Mitigating third-party risk can seem daunting given the slew of new regulations and the increasingly advanced tactics of cybercriminals. However, most organizations have more leeway and flexibility than they think. Third-party risk management can be built on the risk governance practices and security controls the company already has in place. The reassuring aspect of this model is that organizations do not have to discard existing protections to mitigate third-party risk successfully, which encourages a culture of gradual and continuous improvement.
Third-party risk presents a unique challenge for organizations. On the surface, a third party may seem trustworthy. But without complete transparency into the inner workings of that third-party vendor, how can an organization ensure that the data entrusted to it is secure?
Organizations often downplay this pressing question because of the long-standing relationships they have with their third-party vendors. Having worked with a vendor for 15 years, they see no reason to jeopardize the relationship by asking to "look under the hood." This line of thinking is dangerous: a cyber incident can occur when and where you least expect it.
A changing landscape
When a data breach occurs, not only can the organization be fined as an entity, but there can also be personal consequences for individuals. Last year, the FDIC strengthened its guidelines on third-party risk, setting the stage for other industries to follow suit. With the emergence of new technologies such as artificial intelligence, the consequences of third parties mishandling data can be disastrous. The new regulations reflect these serious consequences by imposing harsh penalties on organizations that have not developed rigorous controls.
In addition to new regulations, the emergence of fourth- and even fifth-party vendors should incentivize organizations to protect the data that leaves their perimeter. Software delivery is no longer the simple internal practice it was 10 years ago: today data passes through many hands, and with each link added to the data chain, security threats increase while oversight becomes more difficult. For example, performing adequate due diligence on a third-party vendor is of little benefit if that vetted third party passes private customer data to a negligent fourth party without the organization's knowledge.
Five practical steps
With the right roadmap, organizations can successfully mitigate third-party risk. Better yet, expensive and disruptive technology investments aren’t always necessary. For starters, what organizations need when performing due diligence is a sensible plan, capable staff willing to participate, and increased communication between IT, security and business teams.
The first step is to thoroughly understand the vendor landscape. While this may seem obvious, many organizations, especially large companies with the budget to outsource, overlook this crucial step. Hastily establishing a relationship with a third-party vendor can save money in the short term, but those savings will be wiped out if a data breach occurs and the organization faces steep fines.
The second step, after analyzing the vendor landscape, is to determine which third-party roles are "critical": a vendor is critical if it is operationally essential or if it processes sensitive data. Based on criticality, vendors should be grouped into tiers, which gives the organization flexibility in how it evaluates, reviews and manages each vendor.
Sorting vendors by their criticality can shed light on the over-reliance organizations may have on their third-party vendors. These organizations need to ask themselves: If this relationship suddenly ends, do we have a backup plan? How would we replace this function while continuing our daily operations seamlessly?
The third step is to develop a governance plan. Effective due diligence and risk management require the three main arms of an organization to work together: the security team sheds light on flaws in the vendor's security program, the legal team determines the legal risk, and the business team foresees the cascading effect on operations if data or services are compromised. The key to strong governance is to tailor the plan to the organization's specific needs. This is particularly applicable to organizations in less regulated industries.
The fourth step, part of the governance phase, is drafting contractual obligations. In cloud computing, for example, business leaders often rush to sign a contract without checking which security measures are included in the base offering and which are not. Contractual obligations often depend on the industry, but a standardized security clause should also be developed and adapted to the type of vendor. If we are evaluating a delivery company, there may be less focus on the vendor's software development lifecycle (SDLC) and more on resilience measures. If we are evaluating a software company, we would focus on the vendor's SDLC processes, such as how code is reviewed and what safeguards apply to production.
Finally, organizations must develop an exit strategy. How can an organization cleanly separate itself from a third party while ensuring that customer data is deleted? There have been cases where a company severed ties with a vendor only to receive a call years later informing it that the former partner had suffered a data compromise and that its customers' data had been exposed, even though that data had supposedly been deleted. Moral of the story: don't assume. Beyond an accidental data breach, there is also the possibility of a vendor using a former partner's data for internal development, for example to train machine learning models. Organizations must prevent this by stating in clear, specific and legally binding terms how the vendor will delete data when the partnership ends, how deletion will be evidenced, and what the consequences will be if it does not.
Create a culture of shared responsibility and continuous improvement
Taking a team approach to due diligence means that the chief information security officer (CISO) does not have to shoulder the entire responsibility of mitigating third-party vendor risk. The SEC charges against SolarWinds and its CISO set a troubling precedent: a CISO can personally take the fall even when the problem stems from an organization-wide dysfunction. If IT and business teams support the CISO in evaluating third-party vendors, it sets the stage for future cross-team collaboration, increases organizational buy-in, and produces better security outcomes.