Third-Party Cyber Risk Management

by James G. Barr

Docid: 00018053

Publication Date: 2302

Publication Type: TUTORIAL

Preview

With few exceptions, today’s enterprise, especially a large enterprise,
is a virtual enterprise, meaning the enterprise relies on the
contributions of outside vendors, suppliers, and other business partners
to help develop, distribute, and maintain its products and services. While
often essential, this third-party community can present significant risks,
particularly since third-party entities function independently and
autonomously from the enterprises they serve. A simple example is a
manufacturing firm that contracts with a transportation company to deliver
its finished goods. While the nature of the relationship may be well
defined in various contracts and service level agreements, the
manufacturer is at risk if the transportation company fails to perform as
required or expected. For instance, from an IT perspective, the
transportation company could be responsible for introducing a computer
virus into the supply chain software that both the manufacturer and the
transportation company share. Such third-party cyber risks are difficult
to manage because the primary party (in this case, the manufacturer) has
limited influence over how the third party (the transportation company)
conducts its business and secures its systems.

Executive Summary


With few exceptions, today’s enterprise, especially a large enterprise,
is a virtual enterprise, meaning the enterprise relies on the
contributions of outside vendors, suppliers, and other business partners
to help develop, distribute, and maintain its products and services.

While often essential, these third parties can present significant risks,
particularly since third-party entities function independently and
autonomously from the enterprises they serve. A simple example is a
manufacturing firm that contracts with a third-party transportation
company to deliver its finished goods. While the nature of the
relationship may be well defined, as specified in various contracts and
service level agreements, the manufacturer is, nonetheless, at risk if the
transportation company fails to perform as required or expected. For
instance:

  • The transportation company could declare bankruptcy or otherwise
    default on its primary obligations.
  • From an IT perspective, the transportation company could be
    responsible for introducing a computer virus into the supply chain
    software that both the manufacturer and the transportation company
    share.

Third-party risks are difficult to manage because the primary party (the
manufacturer) has limited influence over how the third party (the
transportation company) conducts its business.

Since the average enterprise interacts with dozens (and sometimes
hundreds or even thousands) of third parties, the practice of third-party
risk management – and, of late, third-party IT (or cyber) risk management
– has become vitally important.

Third-Party Cyber Risks

Third-party providers can be responsible for:

  • Malware injection, including ransomware
  • Supply chain disturbances or disruptions
  • Industrial espionage
  • Digital service outages

Critically, these events can result in the:

  • Loss of customers and public trust due to data disclosure
  • Loss of classified information resulting in compromised security
  • Production delays due to supply chain breaks
  • Loss of intellectual property due to data exfiltration1

Risk Types

Before tackling the topic of third-party cyber risk management, it’s
useful to explore the universe of enterprise risks. Generally, the
enterprise risk pool is divided into two parts: non-IT risks and IT risks.

Non-IT Risks

As itemized by Prevalent, there are five broad categories of non-IT
risks:

  • Operational, like a supply chain disruption
  • Compliance, like fines or other sanctions
  • Corporate Social Responsibility (CSR), like violations of moral or
    ethical norms
  • Financial, like a non-viable supply chain member
  • Reputational, like image-deflating persons or practices

Non-IT risks are normally managed by the enterprise Procurement, Legal,
and Risk Management teams.2

IT Risks

There are two broad categories of IT risks, which, incidentally, can
manifest as non-IT risks:

  • Information Security, like the presence of ransomware or other cyber
    infection
  • Data Privacy and Protection, like the theft of personally identifiable
    information (PII)

IT risks are normally managed by the enterprise IT Security, Privacy, and
Vendor Management teams.3

Cyber Risks

Cyber risks, whether primary- or third-party-induced, can present as both
IT and non-IT risks. For instance, one piece of malware can:

  • Allow unauthorized access to enterprise information (an Information
    Security risk)
  • Enable the theft of employee personal data (a Data Privacy and
    Protection risk)
  • Prompt the imposition of a penalty by government regulators (a
    Compliance risk)
  • Generate negative publicity (a Reputational risk)

Third-Party Cyber Risks


While enterprise IT and security departments are usually aggressive in
protecting their own systems, applications, and devices from cyber
attacks, they are often less vigilant in detecting and deterring threats
posed by third-party, or supply chain, partners. Of particular concern are
the following phenomena.

Indifference to Third-Party Cyber Risks

Although not exclusive to cyber risks, ignoring – or, more charitably,
not emphasizing – third-party risks is often a major enterprise failure.
Reciprocity, a cyber risk management firm, reports that:

“According to one 2021 report by the Ponemon
Institute, 74 percent of organizations say they had experienced a
cybersecurity breach in the previous 12 months because they gave ‘too much
privileged access’ to third parties.

“[Fifty-four (54)] percent of companies also
say they don’t assess the security practices of third parties before
allowing access to sensitive or confidential data. Another 63 percent are
in the dark about which third party has access to their networks, and what
kind of permissions those parties have.

“Your organization may be one of the 60
percent of companies that work with more than 1,000 third parties.”4

Expansion of the Enterprise “Attack Surface”

An enterprise and its various third-party partners are normally linked
electronically to:

  • Expedite the exchange of critical information
  • Enable real-time electronic commerce
  • Reduce administrative costs

Unfortunately, such tight integration permits cyber criminals to launch
attacks against the enterprise by leveraging one or more third-party
attack vectors – vectors made available due to poor third-party security
measures.

Obviously, the greater the number of vulnerable partners, the greater the
attack surface, and the greater the threat to the enterprise.

Expansion of the Enterprise Third-Party Pool

IT service management and delivery is becoming more fragmented as
enterprise officials build out their IT infrastructure by enlisting more
third-party partners. These partners include:

  • In the cloud category, software as a service (SaaS), infrastructure as
    a service (IaaS), and platform as a service (PaaS) providers
  • For remote/hybrid work, voice/data networking, videoconferencing, data
    security, and remote backup/recovery providers
  • For managed services, managed network services and managed security
    services providers
  • In terms of new technologies, artificial intelligence, machine
    learning, Internet of Things (IoT), and edge computing providers

Overall, “first-party” computing, as symbolized by the on-premises data
center, is rapidly diminishing, replaced by a universe of third-party
connected companies, agencies, information systems, and devices.

Not Accounting for “Fourth-Party” and “Fifth-Party” Risks

While normally hidden from view, an enterprise’s third-party partners
have their own third-party partners (making these companies fourth-party
partners), and these fourth-party partners may have their own partners
(again, from the enterprise viewpoint, fifth-party partners).

For the enterprise third-party cyber risk management specialist, not much
can be done to control these cascading relationships except ensuring, to
the extent possible, that enterprise third-party partners are practicing
sound cyber risk management.

Evaluating Third-Party Providers


The National Risk Management Center suggests a four-stage process for
managing risk: Identify, Analyze, Prioritize, and Manage, as pictured in
Figure 1.

Figure 1. The Four Stages of Risk Management

Source: CISA5

By applying this model to third-party providers, a formula for
third-party cyber risk management emerges.

Identify

Identify the enterprise’s major third-party providers, or those providers
that contribute to the performance of critical enterprise business
functions. While this should be a short list relative to the total number
of third-party providers, expect at least several dozen prominent names.

Gather information about each high-profile provider – a formal inventory
is the best vehicle – to define the provider’s:

  • Cyber Involvement – Do provider IT systems interface electronically
    with enterprise IT systems? If the answer is no, the level of
    enterprise cyber risk is low.
  • Oversight Level – If the provider is part of the enterprise’s
    electronic supply chain, are provider-enterprise digital interactions
    regularly monitored for evidence of cyber intrusion?
  • Disruption Potential – If provider IT systems are compromised, which
    enterprise IT systems – and, by extension, which enterprise business
    functions – are in jeopardy?

Review the data to determine which providers represent the greatest
third-party cyber risks, and proceed to analyze these providers.
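As an added illustration (not part of the original report), the script below turns the three inventory attributes of the Identify step into a scoring function and ranks a constructed vendor inventory for the Analyze step; the weights, provider names and field names are assumptions, not a published method.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Provider:
    """One row of the third-party inventory (hypothetical fields)."""
    name: str
    interfaces_electronically: bool               # Cyber Involvement
    interactions_monitored: bool                  # Oversight Level
    jeopardized_functions: Tuple[str, ...] = ()   # Disruption Potential


def risk_score(p: Provider) -> int:
    """Assumed weighting: no electronic interface -> 0 (low risk, as the
    report states); otherwise 2 points per critical business function in
    jeopardy, doubled when digital interactions are not monitored for
    intrusion, and never below 1 for any connected provider."""
    if not p.interfaces_electronically:
        return 0
    score = 2 * len(p.jeopardized_functions)
    if not p.interactions_monitored:
        score *= 2  # unmonitored links: an intrusion could go undetected
    return max(score, 1)


def triage(inventory: List[Provider], top_n: int = 3) -> List[Tuple[str, int]]:
    """Return the top_n providers as (name, score), highest risk first,
    ties broken alphabetically; these proceed to the Analyze step."""
    ranked = sorted(inventory, key=lambda p: (-risk_score(p), p.name))
    return [(p.name, risk_score(p)) for p in ranked[:top_n]]


# Constructed sample inventory; names and values are made up for illustration.
INVENTORY = [
    Provider("Fleet Logistics Co.", True, False, ("order fulfillment", "shipping")),
    Provider("Cloud IaaS Vendor", True, True,
             ("order fulfillment", "customer portal", "shipping")),
    Provider("Payroll SaaS", True, True, ("payroll",)),
    Provider("Managed Security Service", True, False, ()),
    # Listed business function is irrelevant: no electronic interface.
    Provider("Office Furniture Supplier", False, False, ("facilities",)),
]

if __name__ == "__main__":
    for name, score in triage(INVENTORY):
        print(f"{score:3d}  {name}")
```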

Analyze

For each third-party provider identified in the previous step, conduct a
cybersecurity risk analysis. As recommended by analyst Lisa-Mae Hill:

  • Verify that the provider has implemented “strong third-party risk
    cybersecurity monitoring and plans.”

    “In addition to collecting standard due diligence documents, such as
    your vendor’s cybersecurity protocols and testing to verify third-party
    information security, you need to assess the vendor’s security
    testing. By assessing their testing, you’ll be able to determine
    whether the vendor’s data is truly safe and confirm that they have an
    effective incident detection and response plan in place.”

  • Confirm that the provider shares “cybersecurity best practices and
    [provides] adequate training to [its] employees, contractors, and [its]
    OWN vendors.”

    “With employee, contractor, and vendor management, you must understand
    the vendor’s ability to protect your data. Training for these groups as
    well as documented and enforced access management are critical to data
    protection. Confidentiality agreements, security training, management
    of vendors, and access management are just some of the ways a third
    party can offer assurance that anyone with access to your data is
    properly trained.”6

Prioritize

Review the risk analyses conducted in the previous step. Identify which
providers pose the greatest potential cyber risks, and prioritize
remediation actions. These actions include, as appropriate:

  • Working with the providers to improve their cybersecurity awareness
  • Collaborating with the providers to implement a set of
    enterprise-acceptable cybersecurity safeguards, such as
    state-of-the-art:
      • Antivirus software
      • Firewalls
      • Intrusion prevention systems
      • Data loss prevention programs
      • Content filtering applications
  • Identifying alternative providers and removing high-risk incumbents
    from the enterprise supply chain

Manage

Once risky providers have been eliminated from the third-party pool – or
their cybersecurity practices upgraded to enterprise standards –
enterprise officials should develop a formal Third-Party Cyber Risk
Management Program (TPCRM).

While tailored to the specific needs of the enterprise, two special
options, as recommended by Reciprocity, deserve careful consideration:

  • First, “McKinsey suggests that organizations, led by their CIOs and
    CISOs, should form alliances with their third parties to minimize
    third-party cyber risk. So, to meet your risk mitigation requirements,
    your [enterprise] should work with vendors, suppliers, and other third
    parties to sustain a united security front.”
  • Second, the enterprise can “contract with an external TPCRM service
    provider. An experienced provider can provide clear oversight of the
    third-party cyber risks affecting your [enterprise]. The provider can
    actively identify, prioritize, and remediate these risks posed by your
    suppliers, partners, and other supply chain relationships. It can also
    manage your critical information systems that third parties access or
    use, while creating a buffer between at-risk assets and cyber
    criminals.”7

TPCRM Best Practices


In addition to establishing a process for evaluating third-party
providers, enterprise risk officials should implement the following best
practice measures, each intended to ensure that third-party cyber risk
management “has legs,” i.e., will become a staple of enterprise governance
and compliance programs.

Continuous Evaluation

The third-party provider pool must be evaluated on a continuing basis
because:

  1. Provider pool members come and go over time.
  2. Member commitment to cybersecurity may change over time.

As observed by analyst Kelly White, “[continuous] third-party monitoring
can not only help you identify and remediate risk, but can also serve as a
helpful tool in communicating your organization’s security hygiene to
board members or executive leadership.”8

Third-Party Consolidation

When it comes to third-party providers and cybersecurity, less is more,
or, more precisely, fewer is more.

When third-party services are required, look for well-established,
well-respected providers that can each satisfy multiple needs.

Third-Party “Offboarding”

Terminating third-party relationships can, itself, be risky.

As analyst Matt Moog reveals, “[a] thorough offboarding procedure is
critical, both for security purposes and recordkeeping requirements. Many
organizations have developed an offboarding checklist for third parties,
which can consist of both an assessment sent internally and externally to
confirm that all appropriate measures were taken. Critical, too, is the
ability to maintain [a] detailed evidence trail of these activities to
demonstrate compliance in the event of regulatory inquiry or audit.”9


References

About the Author


James G. Barr is a leading business continuity analyst and business
writer with more than 40 years’ IT experience. A member of “Who’s Who in
Finance and Industry,” Mr. Barr has designed, developed, and deployed
business continuity plans for a number of Fortune 500 firms. He is the
author of several books, including How to Succeed in Business BY Really
Trying, a member of Faulkner’s Advisory Panel, and a senior editor for
Faulkner’s Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.
