Strengthening Third-Party Risk Management

Brandon Dobrec


May 1, 2019

third party risk management eerm

In business, we get by with more than a little help from our friends. These friends—or third parties—deliver a wide range of products and services to keep companies moving forward.

According to Deloitte research, three out of five executive leaders view third parties as essential to cutting costs, while 57% said they enable the organization to focus on core functions. But even if your company is reaping the spoils of these agreements, it is likely also increasing its exposure to cyberthreats. Adding third parties to your operational portfolio often allows them to access your critical internal systems and data.

What’s more, whether it is oversights like misconfigured perimeters or leaked credentials, your partners’ cybersecurity problems can easily become your problems: 56% of organizations have experienced a data beach caused by a third-party vendor, and 42% have suffered from a breach caused by an attack on one of their third parties, according to research from the Ponemon Institute. Nearly 60% cannot determine if their vendors’ security policies and defense can sufficiently prevent a breach, and less than half even evaluate the security and privacy practices of vendors before initiating a business agreement that requires sharing sensitive or confidential information. Given these lapses, only 17% of companies rate themselves as “highly effective” at mitigating third-party risk.

The dependence upon third parties and the resulting potential for exposure have paved the way for extended enterprise risk management (EERM) programs. However, organizations have made relatively little progress in developing these programs, as only 1% claim to have “optimized” EERM with integrated strategy and decision-making processes, executive champions, and continuous improvement and investment, according to additional research from Deloitte. More than half believe it will take at least two years to reach their intended state of optimization, with nearly a quarter anticipating it will take more than three years.

If your organization is attempting to progress toward this goal, the following five steps can help strengthen EERM programs or other forms of third-party risk management:

1. Broaden your definition of a third party—then narrow it. To fully grasp third-party risk, you must understand how broadly the concept applies. The third party could be the contractor paid to clean your bathroom, or the landscaping business that cuts your lawn every week. At the other end of the spectrum, if your organization authorizes a major supply chain agreement or acquires a company, you bring a larger and more impactful third party into the enterprise. When you recognize that third-party cyberrisk includes all network assets that you do not directly control but that can still affect you, that is when you are taking the necessary broader view.
Before signing any papers, you should assess third-party candidates with business-driven criteria, taking into account not only price and ROI projections, but also cybersecurity policies and practices. Cybersecurity is a key business consideration today. A vendor could promise mega-savings for the next 10 years, but if they regard cybersecurity as an afterthought, the relationship could ultimately cripple your bottom line.
At the same time, you must narrow your perspective. For example, if you hire a large, global accounting firm to audit your books annually, you obviously have to ensure that the firm is not increasing your risk as it accesses your most sensitive financial information. That said, you do not need to conduct due diligence of the firm’s entire global operations—that would be a waste of time and resources. Instead, you should focus strictly on the firm’s resources that contain your data.

2. “Tier” your exposure. Any new relationship entails some level of scrutiny, but you should “tier” each third party according to what they will access. You do not need much more from a bathroom cleaner than minor self-reporting (“Yes, my employees have clean legal records, and no, they will not connect their personal devices to your internal Wi-Fi.”).
But you must dig deeper with consultants, vendors, and business partners who work with your proprietary information and/or customers’ credit card numbers, home addresses and additional personally identifiable information (PII). These may require onsite audits, penetration tests, and reviews of the candidate’s IT team members’ standing with certifications such as Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP).

3. Continuously monitor third parties with the greatest potential for impact. After the candidate with high-level access has demonstrated cybersecurity policies and practices that are at least adequate and the contract is signed, you reinforce protection through continuous monitoring. Getting a scorecard or report once a month, week or even a day will not cut it. You need to have “eyes” on the partner at all times, with tech tools sending real-time alerts whenever something bad may be happening.

4. Determine the quality of data coming in. There is a lot of data out there about threats and vulnerabilities, and security operations center (SOC) teams cannot manage it all on their own. They benefit immensely from automated solutions that focus on the data that is most relevant to your specific operations, industry, and business requirements, such as flagging a third party that has introduced a series of questionable websites possibly containing malware.
But technology alone is not enough; it works best when you employ skilled professionals who augment the data’s contextual value with a human perspective. These professionals take the alerts, then determine whether the suspicious websites serve any useful function and, if not, remove them immediately.

5. Keep the reporting flexible. Not every company seeks reporting of its third parties’ threat status in the same way, nor does every executive look for the same thing. The chief marketing officer, for instance, may want the latest on a particular attack that has targeted customer PII. But the chief financial officer could be more interested in ransomware. Your tools should be flexible enough to customize reporting to effectively respond to the range of requests and interests within your organization.

While a little help from friends is a vital component of corporate survival, there could be serious repercussions if you do not choose your associates wisely. To reduce your cyber exposure, it is critical to identify the third parties serving your organization and the extent of damage they can cause, and then conduct due diligence accordingly. By investing in cybersecurity tools that incorporate continuous monitoring and contextual analysis of your third party, you can establish a consistent and manageable level of vigilance that will ensure a prosperous relationship.
Brandon Dobrec is senior product manager at LookingGlass Cyber Solutions.