To enable their own digital transformation, organizations rely on an ever-increasing and expansive ecosystem of third parties to broaden and optimize their capabilities. By leveraging the extended digital capabilities of these external partners, organizations are better able to grow and compete in their respective markets. Whether these third parties are suppliers, contractors, vendors, business partners or joint ventures; third parties' "third parties" (i.e., Nth parties); or external technologies (e.g., Internet of Things (IoT), open APIs, artificial intelligence (AI), or others), organizations are looking to this network to enhance their business for a number of reasons, including:
- Cost savings
- Outsourcing and extending the labor pool
- Expanding quickly into new markets
- Innovating or leveraging innovations
- Participation in joint ventures
- Leveraging the third party's expertise
- Transfer of risk (such as through insurance)
- Engaging in new business models
- Compliance with regulations
The resulting relationships bring a host of benefits but also complicate, add to, or exacerbate existing risks to the organization. For example, one of the most critical risks companies everywhere face, if not the most critical, is cyber risk: the potential to be breached and lose customer data, intellectual capital, or more. Because many third parties are technology partners, have complex IT solutions, or lack security controls, they can introduce cyber risk into your environment. In fact, a 2018 Ponemon Institute study, "Data Risk in the Third-Party Ecosystem," showed that 56% of the organizations surveyed had experienced a data breach caused by one of their vendors.
Let's examine a few reasons why this statistic might be so high. With such complex partnerships and technologies today, how can you adequately reduce the risk third parties pose to your company? Most organizations do not know which risks are most critical to assess or even how to assess them. Others struggle to gain accurate and actionable risk data on their vendors because most of the data collection is manual or dependent on the third parties to self-assess and self-report. Organizations also struggle to efficiently scale their third-party governance program to accommodate an ever-increasing ecosystem of third parties. Finally, security and risk analysts can't confidently verify that third parties processing company data and customer data have sound security postures because of the lack of data, metrics, and reporting.
At a more foundational level, third-party management must follow a basic lifecycle, which includes the following steps:
- Properly engage with third parties;
- Perform due diligence to identify the types and amount of risk the third party poses to your organization (such as information security risk, financial risk, resiliency risk, strategic risk, environmental risk, etc.);
- Determine what digital channels your third parties have access to;
- Understand what basic treatments are in place, so the risk is at an acceptable level;
- Monitor online activities by third parties in real time; and
- Respond to threats and fraud attempts originating from third parties.
Managing third-party risk requires a multi-dimensional program. Companies often have multiple internal functions contracting with third parties, but they must eliminate silos to ensure a coordinated view of third parties and the activities they carry out on behalf of the company. Also, since not all external parties accessing your systems are known (e.g., IoT devices, AI), an integrated approach to understanding and managing business, information security, and fraud risks is the only way third-party risks can be effectively managed.
There is no holy grail for managing cyber risk from your third parties, and the risk can never be eliminated. However, there are steps that should be taken to reduce that risk to acceptable and manageable levels, including implementing an effective governance and risk management program. There are many criteria for a "good" governance program; however, you can tell your program is on its way if you can make statements like these:
Our program can:
- Manage risk by real-time, on-demand, and continuous assessment of the most critical security risk indicators by third party
- View security issues for each third party and pinpoint potential exposures and root causes to be addressed
- Easily demonstrate risk control quality to regulators and standards bodies
- Prioritize efforts based on both technical and business value
- Allocate risk resources to where they are needed most – high-value, high-risk third parties
Learn more about managing third-party risk at rsa.com.