Analysis
A Tale of DNS & BGP: Facebook Outage Post Mortem Oct 2021
Third-party management is more important than ever before. Usage is up across all industries, especially as more and more companies are looking to take advantage of cloud-based vendors. A Flexera 2022 State of the Cloud Report surveying 753 global cloud decision makers and users found that 57% of respondents’ said a top cloud initiative was migrating more workloads to the cloud while 42% said a top initiative was moving from on-prem software to SaaS companies.
Suppliers and production partners are also vital for many companies whether they’re providing raw materials, shipping products to resell, or are new Production as a Service (PaaS) partners, a new outsourcing model that can provide a global annual manufacturing value of $900B.
The increase of third-party use is also resulting in an increased attack surface. The more third-parties a company has, the more access points a bad actor can use. This is partly why, over the last few years, third-party risk has become a crucial component of a company’s overall risk management and cybersecurity strategy.
Even regulators are taking note and putting the onus on companies themselves. As the contracting party, you are accountable to your customers and clients for your third-party’s actions and mistakes.
This is why third-party governance and risk management (TPGRM) is important for companies to focus on. However, the approach needs to take into consideration today’s modern third-party environment. In this article, we’ll provide some foundational principles worth adopting while giving you clear action items and helpful resources to help build out a comprehensive TPGRM strategy.
You can’t manage what you can’t see and when it comes to third-parties, they can be a sneaky bunch. Security leaders should leverage multiple tools, technology, processes, and policies that will help ensure you’re aware of the third-parties in your environment and any future ones.
Remember that other departments will likely add new SaaS apps on a regular basis. This includes services like payroll management, marketing automation tools, communications tools, and more. Even a social media app can expose a company if the integration is deep enough or if it provides users with access to critical data. Third parties also include partners like shipping partners, product or material suppliers, and even outsourced talent who may have access to certain folders or data you wouldn’t want out in the public.
While a compromise on these physical-based partners may not result in a data breach, it can still affect your company negatively. Apple’s product supplier Quanta, suffered an attack in 2021, resulting in their product plans leaking. For a company who pours millions in marketing, product planning, and release strategy, this can severely affect how a new product performs.
Make third-party governance risk management (TPGRM) a key component of your overall third-party management. Not only is third-party risk increasing, it’s becoming a major vector bad actors are using to attack companies. A joint report from SecureLink and Ponemon Institute found that 51% of the companies surveyed suffered a data breach caused by a third-party.
Here’s just a sample of the risks involved:
Data exposure or network compromise - third-parties may have access to your environment or critical data and assets. If an unauthorised user compromises them, they may find their way towards your files. In some cases - third parties are the environment. AWS, Cloud or Hybrid infrastructure, Google Workspace are all third-parties that house other company’s critical assets.
Business continuity - If you’re relying on a third-party for web hosting, payment processing, shipping, or warehouse management (just to name a few examples), you may not be able to fulfill your commitments if one of those third-parties is compromised for whatever reason.
Customer and Reputational Risk - As we saw with this year’s Uber Hack (the result of a third-party compromise), a major pain point stemming from a compromise could be the reputational consequences.
Risk needs to be a central focus of your TPGRM strategy and it can facilitate an effective deployment of your strategy for both internal and external efforts.
You can’t be expected to manage all vendors by yourself so for optimal management, it’s important to engage with internal departments and set up a vendor management strategy that includes communication and response, especially in case of a compromise.
Working in silos can exacerbate potential risks. For example, if your payroll processing partner is compromised by a network intruder and there’s a risk that your employees’ information is exposed. If there’s no communication or incident response strategy in place, you may not even know that the compromise occurred, preventing you from taking the appropriate response. Once you do find out, it may be too late and your data might already be exposed.
However, if you’ve worked with your internal departments as well as made clear to your partners as to what the communication strategy is in case of a compromise, you may be alerted as soon as it happens and direct the appropriate stakeholders to remove your third-party’s access to employee data and minimise the risk that your data is exposed.
Now that you have an understanding of some of the key principles that can result in successful third-party management, here are some actionable steps you can take.
Get company buy-in: It’s hard to impact your company without key stakeholders being bought in. Make sure your executive team and heads of departments understand the risk and can both follow and enforce any policies that will improve your chances of visibility.
In a Report on Third-Party Governance and Risk Management, Deloitte “believes that board and C-suite ownership and oversight of TPGRM is critical to be able to exploit the opportunities and manage the risks from third-parties efficiently and effectively. This also facilitates multiple stakeholder buy-in at the functional level”
The key here is to make sure you’re communicating in a way that speaks to their incentives. Heads of finance and the executive team are more likely to respond positively if you’re clear that the risk of not managing third-parties effectively can impact revenue while the marketing team may be more receptive to knowing you’re going to help them reach GDPR compliance.
Use monitoring, discovery, and detection tools: There are multiple tools that can help provide insight on what’s in your environment, connecting to your environment, and accessing your environment. These include:
These platforms, tools, and software can complement more traditional third-party management efforts like risk assessments and due diligence processes, providing continuous monitoring and management capabilities. However, be aware that more tools won’t necessarily result in improved management — be strategic about leveraging tools and platforms in a way that amplifies your team’s efforts rather than burdens them with additional responsibilities.
Be part of the procurement process: You should be aware if and when any new third-party is onboarded and working with your company, regardless of department. The sooner you enter these conversations, the better you can manage them.
Work with your executive team and heads of department to guarantee that you have a seat at the table when it comes to bringing any new third-party. This includes being part of the due diligence process so you properly assess and manage any potential new risk while also ensuring that onboarding, integration, and implementation is done with security in mind (and that any interdependency risk is accounted for). This can include simple measures such as ensuring MFA is on for certain platforms or apps, or validating a third-party’s own data storage and processing is done securely.
Focus on collaboration
You shouldn’t be scared of your third-parties and you should instead actively work with them, stay in constant communication, and collaborate with third parties. This can help improve your relationships with them, future partnerships, streamline processes, while also ensuring that all parties are aligned to the same goals.
When it comes to risk management, it can also help you properly assess and understand where a third-party stands. In case their cybersecurity doesn’t hit the standard you’re looking for, you’re able to work with them and put together a plan that helps them improve their security controls so their own risk doesn’t pass on to you.
Keeping close communication can also foster a communal environment of information sharing which can be crucial for managing risk, especially in case of a security incident or compromise. The more information you receive, and the faster you receive, the quicker more informed decisions can be made, which can be the difference between a prevented attack and a successful one.
TPGRM is a lofty undertaking. With multiple stakeholders, internal and external partners to work with, and multiple ways to achieve certain goals, it would be helpful to leverage some pre-existing resources developed to help leaders. Here are a few we found that are worth checking out.
Collaborative Action Toolkit by Keystone and Dow - Initially developed as a blueprint thinking framework to help Dow achieve internal buy-in and work with external partners, this toolkit was further refined to help all organisations align internally and engage with external partners to reach their goals.
Third-Party Risk Management Framework by McKinsey - This white paper shows you how to benchmark your third-party risk management framework and offers an example with 9 dimensions worth assessing.
Third Party Risk Management Framework by Gartner - A study by Gartner found that 80% of third-party risks were identified after onboarding, exposing a significant security gap in third-party due diligence. Their framework here is designed to help streamline upfront risk management so you can properly assess risk prior to third-party onboarding.
A company’s success can be dictated by its relationships with its third-parties and suppliers. The closer companies work together and collaborate, the more efficient they can be and the faster they can reach their goals. When it comes to managing third-party risk, it should be a continuous effort that goes beyond point-in-time risk assessments and one-time questionnaires.
Ongoing and real-time third-party risk management can have material benefits. Deloitte found that a real-time approach to third-party risk management led to over hundreds of thousands of dollars in savings for multiple companies.
By leveraging some of the frameworks and tips we’ve provided, you should be able to work towards getting corporate buy-in across key departments to help improve visibility efforts while also promoting collaboration across your third-party risk which will result in a more secure and proactive cybersecurity positioning.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
