Concerns about cybersecurity aren’t going anywhere. Increasing your company’s resilience to business disruption and lowering its cyber risk, particularly the risk introduced by third parties, matters more than ever as ransomware rises and new threats emerge. But how do you find the cyber threats concealed in a constantly expanding third-party ecosystem?
What Is Third-party Cyber Risk?
Third-party cyber risk is the risk and exposure that arises from an organization’s relationships with its vendors, suppliers, contractors, and partners. It exists because third parties are granted access to the organization’s systems, networks, data, or other digital assets, and that access can be abused by attackers for unauthorized entry, data theft, or disruption of business operations.
Types of Third-party Cyber Risk
- Data Breach by a Third Party: Data breaches involving a third party are now common, and the risk has grown with the use of cloud services, SaaS applications, and outside security and IT contractors. Breaches at companies such as Marriott, Volkswagen, and Capital One have been traced to outside contractors, applications, or IT infrastructure.
- Compliance issues: Many compliance regimes explicitly cover third-party cyber risk. Laws and frameworks such as HIPAA, CMMC, GDPR, and CCPA set direct requirements for how businesses may share data with, or grant access to, third parties. Organizations that do not understand and meet these requirements face legal, regulatory, and public-relations consequences.
- Denial-of-service attacks and ransomware: Ransomware has not traditionally been treated as a third-party risk. In recent years, however, attackers have increasingly targeted software products used by hundreds or even thousands of businesses in order to spread ransomware through them. Ransomware was among the most common attack vectors in the third-party breaches analysed in the 2022 Verizon Data Breach Investigations Report. Pay particular attention to the third-party cyber risk posed by software vendors whose products require privileged access to your IT infrastructure.
What Is Third-party Cyber Risk Management?
Third-party cyber risk management is the process of identifying, assessing, and mitigating potential cybersecurity threats that originate from an organization’s external or outsourced partners like suppliers, vendors, or service providers. The goal of third-party cyber risk management is to minimize the likelihood and impact of data breaches, financial losses, and reputational damage that can result from these risks.
Why Is Third-Party Cyber Risk Management Important?
Because organizations increasingly depend on outside vendors and suppliers for crucial business functions, third-party cyber risk management has become a central part of staying secure and compliant. A security flaw in a third party’s systems or processes can expose the company to data breaches, financial losses, and reputational harm. Managing third-party cyber risk means identifying, evaluating, and mitigating the risks posed by vendors, which calls for a thorough and proactive approach to cybersecurity. Done well, it protects the organization’s digital assets and preserves the confidence of its stakeholders.
The cost of neglecting cyber risk
Businesses worldwide face IT outages, ransomware attacks, and data breaches, with 75% attributing breaches to excessive third-party access. Managing third-party cyber risk is vital for customer trust and for obtaining cyber insurance. Insurers increasingly write security requirements into their policies, and better security standards earn better rates; effective third-party cyber risk management can decide whether a company secures favourable premiums or is denied coverage, because providers look for high security standards before issuing a policy.
Challenges to Third-Party Cyber Risk Management
The volume and complexity of the IT compliance challenge keep growing. Business is evolving quickly; standards, laws, and enforcement are all changing, and so is the business itself. The role of the CISO is evolving too: their responsibilities now include oversight of high-value assets, policies, training validation, and control ratings, in addition to monitoring for risks and threats.
Meanwhile the IT landscape keeps changing. Employees come and go, processes change, and reliance on third parties and outsourcing agreements grows. Organizations need agile IT compliance processes to contain the resulting cyber risk, and the CISO must ensure that controls extend to third parties outside the organization.
The following are the biggest difficulties that IT compliance currently faces:
- relationships with third parties and an increasing reliance on technology and information
- recognizing, articulating, and controlling changes in the commercial and regulatory environment
- shifting from point-in-time assessments and checkbox compliance to continuous compliance monitoring
Organizations use contracts, SLAs, and audits to ensure that vendors share their commitment to data security. But if those parties were not thoroughly screened, attackers can reach the target organization’s data by compromising one of its vendors. Preventing that requires verifying controls across every participant in the supply chain.
Since COVID-19, 52% of legal and compliance leaders have expressed concern about third-party cybersecurity risks, according to Gartner. The pandemic created new risks and worsened existing ones that CISOs must address. For instance, the abrupt shift to working from home exposed third parties with no training in securing home offices to cyber threats, and those threats in turn affect the organizations they support.
Assessing Third-Party Cyber Risk During Sourcing
Nearly every vendor carries some cyber risk, even one with very limited access to sensitive data or IT infrastructure. Reducing the likelihood of a later breach or security incident depends on identifying the vendors that expose your organization to unnecessarily high risk. Here are questions to put to prospective vendors, especially those with a high inherent risk profile.
- Does the business have a formalized cybersecurity programme that complies with reputable standards like NIST CSF or ISO 27001?
- Has a third party or external auditor verified that the security programme complies with the standard in its entirety?
- Does the company have the legal authorizations it needs before using your organization’s data (for example under HIPAA, GDPR, or CCPA)?
- Has the company ever received a fine for failing to comply with cybersecurity regulations?
- To what extent does the vendor itself rely on fourth and Nth parties?
- Has the company ever experienced data breaches or publicly reported security incidents?
- Is the company located in a jurisdiction where it might be compelled to breach contractual obligations and disclose sensitive corporate data?
Third-Party Cyber Risk Mitigation during Intake and Onboarding
Finding vendors that present a manageable level of risk is just the start. The intake and onboarding phase creates opportunities to identify and reduce risk that persist throughout the contract’s lifespan.
Include cybersecurity clauses in the agreement
Based on compliance needs and profiled risk, write specific data storage and cybersecurity requirements into your contract with the vendor. Standard clauses should spell out when and under what conditions the vendor may share your data with its own third parties (your fourth parties). Consider adding requirements for identity and access management, data retention, and encryption standards to the SLA as well.
Rank Inherent Risk
Inherent risk scoring is essential to managing third-party cyber risk properly. A vendor’s inherent risk is the risk it poses before any of the controls your organization requires have been implemented. The following suggestions can help you improve your inherent risk scoring method:
- Avoid a one-size-fits-all strategy: The profiled risk of an organization should serve as the basis for inherent risk scoring. Vendors should be ranked according to the infrastructure and data to which they have access. When vendors are not properly tiered, the effort is wasted on the wrong ones while those who could pose a significant organizational risk are given insufficient attention.
- When calculating inherent cyber risk, take vendor location into account. Governments in some regions may have ownership stakes in certain vendors or data-sharing requirements that may supersede the vendors’ contractual obligations to your company. When estimating the level of inherent risk that a vendor poses, take into account both the location of the vendor and local politics.
Bonus Tip: You can tier vendors based on specially created criteria by utilizing a specialized third-party cyber risk management solution.
Find the Nth and 4th party vendors
It might be worthwhile to look into the extended supply chain of the vendor you are onboarding if there is a significant amount of inherent risk associated with their access to IT and data. Pay close attention to businesses that interact with their IT infrastructure or have access to the information they store. Understanding the use of fourth and Nth parties helps to focus your third-party monitoring strategy throughout the contract lifecycle and to inform your overall vendor risk management programme.
Identifying and remediating third-party cyber risks
Cybersecurity risks emanating from third parties should be assessed and remedied as part of your broader TPRM program. Here are a few tips you can use:
Connect Vendor Controls to Compliance Requirements
If you have obligations under HIPAA, GDPR, NYDFS, or other regulations, you must make sure the vendor implements the controls those regulations require for the type of data it handles. Third-party cyber risk management software can make this mapping significantly quicker.
Never hesitate to request new controls or outside audits
If a vendor has not had an outside organization certify its compliance with a well-known cybersecurity standard, don’t be afraid to ask it to undergo an audit against that framework (or against a compliance requirement your own organization falls under). Losing a potential vendor is far preferable to discovering that a self-certification of HIPAA compliance was false and that your company is now responsible for a breach as a result.
Recognize the Mechanisms of Fourth and Nth Party Data Sharing
Based on their responses during the intake and onboarding phase, you should have a general idea of what external organizations your vendor uses. Ask about the specific policies and procedures your vendor has for sharing data or access with third parties as your company conducts its formal vendor risk assessment. Ask them to establish formal policies and procedures if they don’t already have any.
Regularly evaluate and address risk
Risk is not constant. Throughout the lifecycle of the contract, the cyber risk that a vendor poses to your company is likely to change significantly. As vendors gain trust, they may accept more work, which gives them access to resources that weren’t considered in the initial risk assessment. This is known as scope creep. Regularly reevaluate vendor risk as the agreement with the organization changes to make sure residual risk stays within allowable bounds.
Make use of a shared library
Many organizations, especially those with a strong vendor tiering plan, cope with resource limits by using completed assessment content that vendors have already submitted to and shared through an industry exchange. The more vendors participate, the more of the exchange’s content overlaps with your own vendor population, which reduces data-collection time and accelerates risk identification and mitigation.
Continual monitoring of third-party cyber risk
Rapid changes to a vendor’s risk profile can be overlooked even if you conduct regular risk assessments. Managing third-party cyber risk effectively requires continuously checking for changes in your vendors’ cybersecurity posture. To make sure you don’t miss a significant security event, here is a list of sources to keep an eye on throughout the vendor lifecycle.
Dark Internet forums
Malicious actors frequently coordinate and plan attacks against large organizations on invitation-only forums hosted on the Tor network. Watching these forums for mentions of your third- and fourth-party vendors lets you spot attacks that are under way, or have already been carried out, against them.
Dark Internet Markets
Dark web markets sell bot logs: bundles of stolen browser fingerprints, session cookies, and saved credentials harvested by infostealer malware, which buyers load into a browser to impersonate the victim and get around 2FA and other controls. Genesis Market was the best-known example until law enforcement took it down in April 2023; successor markets trade the same goods. Monitoring these marketplaces can show you quickly whether access to a third party is being offered for sale, which may mean a breach is currently under way. Stolen credentials and account access sold there are also used by other actors for account takeover and phishing, so watching the markets helps you understand the cyber risk a vendor poses. Questions to ask include:
- Are credentials for the vendor, or for its products, available for purchase on the dark web?
- Are bot logs for sale whose saved logins include the vendor’s domains or internal hostnames, indicating that a vendor employee’s machine is infected?
- Has the vendor already identified credentials for sale, or is it largely unaware of its external exposure?
Pastebin and Clearweb Sites
Not all account thefts and data breaches surface on the dark web. Employees frequently leak third-party data unintentionally, and it turns up on Pastebin and other open sites. Malicious actors have also been known to post files containing thousands of credentials on open-access forums. Checking Pastebin and similar sites for confidential information, stolen third-party credentials, and other sensitive data is a crucial part of ongoing third-party monitoring.
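As an added example (not code from the original article), the following Python script shows the kind of check a paste-site monitor runs: it parses the common "email:password" combo-list format, keeps only hits whose mail domain belongs to a watched vendor (including subdomains, but not look-alike domains that merely end in the same text), and fingerprints the password with a truncated hash so the plaintext secret is never stored. The vendor domains and the paste contents are constructed placeholders.

```python
import hashlib
import re

# Domains of the vendors being monitored (hypothetical names, not real vendors).
WATCHED_DOMAINS = {"acme-vendor.example", "payroll-saas.example"}

# One "email<sep>password" combo per line, the usual shape of a credential dump.
COMBO_RE = re.compile(
    r"^(?P<email>[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"[:;|](?P<password>\S+)$"
)


def watched_parent(domain, watched):
    """Map a host such as mail.acme-vendor.example onto the watched domain it belongs to.

    Requires a dot boundary, so notacme-vendor.example does not match acme-vendor.example.
    """
    domain = domain.lower()
    for w in watched:
        if domain == w or domain.endswith("." + w):
            return w
    return None


def scan_paste(text, watched=WATCHED_DOMAINS):
    """Return {watched_domain: sorted list of (email, password_fingerprint)}.

    The plaintext password is never retained: a truncated SHA-256 is enough to
    de-duplicate hits and to tell the vendor which accounts need a reset.
    """
    hits = {}
    for raw in text.splitlines():
        m = COMBO_RE.match(raw.strip())
        if not m:
            continue
        parent = watched_parent(m.group("domain"), watched)
        if parent is None:
            continue  # someone else's leak; not our vendor
        fingerprint = hashlib.sha256(m.group("password").encode()).hexdigest()[:12]
        hits.setdefault(parent, set()).add((m.group("email").lower(), fingerprint))
    return {d: sorted(s) for d, s in hits.items()}


# Constructed sample paste, not real data.
SAMPLE_PASTE = """\
# combo list dump (constructed sample)
alice@acme-vendor.example:Summer2023!
bob@gmail.example:hunter2
carol@mail.acme-vendor.example;P@ssw0rd
dave@payroll-saas.example|correcthorse
this line is not a credential
alice@acme-vendor.example:Summer2023!
"""

if __name__ == "__main__":
    for domain, accounts in scan_paste(SAMPLE_PASTE).items():
        print(f"{domain}: {len(accounts)} exposed account(s)")
        for email, fp in accounts:
            print(f"  {email}  pw-fingerprint={fp}")
```

In practice the hits are fed to the vendor contact named in the contract and into your own IAM to force a reset of any shared or federated accounts; the script deliberately reports only the account and a fingerprint, never the password itself.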
Vulnerability Databases
The MITRE CVE list, NVD, and other vulnerability databases help you locate exposures in software created or used by third-party vendors. Third-party cyber risk management software can automatically flag third- and fourth-party software vendors with potentially vulnerable products by matching the software they disclosed during onboarding against new CVE records.
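The matching step in that paragraph is shown below as an added example (it is not the article's or any vendor product's code). It takes the software inventory gathered from vendors during onboarding and evaluates each item against CVE records shaped like the `affected` block of the CVE JSON 5.0 format (`vendor`, `product`, and `versions` entries with `version` / `lessThan` / `lessThanOrEqual`, including the `*` wildcard for an open upper bound). The CVE identifiers, products, and vendors are constructed placeholders; the version comparison handles the `4.7` vs `4.7.0` case and skips entries marked `unaffected`.

```python
import re


def vkey(version):
    """Numeric prefix of a version string as a fixed-width tuple, so '4.7' == '4.7.0'."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def version_affected(version, entry):
    """Evaluate one CVE 5.0-style 'versions' entry against an installed version."""
    if entry.get("status", "affected") != "affected":
        return False
    v, start = vkey(version), vkey(entry["version"])
    if "lessThan" in entry:
        upper = entry["lessThan"]
        return v >= start and (upper == "*" or v < vkey(upper))
    if "lessThanOrEqual" in entry:
        upper = entry["lessThanOrEqual"]
        return v >= start and (upper == "*" or v <= vkey(upper))
    return v == start  # no range given: exactly this version


def cve_affects(cve, item):
    """True if any 'affected' block of the CVE covers this inventory item."""
    for aff in cve["affected"]:
        if (aff["vendor"], aff["product"]) != (item["vendor"], item["product"]):
            continue
        if any(version_affected(item["version"], e) for e in aff["versions"]):
            return True
    return False


def match_inventory(inventory, feed):
    """Return (third_party, access_level, cve_id, severity) for every applicable CVE."""
    return [
        (item["third_party"], item["access"], cve["id"], cve["severity"])
        for item in inventory
        for cve in feed
        if cve_affects(cve, item)
    ]


# Constructed CVE-style records; the IDs, vendors, and products are placeholders.
CVE_FEED = [
    {"id": "CVE-0000-0001", "severity": "CRITICAL", "affected": [
        {"vendor": "acmesoft", "product": "remotemanage",
         "versions": [{"version": "4.0", "lessThan": "4.7.3", "status": "affected"}]}]},
    {"id": "CVE-0000-0002", "severity": "HIGH", "affected": [
        {"vendor": "acmesoft", "product": "remotemanage",
         "versions": [{"version": "0", "lessThanOrEqual": "3.9.9", "status": "affected"}]}]},
    {"id": "CVE-0000-0003", "severity": "MEDIUM", "affected": [
        {"vendor": "payrollco", "product": "portal",
         "versions": [{"version": "2.1.0", "status": "affected"}]}]},
]

# Constructed inventory from onboarding questionnaires. "third_party" is the business
# relationship; "vendor"/"product" name the software package in CPE-like terms.
VENDOR_INVENTORY = [
    {"third_party": "Acme Vendor Ltd", "vendor": "acmesoft", "product": "remotemanage",
     "version": "4.5.1", "access": "privileged"},
    {"third_party": "Payroll SaaS", "vendor": "payrollco", "product": "portal",
     "version": "2.1.0", "access": "data"},
    {"third_party": "Payroll SaaS", "vendor": "acmesoft", "product": "remotemanage",
     "version": "4.7.3", "access": "privileged"},
]

if __name__ == "__main__":
    for third_party, access, cve_id, severity in match_inventory(VENDOR_INVENTORY, CVE_FEED):
        print(f"{severity:8} {cve_id}  {third_party} ({access} access)")
```

A finding against a vendor with privileged access to your infrastructure is the case to escalate first, which is why the access level recorded at onboarding travels with the result.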
Databases with Data Breach
Searching for your vendors in databases of reported breaches, such as those maintained by Privacy Rights Clearinghouse and the California Attorney General, is another crucial part of third-party cyber risk monitoring. Even a small breach at a vendor should prompt you to reassess the risk to any data shared with it, and it may require a review of applicable legal compliance obligations.
Automating the Monitoring Procedure
Third-party risk monitoring software can automate locating and evaluating third-party cyber risks. Commercial services advertise monitoring of 1,500+ criminal forums, tens of thousands of onion pages, 80+ special-access dark web forums, 65+ threat feeds, and 50+ paste sites for leaked credentials, as well as security communities, code repositories, and vulnerability databases, to surface third-party cyber incidents for 550,000 companies.
Best Practices for Third-Party Cyber Risk in your supply chain
Businesses have identified a number of procedures that have improved their ability to manage cyber risks with their third parties.
- One is a focus on brand integrity rather than brand protection, which supports life-cycle threat modeling that proactively identifies and fixes supply chain vulnerabilities.
- IT, security, engineering, and operations staff collaborate to develop the procurement and sourcing processes, and multiple stakeholders are involved in the decision-making process.
- All requests for proposals (RFPs) and contracts contain standard security terms and conditions that are adapted to the type of contract and the needs of the business.
- Owners of assets or companies must formally accept liability for deviations from security standards and any resulting effects on their operations.
- Because many risk assessments rely on supplier self-evaluation, many businesses validate and verify those reviews on site. Some cross-train employees to work at suppliers so that security standards can be monitored continuously.
- Before they actively join the supply chain, new suppliers go through a testing and assessment phase to evaluate their capabilities and compliance with various requirements. For instance, a supplier might run a number of pilots in high-risk areas before joining the supply chain entirely.
- Tier 1 suppliers must administer the same survey to their suppliers as the Original Equipment Manufacturer (OEM) does.
- Approved vendor lists are established for manufacturing partners.
- Supplier performance is reviewed quarterly by a stakeholder group.
- Annual supplier gatherings make sure that suppliers are aware of the priorities in terms of security and business needs.
- Suppliers are given access to mentoring and training programs, particularly in complex or important areas of concern for the business, like cybersecurity.
What Third-Party Cyber Risk Certification Should I Get?
The Shared Assessments Program offers two certifications for IT risk assessors and third-party risk professionals: the Certified Third Party Risk Professional (CTPRP) and the Certified Third Party Risk Assessor (CTPRA). Both are regarded as de facto industry standards.
Certifications in third-party risk have become the standard at the individual, organizational, and industry levels. They serve as proof that an individual has attained a defined level of competency, and for businesses they guarantee that competency for specific roles or responsibilities. As risks have expanded and changed, so have the vulnerabilities, volatility, and career opportunities in the field.
Certified Third Party Risk Professional (CTPRP)
The CTPRP is divided into four sections:
- Risk management foundation: understanding the risk to your organization
- Managing your programme: how to set it up and run it
- Risk control domains: the IT risk controls to focus on during an assessment
- Risk assessment process: best practices for conducting an assessment
The CTPRP course participants come from backgrounds in security, compliance, procurement, business resilience, law, audit, IT vendor management, and even facilities management.
Attending a CTPRP course will benefit anyone involved in their company’s third party risk management lifecycle or looking for insight into best practices for setting up and managing a programme.
Certified Third Party Risk Assessor (CTPRA)
The CTPRA certification verifies the knowledge required to conduct in-depth evaluations of third parties within particular IT risk control domains. Like the CTPRP, it is organized into sections:
- Risk Based Due Diligence: Risk Management Foundation
- Risk Management Domains
- Process for Assessing Risk
The CTPRA focuses on best practices and principles in audit, security, and privacy. The certification is intended for IT security professionals and provides a basis for building a reliable playbook for carrying out onsite or virtual assessments.
Frequently Asked Questions
Q1: How do you handle cyber risks from vendors and third parties?
To handle cyber risks from vendors and third parties, perform risk assessments and choose vendors with robust cybersecurity protocols. Include cybersecurity requirements in contracts and conduct regular audits of vendors’ practices. Train employees in data handling and threat recognition, create an incident response plan, and consider cyber insurance to manage potential financial risks. Do remember that cybersecurity is a shared, ongoing responsibility.
Q2: What is third party cybersecurity?
Third-party cybersecurity refers to the policies and procedures a company uses to make sure that its vendors, partners, and other third parties do not endanger its digital systems and data. Typical actions include setting cybersecurity criteria for third parties, regularly auditing their security practices, and writing specific security requirements into contracts. Because third parties can pose a security risk to an organization, it is an essential component of risk management.
Q3: What are third party attacks?
Third-party attacks, or supply chain attacks, are cyberattacks that target a vulnerable point in a network, typically a less secure third-party vendor. Instead of attacking the main organization directly, attackers exploit vulnerabilities in the third party’s systems to gain access to the target organization’s network. Because the initial compromise happens outside the target’s own perimeter, these attacks are difficult to detect and prevent.