How businesses can improve their third-party security [Q&A]
In recent years many of the most high-profile cyberattacks have come through the supply chain, involving third-party suppliers and partners.
It has historically been difficult for businesses to assess third-party risk, and doing so has often involved time-consuming manual processes.
We spoke to Kelly White, CEO and founder of RiskRecon, to find out about the current challenges the industry is facing and how technology can help improve security posture.
BN: Why has third-party cybersecurity become such a big challenge for security teams?
KW: Third-party cyber risk is a rapidly growing challenge for organizations of all sizes. Look no further than the recent catastrophic security incidents like the SolarWinds SUNBURST hack that demonstrate the impact a third-party cybersecurity incident can have.
This is a challenge for security teams because organizations are operating in complex digital ecosystems that interconnect customers, vendors, and partners through which data is shared and transactions are processed. As the digital business ecosystem continues to expand, the challenge for security teams to manage their organization’s growing risk surface has never been greater.
Even the most mature security teams are struggling to manage third-party cyber risk, validating that there is a fundamental problem with managing the cyber risk being exposed by third parties.
BN: What are some of the current challenges and trends facing security leaders when it comes to third-party cyber risk?
KW: Traditionally, most third-party risk management programs have been reliant on the manual process of questionnaires. This takes a lot of time for both the security team and the vendor -- which no one has time for. Plus, traditional risk assessments performed annually or bi-annually are not designed for today's rapidly changing digital ecosystem, leaving security teams struggling to get the continuous visibility they need into their organization's third-party cyber risk. Without continuous third-party monitoring, security teams only gain access to one single point in time, which ultimately compromises risk mitigation and limits an accurate assessment of third-party risk.
In addition, security leaders are tasked with protecting their organization in today's dynamic cyber risk landscape which includes deep supply chain layers. It's not just third parties you need to be worried about; cyber risk can come from supply chain layers beyond the company's immediate third parties. These types of incidents can have a huge impact. According to the annual study Ripples Across the Risk Surface by the Cyentia Institute and RiskRecon, a Mastercard company, a data breach affecting multiple parties causes 26x the financial damage of the worst single-party breach.
BN: If security professionals are struggling to gain risk visibility into their organization and its extended ecosystem, what investments and technology should they be thinking about?
KW: Security and risk professionals need to invest in solutions that provide them with a comprehensive view of their third-party cyber risk based on continuously updated data that reflects their current environment and extended ecosystem.
KW: For security and risk teams looking for a third-party risk management (TPRM) solution for the first time or re-evaluating their current vendor, look for a solution that will automate the process and provide full visibility into your full digital supply chain, enabling teams to spend more time on more strategic activities. By providing an accurate and timely picture of your entire digital supply chain, you can know who poses the greatest risk to your organization and prevent a breach from going undetected. Also ensure that they can provide you with the appropriate resources to quickly understand and act on the risks that threaten your organization.
BN: Other than technology investments, what are some tips security leaders can follow to increase their third-party security posture?
KW: The biggest thing is understanding that third-party risk management should not be a one-time or once-a-year project. Security teams need to prioritize this and implement an ongoing program with ongoing monitoring in order to effectively mitigate risk and threats from third parties.
Here are a few ways for security teams to bolster their third-party risk management program to better protect their organization in today’s increasingly interconnected digital landscape:
- Update security questions -- Make sure you are asking the right questions. It's important to build and ask questions that enable you to understand how a vendor is handling the company's data. But don't stop there. Ask questions that give you insight into the technologies they are using internally and externally by third parties, fourth parties, and beyond.
- Prioritize risk -- A well-structured continuous third-party monitoring program provides security teams the ability to prioritize. An easy way to do this is assigning vendors a risk rating. That way you have a clear understanding of your vendor's security posture, can rank vulnerabilities in order of priority and then tackle issues accordingly.
- Take action -- Based on your assessment of your vendors, create a custom-built risk action plan that you can use to engage with your vendors to immediately remediate issues.
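The three steps above (rate each vendor, rank by risk, turn the ranking into an action plan), together with the earlier point that a once-a-year questionnaire gives only a single point in time, can be made concrete in a small script. The following is an added example and is not code from the interview or from RiskRecon; the severity weights, letter-grade thresholds, 90-day staleness cut-off, vendor names and findings are all constructed assumptions chosen to make the ranking logic visible.

```python
"""Toy vendor risk rating and prioritization, illustrating a continuous-monitoring
style ranking. Added example; weights, thresholds and sample data are constructed
assumptions, not any vendor's published methodology."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed severity weights (assumption, not from the interview).
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
# A questionnaire-based assessment older than this is treated as a stale point in time.
MAX_ASSESSMENT_AGE_DAYS = 90  # constructed cut-off


@dataclass
class Finding:
    issue: str
    severity: str  # one of the SEVERITY_WEIGHT keys
    observed: date  # when continuous monitoring first saw the issue


@dataclass
class Vendor:
    name: str
    data_sensitivity: int  # 1 (public) .. 3 (regulated/confidential) for data shared with the vendor
    last_assessment: date  # date of the most recent questionnaire or assessment
    findings: list = field(default_factory=list)


def risk_score(vendor: Vendor) -> int:
    """Weighted sum of open findings, scaled by how sensitive the shared data is."""
    return vendor.data_sensitivity * sum(SEVERITY_WEIGHT[f.severity] for f in vendor.findings)


def grade(score: int) -> str:
    """Map a numeric score to a letter rating using constructed thresholds."""
    if score == 0:
        return "A"
    if score < 10:
        return "B"
    if score < 20:
        return "C"
    if score < 40:
        return "D"
    return "F"


def is_stale(vendor: Vendor, today: date) -> bool:
    """True when the last point-in-time assessment is older than the cut-off."""
    return (today - vendor.last_assessment).days > MAX_ASSESSMENT_AGE_DAYS


def prioritize(vendors: list, today: date) -> list:
    """Rank vendors by score, highest first, and flag stale assessments."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    return [
        {
            "vendor": v.name,
            "score": risk_score(v),
            "rating": grade(risk_score(v)),
            "stale_assessment": is_stale(v, today),
        }
        for v in ranked
    ]


def action_plan(vendors: list, today: date) -> list:
    """Flatten findings into an ordered remediation list: riskiest vendor first, then severity."""
    items = [
        (risk_score(v), SEVERITY_WEIGHT[f.severity], v.name, f.issue, f.severity)
        for v in vendors
        for f in v.findings
    ]
    items.sort(key=lambda t: (-t[0], -t[1], t[2], t[3]))
    return [(name, issue, sev) for _, _, name, issue, sev in items]


TODAY = date(2021, 9, 1)  # constructed reference date so the example is deterministic


def sample_vendors() -> list:
    """Constructed sample data; the vendors and findings are not real."""
    return [
        Vendor("payroll-saas", 3, TODAY - timedelta(days=30), [
            Finding("unpatched web server", "critical", TODAY - timedelta(days=2)),
            Finding("TLS 1.0 still enabled", "medium", TODAY - timedelta(days=20)),
        ]),
        Vendor("marketing-cms", 1, TODAY - timedelta(days=200), [
            Finding("admin panel exposed to internet", "high", TODAY - timedelta(days=5)),
            Finding("expired certificate", "high", TODAY - timedelta(days=1)),
            Finding("missing HSTS header", "low", TODAY - timedelta(days=40)),
        ]),
        Vendor("cdn-provider", 2, TODAY - timedelta(days=10), []),
    ]


if __name__ == "__main__":
    for row in prioritize(sample_vendors(), TODAY):
        print(row)
    for step in action_plan(sample_vendors(), TODAY):
        print(step)
```

The design point is that the rating is driven by what monitoring currently observes, weighted by what the vendor holds, so a vendor with few but critical findings and sensitive data outranks one with more numerous low-value findings; the `stale_assessment` flag separately surfaces vendors whose only evidence is an old questionnaire, which is the single-point-in-time gap the interview describes.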
BN: Ransomware seems to be everywhere these days. How can cybersecurity ratings and effective third-party risk management help protect organizations from becoming its next victim?
KW: We've seen a major uptick in ransomware cyberattacks recently and this trend will only continue as the digital business landscape continues to grow more complex. Cyber criminals know this is a highly successful form of attack that gives them access to critical, high-value data and they keep evolving their tactics to maintain that success. Security teams should not put their guard down as these attacks are only becoming more prominent and more sophisticated.
A robust third-party risk management program that addresses your organization's current environment and extended ecosystem at any given moment will help ensure your company doesn't become the next ransomware headline. Continual vulnerability detection allows security and risk professionals to act on risks confidently and quickly before they can be exploited.