assets while fewer resources are applied to the lower risk assets. Risk-based strategies also typically assume that there is no way to completely eliminate risk – there will be a need for multiple sophisticated connections to external networks, for a large number of users to access or collaborate on (sometimes sensitive) data, legacy or outdated equipment in use, or other complex issues that complicate traditional security methods. Over time, larger and higher performing companies have evolved the idea of a risk-based strategy into a more comprehensive method of protecting their organizations known as “zero trust.”
Zero Trust
A zero trust strategy assumes that a threat can come from anywhere inside or outside your organization, and therefore a continual assessment of every request or attempt to connect or access networks, devices, or information is required. This can be highly resource intensive, and typically requires sophisticated authentication schemes as well as some sort of SIEM automation in the form of cloud data collection, systems monitoring, etc. User and systems data are monitored continually to develop a baseline of what is considered “normal” activity, which then allows for alerts if any abnormal activity occurs. Reducing the number of your external connections, applying the least privilege principle, and having dedicated resources to monitor and calibrate the results are all key to making this strategy effective, and while it is theoretically a great strategy for complex, highly-connected organizations, in practice it is very difficult to fully achieve today.
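The baseline-then-alert loop described above, reduced to its core, as an added example that is not part of the handbook or any vendor's product: a short baseline period of remote-access events is used to learn, per third party, which hosts it normally touches and during which hours, and later events are checked against that. The log format, every log line, and the vendor and host names are constructed for illustration.

```python
"""Added example (not code from the handbook): learning a per-partner
baseline of "normal" access from an access log and alerting on deviations.
The log format and every log line are constructed for illustration."""
import re
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed log format: one remote-access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed baseline period: what the partner accounts normally do.
BASELINE_LOG = """\
2018-11-05T08:58:12 vendor=hvac-co host=hvac-ctl-01 action=login
2018-11-05T09:12:03 vendor=hvac-co host=hvac-ctl-02 action=login
2018-11-06T14:30:45 vendor=hvac-co host=hvac-ctl-01 action=login
2018-11-07T16:05:00 vendor=hvac-co host=hvac-ctl-02 action=login
2018-11-05T10:00:00 vendor=chat-support host=crm-web-01 action=login
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
2018-11-12T09:40:10 vendor=hvac-co host=hvac-ctl-01 action=login
2018-11-13T02:13:55 vendor=hvac-co host=pos-db-01 action=login
2018-11-13T11:00:00 vendor=unknown-party host=crm-web-01 action=login
"""


def parse(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def learn_baseline(events: Iterable[dict]) -> Dict[str, dict]:
    """Per vendor: the set of hosts touched and the hour window of activity."""
    baseline: Dict[str, dict] = {}
    for ev in events:
        b = baseline.setdefault(
            ev["vendor"], {"hosts": set(), "first_hour": 23, "last_hour": 0}
        )
        b["hosts"].add(ev["host"])
        hour = ev["ts"].hour
        b["first_hour"] = min(b["first_hour"], hour)
        b["last_hour"] = max(b["last_hour"], hour)
    return baseline


def detect(baseline: Dict[str, dict], events: Iterable[dict]) -> List[dict]:
    """Return one alert per deviation from the learned baseline."""
    alerts = []
    for ev in events:
        b = baseline.get(ev["vendor"])
        if b is None:
            # A party with no baseline at all is itself worth a look.
            alerts.append({**ev, "reason": "no baseline for this vendor"})
            continue
        if ev["host"] not in b["hosts"]:
            alerts.append({**ev, "reason": "access to a host never seen for this vendor"})
        if not b["first_hour"] <= ev["ts"].hour <= b["last_hour"]:
            alerts.append({**ev, "reason": "activity outside the vendor's usual hours"})
    return alerts


def run_sample() -> List[dict]:
    """Learn from the constructed baseline and evaluate the constructed new events."""
    return detect(learn_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts'].isoformat()} {a['vendor']:14s} {a['host']:12s} {a['reason']}")
```

On the constructed input the HVAC vendor's usual login produces nothing, its 02:13 login to a point-of-sale database produces two alerts (new host, unusual hour), and an account with no baseline produces one. A real deployment learns over weeks rather than days and uses richer features than host and hour, but the shape is the same: learn what normal looks like for each connection, then alert on what falls outside it.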
Effective Steps to Reduce Third-Party Risk
To start rolling out your third-party risk mitigation strategy, let’s begin by taking a step back to the definition of what risk actually is – which assets are most valuable in your organization, and what is the potential fallout if they are compromised? Taking stock of your internal assets is a simpler exercise than attempting to account for each and every third-party connection out of the gate, and assessing the inherent risk within your organization is a helpful place to start. Once you understand the value of your various information and systems, you can take the first steps to reducing the exposure of the most vital assets to both third parties and other cyber threats.
Make Third-Party Risk Management a Priority
The next step would be to make third-party risk and relationship management a priority within your organization. Your entire risk mitigation strategy doesn’t need to happen overnight, but it does need to start somewhere. Simply involving senior leadership or boards of directors regularly in the incremental steps taken to protect sensitive information and systems from third-party breaches can help to reduce risk. In the Ponemon study, 53% of organizations that had not experienced a third-party breach regularly reported on third-party risk mitigation, compared to only 25% of those that had been breached. This is likely attributable to illuminating the problem, rather than sweeping it under the rug, which could lead to increased funding and other resources necessary to adequately address the scope of the problem.
Create an Inventory of Third-Parties with Access to Your Company/Data
Once you have some transparency and buy-in, you may be in a better position to create a complete inventory of all third-party connections to your systems and digital assets. Again, like on social networks, to reduce risk it’s vital to vet and keep track of your connections, and to limit what you share and how you share it. Creating this comprehensive inventory of third-party connections involves a full assessment across your entire organization. You can’t secure what you can’t see, and unauthorized or unknown connections are unfortunately very common. 45% of companies that had not been breached had created an inventory, compared to only 22% of those who had been breached. Not every organization has the resources or time to accomplish a full accounting of their connections, but any assessment is better than nothing. Remember that cybersecurity is incremental and a process, not a destination.
Prioritize Connections by Risk
Take the list of third-party connections, prioritize them by risk according to what they have access to and the potential fallout of a breach, and focus on securing the highest risk connections first. Apply the Least Privilege principle, making sure they only have access to the systems and data that are absolutely necessary. If no connection is needed, eliminate it! The fewer connections you have, the less there is to protect. If data sharing is only for monitoring or accounting purposes, consider using a higher security mechanism such as a data diode to share the data one-way. This effectively eliminates the connection into your organization just as if you had severed it completely. If external access is required, make sure to segment your network so the areas that are accessed by third parties don’t provide an open door to the rest of your organization.
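The steps above, from valuing internal assets through inventorying connections to prioritizing them by risk and applying least privilege, one-way sharing and segmentation, worked through in code as an added example that is not part of the handbook. Risk is computed exactly as the handbook defines it, severity of the possible issue times value of the affected assets; the asset values, access weights, recommendation rules and the sample inventory (loosely modelled on the cases the handbook cites) are constructed assumptions, not figures from any study.

```python
"""Added example (not code from the handbook): scoring an inventory of
third-party connections so the riskiest are secured first.  The asset
values, access weights and the sample inventory are constructed
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed asset register: business value from 1 (low) to 5 (crown jewels).
ASSET_VALUE: Dict[str, int] = {
    "hvac-controllers": 2,
    "pos-network": 5,
    "customer-db": 5,
    "ticketing-api": 4,
    "build-metrics": 1,
}

# Constructed weights: how much of a foothold a compromised partner would get.
ACCESS_WEIGHT: Dict[str, int] = {
    "one-way-export": 1,  # data only leaves (e.g. through a data diode)
    "api-read": 2,
    "api-write": 3,
    "interactive": 4,     # VPN / remote-desktop style logins
    "privileged": 5,      # administrative rights on shared infrastructure
}


@dataclass
class Connection:
    party: str
    access: str
    granted: List[str]      # assets the partner can currently reach
    needed: List[str]       # assets the partner actually requires
    purpose: str            # "monitoring", "support", "integration", ...
    still_needed: bool = True
    segmented: bool = False
    score: int = 0
    actions: List[str] = field(default_factory=list)


def score_connection(c: Connection) -> int:
    """Risk = severity of the possible issue x value of the affected assets.

    Severity is the access weight scaled by how many assets are reachable;
    impact is the most valuable asset the partner can touch.
    """
    severity = ACCESS_WEIGHT[c.access] * len(c.granted)
    impact = max(ASSET_VALUE[a] for a in c.granted)
    return severity * impact


def recommend(c: Connection) -> List[str]:
    """Turn the handbook's guidance into concrete actions for one connection."""
    if not c.still_needed:
        return ["eliminate the connection entirely"]
    actions: List[str] = []
    excess = sorted(set(c.granted) - set(c.needed))
    if excess:
        actions.append("least privilege: revoke access to " + ", ".join(excess))
    if c.purpose == "monitoring" and c.access != "one-way-export":
        actions.append("monitoring only: replace with a one-way export (data diode)")
    if c.access in ("interactive", "privileged") and not c.segmented:
        actions.append("segment the network reachable through this connection")
    return actions


def prioritize(inventory: List[Connection]) -> List[Connection]:
    """Score every connection and return them riskiest first."""
    for c in inventory:
        c.score = score_connection(c)
        c.actions = recommend(c)
    return sorted(inventory, key=lambda c: c.score, reverse=True)


def build_sample_inventory() -> List[Connection]:
    """Constructed inventory loosely modelled on the cases the handbook cites."""
    return [
        Connection("HVAC-Maintenance Co", "interactive",
                   granted=["hvac-controllers", "pos-network", "customer-db"],
                   needed=["hvac-controllers"], purpose="support"),
        Connection("Chat-Support Vendor", "api-read",
                   granted=["customer-db"], needed=["customer-db"],
                   purpose="support", segmented=True),
        Connection("Energy-Analytics", "api-read",
                   granted=["build-metrics"], needed=["build-metrics"],
                   purpose="monitoring"),
        Connection("Legacy-Reseller", "api-write",
                   granted=["ticketing-api"], needed=["ticketing-api"],
                   purpose="integration", still_needed=False),
    ]


if __name__ == "__main__":
    for c in prioritize(build_sample_inventory()):
        print(f"{c.score:3d}  {c.party:22s} {c.access:14s} "
              f"{'; '.join(c.actions) or 'keep, monitor'}")
```

Run as a script it lists the HVAC contractor first (interactive access that reaches the point-of-sale network and customer database when it only needs the controllers), then the connection nobody needs any more, and last the monitoring feed that can be turned into a one-way export. The weights are deliberately simple; what matters is that the score is driven by asset value and breadth of access, so that re-running it after each revocation or segmentation change shows the reduction in exposure.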
Vet the Security & Security Practices of Third Parties
If your organization can afford the resources, it is highly recommended to vet the security and security practices of your vendors, customers, and other third-party connections. The simplest and least expensive option is to submit a questionnaire, or attestation, of their security practices to each of the connected organizations. Such a questionnaire can be included in onboarding processes or required as a part of a service level agreement. Although the answers may be subjective or qualitative, it is far more helpful to get an account directly from the organization than to rely on vague contractual language that they will follow security procedures to the best of their ability. Remember, any breach of your organization ultimately comes back to you, no matter how it happened.
Of course, an even better and more accurate method would be to go onsite at the third party and assess their security yourself, but that often requires more time and resources than many organizations can afford. It also requires an uncommon level of expertise, and a willingness from the third party to allow you onsite and into the gritty details of their security, which very few organizations are willing to do. As an alternative, more organizations are turning to independent risk scoring.
Often similar in style to a credit rating, these independent security ratings are based on objective and quantitative data. This repeatable, unbiased assessment allows organizations to build a baseline of acceptable security and risk, and to measure improvements to security over time. These security ratings bypass the need to “take their word for it” on their security, and (if positive) will provide a compelling selling point for those third parties in their other relationships over competitors. If you do an assessment of your own organization as well, the ratings can allow your organization to compare your security to that of your third-party connections. While the most expensive option, utilizing an independent security ratings firm does not typically require any additional personnel or other resources.
Once you have formally assessed the security of your third-party connections, you can return to the previous step and reprioritize your security resources based on where they are needed the most. Or, if you have the resources, you can begin to develop and automate a zero trust strategy.
Third-party connections and breaches are not going away any time soon, so there’s no time like the present to develop and maintain a strong risk mitigation plan. Depending on the level of resources available to you and your organization, you may not be able to roll out a fully automated, AI driven, zero trust cybersecurity extravaganza. That should not stop you from seeking out the strategies, tools, and technologies available to help you improve your security posture, shrink your network’s attack surface, and reduce risk to your organization. Your reputation depends on it!