The typical Fortune 500 company now works with as many as 20,000 different vendors, most of which have access to critical data and systems. As these digital ecosystems become larger and increasingly interdependent, the exposure to third-party cyberrisk has emerged as one of the biggest threats resulting from these close relationships.
In a survey of 170 large enterprises, Deloitte found that 28% of respondents had faced major business disruption due to third-party data breaches, and more than a quarter of organizations suffered reputational damage as a result. An astounding 87% of the enterprises surveyed admitted to “disruptive incidents” with third parties in the past two to three years. In terms of reputation and actual dollars and shareholder value lost, the damage is real. As a result, boards, CEOs, business leaders, and risk and security managers are struggling to keep up with their growing third-party cyberrisk exposure.
Third-party relationships represent some of the hardest-to-manage cyberrisks for organizations across all industries. Not only does a company need to know exactly which systems and data each of these thousands of vendors has access to, it also has to understand how strong each vendor's security controls actually are. Doing so would be challenging even if that information were static; it becomes almost impossible when all of it is fluid, changing month-to-month, day-to-day or even hour-to-hour as vendors add sub-contractors, change staff and alter their own systems. Effectively monitoring and mitigating third-party risk is currently a herculean task that involves a great deal of data, manual processes and, ultimately, confusion.
This lack of visibility into the data and processes behind these extended relationships has become a breeding ground for misinformation, and that misinformation has hardened into a set of misconceptions about third-party risk. From the way risk assessments are (insufficiently) performed to the absence of the information needed to truly understand the cyberrisk landscape within the digital ecosystem, the following myths have taken root in many enterprises.
Myth #1: Employees are the greatest insider threat.
The term “insider threat” is traditionally used to refer to employees, but the reality is that expanding digital ecosystems have put an end to the idea of a clearly defined insider. Customers, partners and vendors are all part of an enterprise's network now, so organizations must expand their definition of an “insider.” A vendor account with standing access to an internal system is, for practical purposes, an insider account and should be inventoried, scoped and monitored as one. The recent attacks on the SWIFT payment transfer network that led to an $81 million bank heist, for example, were not perpetrated by traditional insiders; the attackers instead targeted the tools that bank employees use to drive their business.
Myth #2: On-site security assessments are the best third-party risk mitigation.
Security and vulnerability assessments of tier-1 vendors are a standard part of the security and risk management protocol at most enterprises. In many cases this means site visits to confirm that these critical vendors and partners have the processes, tools and personnel in place to keep data and systems secure. These assessments, however, come at significant cost, both in the staff needed to conduct them and in the resources dedicated to analyzing and gleaning intelligence from the data collected, and each one is a point-in-time snapshot that begins to age the day the assessors leave. Put simply, on-site security and vulnerability assessments do not scale with today's expanding digital ecosystems, and the result is more resources spent on collecting data instead of on clearly identifying and addressing risks.
Myth #3: Annual security and vulnerability assessments will tell me what I need to know about the threat landscape.
On average, enterprises assess their vendor and partner cyberrisk annually, and assess lower-tier partners only once. The reality, however, is that third-party cyberrisk exposure changes constantly as a result of a variety of factors: the way vendors or partners do business and with whom, the threats known to exist at any given time, and the way they implement and operate their technology. A vendor that passed an assessment twelve months ago may have since changed hosting providers, onboarded its own new vendors or fallen behind on patching, and none of that is visible in last year's report. Enterprises need to detect changes in their third-party cyberrisk exposure with far greater velocity.
Myth #4: Collecting enough data from vendors, partners and customers is the key to mitigating risk.
Enterprises spend the vast majority of their time collecting data rather than performing the risk management and mitigation work that actually reduces the residual security risk third parties represent. Collecting more questionnaires and evidence does not by itself reduce risk; only acting on what they reveal does. This is an outdated approach that simply cannot keep pace with the constantly changing threat landscape. To truly understand up-to-the-minute risk exposure, companies need to embrace automated, standardized security assessments and advanced analytic tools and techniques that help them cost-effectively manage cyberrisk across their entire ecosystem and prevent the real financial and reputational damage that results from a third-party breach.
Myth #5: The good guys just cannot keep up with the bad guys.
With data breach headlines popping up on a weekly basis, it is easy to see how some could fall victim to this line of thinking. It is true that cybercriminals have become incredibly sophisticated in the way they exploit third-party vulnerabilities, but those defending the wall have been busy too. According to PwC, 65% of organizations are formally collaborating with partners to improve security and reduce risks. Third-party risk is not going away any time soon, but collaboration—the pooling of information, resources and knowledge—represents the industry’s best chance to effectively mitigate this growing threat.
Outsourcing has increased dramatically in recent years and has evolved into a critical component of most businesses. The benefits—reduced costs, streamlined organizations, on-demand specialization and expertise from service providers, and the ability to focus resources on the core business—have been apparent, but they come with a significant trade-off in the form of elevated third-party risk. The organizations with the best understanding of where these risks lie and how best to cost-effectively mitigate them will have a significant advantage as digital ecosystems continue to expand.