The Essentials for Third-Party Risk Management

Cyber attackers often look for the most promising and lucrative opportunities and, as we have seen in the past year, that’s often taking place across organizations’ supply chains.

According to Verizon’s 2022 Data Breach Investigation Report, the supply chain was responsible for 62% of system intrusion incidents in 2021. The report points out the growing interconnected risks that now exist between organizations, their vendors, partners, and third parties.

Headline-making Breaches

While third-party risks have always existed, they became a harsh reality for many organizations in 2020, when attackers compromised SolarWinds, an information technology company. According to SolarWinds’ own filing with the U.S. Securities and Exchange Commission (SEC), as many as 18,000 customers may have installed the compromised software.

The affected product was SolarWinds’ Orion network management platform, whose users included non-governmental organizations, Fortune 500 companies, and several U.S. government entities, among them the Department of Homeland Security, the National Nuclear Security Administration, the State Department, the Pentagon, the U.S. Treasury, and the Department of Energy.

In this incident, nation-state actors inserted malicious code into Orion software updates, which were then delivered to customers through SolarWinds’ normal, digitally signed update channel; installing those updates gave the attackers a foothold in Orion customers’ networks. As often happens with third-party attacks, the compromise went unnoticed for months.

About 20% of the breaches in the Verizon report took months or longer to discover, and roughly half of those were discovered through “actor disclosure,” meaning the attackers themselves revealed the breach (for example, by leaving a ransom note or publishing stolen data) rather than the victim detecting it.

More Third-Party Focus Needed

While attacks like SolarWinds have raised awareness of supply chain security risks, most organizations still have a lot of ground to make up in supply chain risk assessment and risk management.

According to Prevalent’s 2022 Third-Party Risk Management Study, almost half of respondents (45%) experienced a third-party security incident in the previous 12 months, up from 21% the year before, and almost 70% said third-party data breaches are a top security concern.

The report indicates that third-party risk is finally becoming more strategic for organizations: about 67% of respondents say their executives and board members have had more visibility into these risks in the past year. However, 12% are not monitoring for third-party breaches at all, and a further 8% have no third-party incident response program.

The same report says that, on average, respondents take about two and a half weeks between discovering a third-party incident and remediating it.

Those Sticky Spreadsheets

While third-party risk is gaining more attention, many organizations struggle to collect risk data and take timely actions or produce accurate reports.

What’s the hang-up?

Those pesky old spreadsheets.

In fact, the Prevalent report says that in 2022 some 45% of respondents were still using spreadsheets for third-party risk assessments. As a result, about 40% need between a week and a month to produce reports and audit evidence about those supply chain risks.

On top of that, many still struggle to produce reports that clearly show they are meeting compliance requirements, and about half say spreadsheets limit their ability to respond proactively to third-party incidents and prevent them from assessing risk at every stage of the vendor lifecycle.

The harsh reality for organizations that stick with spreadsheets is that this kind of risk management will only get harder as audits and compliance requirements grow more complex, a challenge compounded by a constantly evolving and expanding risk landscape.

A resilience management platform that provides continuous visibility into risks across the entire enterprise can streamline and automate many of the tedious, error-prone tasks now handled in spreadsheets, and can help close security gaps that often go undiscovered with such outdated tools.

Ramping Up Resiliency

So, what can you do? How can your organization improve vendor resiliency and its third-party risk management practices? Here are a few suggestions:

1. Conduct a vendor risk assessment and business impact analysis.

A few key points are worth noting here. It is essential to examine your relationship with each third-party vendor. For example, ask:

  • What type of service does this vendor provide?
  • How critical is this service to our organization?
  • What would the impact be on the organization if this third-party service was disrupted?
  • How quickly would the impact happen?
  • Are there interrelated disruptions that would also occur?
  • Do we have a response and recovery strategy in place and what does that look like?

2. Understand Vendor Security Protocols

Historically, many organizations relied on a service level agreement (SLA) or other documentation signed at the start of a vendor relationship to address security standards. As the rise in third-party breaches shows, a one-time, point-in-time agreement is no longer an effective way to manage third-party risk.

Instead, vendor risk assessments should be ongoing, and they should align with your organization’s own security and compliance standards.

Questions to consider:

  • Does the vendor have established security practices?
  • What are these security practices?
  • Do we have an SLA or other agreement in place that mandates security compliance?
  • Are we conducting routine security audits to ensure the vendor’s security controls function as described?

3. Live by Least Privilege

As we move into resilience management with the mindset that an attack is a matter of when, not if, it is important to consider how much access your vendors have to your data and systems.

To better protect your organization, adopt a least privilege access (LPA) policy that gives third-party vendors access only to the data and systems they need to perform their roles. Because those roles evolve over time, routinely review vendor access privileges so that least privilege is maintained, and remove access promptly when a vendor’s engagement ends.
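One way to make that periodic review concrete is to compare what each vendor account has actually been granted against the permissions its role is supposed to have, and to flag stale reviews and expired engagements at the same time. The script below is an added example and is not part of the original article or of any Castellan product; the role baseline, the account inventory (as an identity provider or IAM export might supply it) and the review date are all constructed for illustration.

```python
"""Periodic least-privilege review of third-party (vendor) accounts.

Added example, not from the original article. The role baseline and the
account inventory below are constructed; in practice they would come from
the vendor contract register and an export from the IdP/IAM system.
"""
from datetime import date

# Permissions each vendor role is allowed to hold (hypothetical baseline,
# agreed with the vendor when the engagement was set up).
ROLE_BASELINE = {
    "backup-operator": {"storage:read", "storage:write-backups"},
    "monitoring-agent": {"metrics:read", "logs:read"},
    "support-engineer": {"tickets:read", "tickets:write", "logs:read"},
}

# Constructed inventory rows: what each vendor account currently holds,
# when its access was last reviewed, and when the contract ends (if known).
VENDOR_ACCOUNTS = [
    {"vendor": "Acme Backup", "account": "svc-acme-backup",
     "role": "backup-operator",
     "granted": {"storage:read", "storage:write-backups", "iam:admin"},
     "last_review": date(2022, 8, 1), "contract_end": None},
    {"vendor": "Metrics Co", "account": "svc-mon-agent",
     "role": "monitoring-agent",
     "granted": {"metrics:read", "logs:read"},
     "last_review": date(2022, 3, 15), "contract_end": None},
    {"vendor": "OldSupport Ltd", "account": "svc-oldsupport",
     "role": "support-engineer",
     "granted": {"tickets:read", "tickets:write", "logs:read"},
     "last_review": date(2022, 9, 20), "contract_end": date(2022, 9, 30)},
    {"vendor": "Misc Contractor", "account": "svc-misc",
     "role": "contractor",  # no baseline exists for this role
     "granted": {"logs:read"},
     "last_review": date(2022, 9, 1), "contract_end": None},
]

# Date the review is run (constructed).
REVIEW_DATE = date(2022, 10, 1)


def review_vendor_access(accounts, baseline, today, max_review_age_days=90):
    """Return a list of findings, one dict per problem detected.

    Checks, per account:
      * excess-privilege: grants outside the role's agreed baseline
      * unknown-role:     the role has no baseline, so it cannot be reviewed
      * contract-ended:   the engagement is over but the account still exists
      * review-overdue:   last access review is older than max_review_age_days
    """
    findings = []
    for acct in accounts:
        name = acct["account"]
        allowed = baseline.get(acct["role"])
        if allowed is None:
            findings.append({"account": name, "issue": "unknown-role",
                             "detail": f"no baseline for role {acct['role']!r}"})
            continue

        excess = acct["granted"] - allowed
        if excess:
            findings.append({"account": name, "issue": "excess-privilege",
                             "detail": "remove " + ", ".join(sorted(excess))})

        if acct["contract_end"] is not None and acct["contract_end"] < today:
            findings.append({"account": name, "issue": "contract-ended",
                             "detail": f"disable account; contract ended "
                                       f"{acct['contract_end'].isoformat()}"})

        review_age = (today - acct["last_review"]).days
        if review_age > max_review_age_days:
            findings.append({"account": name, "issue": "review-overdue",
                             "detail": f"last reviewed {review_age} days ago"})
    return findings


def run_review():
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_vendor_access(VENDOR_ACCOUNTS, ROLE_BASELINE, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['account']:<18} {f['issue']:<17} {f['detail']}")
```

Run on the constructed data, the review flags the backup account’s stray `iam:admin` grant, the monitoring account whose last review is 200 days old, the support account whose contract has already ended, and the account whose role has no agreed baseline at all. In a real environment the inventory export and the baseline would be pulled from the IdP and the contract register, and the findings fed into the same ticketing or reporting workflow the rest of the program uses.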

4. Implement Reporting and Continuous Monitoring Practices

When we talk about vendor risk, cyber risk is important, but vendors bring a range of other potential risks as well: financial, regulatory and compliance, reputational, geopolitical, environmental, and others.

These risks are constantly evolving, so be sure to implement reporting and continuous monitoring practices that ensure you’re staying on top of these risks.

5. Know Your Risk Thresholds and Alternatives

Knowing your vendor risks is a step in the right direction, but your organization also needs the ability to measure those risks against its risk threshold or risk appetite, and to know who is responsible for deciding whether each risk is accepted, avoided, mitigated, or remediated.

Even with good vendor-client relationships, sometimes the third-party risk a vendor introduces is simply too great. For those cases, have a contingency plan in place.

Some things to consider:

  • Do we have a reliable alternative vendor to switch to if needed?
  • What does our inventory look like? Can we maintain it if we switch vendors?
  • Are we nurturing our alternative vendor relationships?
  • Have we done the legwork to ensure the alternative vendors’ security and compliance practices align with our organization’s goals and strategies?

Does your organization need help identifying third-party risks and building or maturing an effective third-party risk management program? Contact a Castellan advisor today to learn more about how we can help.
