Table of Contents
Ms. Doyle’s warning should be evident for risk and compliance officers. A mistake by a vendor or contractor can result in a costly and time-consuming error for a company that can also lead to reputational damage if customers are affected. This is especially true with cybersecurity, where there have been numerous examples of companies adversely affected by preventable mistakes made by vendors in their supply chains. One has to look no further than the recent supply chain attacks on software manufacturer Solarwinds Corp. and Microsoft Corp.’s Exchange email software. These attacks, which were very difficult for customers to prevent, may have infected tens of thousands of companies globally and the wide reaching effects are still not fully understood.
Perhaps the most high-profile third-party attack was the breach that affected Target Corp., which started with compromised email credentials from a refrigeration and air-conditioning contractor for the retail giant. The attack resulted in approximately 40 million stolen credit and debit records, an $18.5 million multistate lawsuit settlement and a significant black eye for the company’s reputation. This should be a cautionary tale for businesses around the globe that have third-party suppliers.
The Crux of the Challenge
The supplier ecosystem provides a highly desirable target for cybercriminals. A successful attack on one company’s network opens up numerous opportunities to expand into other connected businesses. It may take weeks before the intrusions are revealed, if they are ever discovered, providing ample time for the attackers to infiltrate multiple systems without being detected.
Complicating matters is the multiple attack vectors criminals can use to infiltrate a supply chain. These include stealing login credentials from third-parties (Target), exploiting third-party software updates (SolarWinds), or injecting malicious code into vulnerable applications or software to steal customer payment card information.
And the potential damages from third-party breaches are substantial. Examples include significant operational downtime, loss of sensitive information and revenue, reputational damage, compliance issues and legal complications, including fines.
Designing and Implementing a Plan
The dangers posed by third-party vendors are apparent, but what can be done to minimize them? third-party cyber risk management is a strategic approach that enables an organization to analyze and monitor cyber risks associated with suppliers, vendors and other service providers. A well-organized program can mitigate third- party cyber risks while facilitating the general process for on-boarding and managing third-party suppliers.
There are a variety of approaches to third-party cyber risk management, some of which can be found in this paper’s Resources section. Many adhere to the following format:
- Identify: Compile a current list of vendors and suppliers by working with an organization’s procurement office.
- Prioritize: Develop a rating system that ranks and prioritizes the third parties based on the following considerations:
- Their level of access to your network
- The importance of the relationship to your business
- Their cyber profile and precautions taken
- The criticalness of data that can be accessed
- Assess: Conduct a full audit of your partners and assign each one a score.
- This can be done by sending all of the relevant parties a questionnaire that will deliver insights into their cyber practices and potential risks to your operations.
- An outside consultant with experience designing and analyzing the results of TPCRM questionnaires could be brought in.
- Technology solutions that ingest a list of third parties and provide scores, as well as providing on-going scanning, are also an option.
- Respond: Take action with the organizations in the order of the risk they pose, with the following options:
- Accept the risk an organization poses
- Work with the third-party to improve its posture to a tolerable level and monitor while it makes corrections
- Remove the third-party based on the risk and seek a replacement with cyber posture in mind
- Track: Conduct follow-up inquiries to measure progress.
- Standardize: Establish an on-boarding process for every new partner with one of the stipulations being data breach notification requirements in the contract.
- Revise: Conduct regular reviews of the program to enable enhancements.
High-Level Guidance from a Cyber Risk Expert
Eric Fiedberg, co-founder and co-president of risk consulting firm Stroz Friedberg, spoke with WSJ Pro Research and recommended the following best practices for cyber risk management:
- Design a thorough but ingestible questionnaire that identifies significant risks and promotes transparency and accountability, while obligating the vendor to provide hard data and allow an inspection if an incident happens.
- Ensure that staffing and budgeting for the TPCRM process makes it possible to cycle through third-party vendors in a short amount of time so important vendors do not go unattended for years.
- Pay attention to the risk posed by the trojanization – malware that misleads users of its actual intent – of software providers and the risk of installing malware during updates. Do you trust your software providers? Can you detect malware and see its potential exploitation?
Insights from Third Party Cyber Risk Management Workshop Highlights
On May 10, 2022, the WSJ Risk & Compliance Forum included a workshop on third-party cyber risk management. Kelli Tarala, principal and founder of digital security firm Enclave Security and SANS Institute third-party cyber risk instructor, and Anson Fong, chief information security officer at Los Angeles World Airports, provided their ‘Insights from Third Party Cyber Risk Management.’ The following key findings and professional tips were discussed during the workshop.
Structuring for Success
Proper preparation and having safeguards in place are key first steps in the development of a robust third-party cyber risk management program.
- Know Your Network and Vendors: Organizations need to understand their networks, what they’re connected to, and where the data flows, because this will help to better understand how to protect them. It’s also important to conduct an assessment to see who the vendors are and what they can access.
- Control Data Access: Due to increased reliance on cloud storage, there are more and more entry points for getting into a network. Emphasis should be placed on access control, including third-party consultant contractors who have to read, write or modify access to critical data.
- Involve the Right People: When starting a program, coordinate with the chief information security officer, the chief information officer, the chief risk officer (if the business has one) and representatives from the legal, procurement and purchasing departments. It’s also important to keep the board of directors apprised of cyber risk so they aren’t blindsided if an incident happens.
“I see organizations doing good things and the documentation is lacking a little bit. If we don’t document it, it didn’t actually happen.”
Maturing the Program
Developing a mature and comprehensive third-party cyber risk management program does not happen straight away. After a program is started, it may take months or even years to assess the security questionnaire results from hundreds of third-parties, prioritize which vendors have vulnerabilities that need to be addressed and make necessary adjustments to the program to minimize risk.
- Expand Your Toolkit: Researching the dark web can be a useful tool for tracking suppliers and vendors. Determining if a third-party has experienced a data breach or a data leak that is being sold on a dark web market can provide insight into its vulnerabilities and security posture.
- Frameworks Matter: Find out what security controls framework third parties are using. Knowing a vendor is using an established framework such as the Center for Internet Security’s Critical Security Controls framework offers a level of confidence that those vendors have a plan and are taking security seriously.
- Take the Next Steps: A mature program will have advanced from practicing basic hygiene, such as inquiring about a vendor’s information security policy and determining whether a third-party is sending data to fourth and fifth-parties; to intermediate hygiene, which involves documenting processes; then being proactive by reviewing the processes for their effectiveness, which will lead to a fully optimized vendor management program.
- According to Mr. Fong, your organization is only as secure as your weakest link.
- Risk isn’t just an IT concern, it is organization-wide.
- Ms. Tarala said risk management is a contiguous approach involving threat monitoring, control implementation and validation, risk reporting and risk response.
- You may not get a perfect solution the first time; keep refining in light of your company’s culture and needs.
Watch the ‘Insights from Third Party Cyber Risk Management’ workshop here. All WSJ Pro Cybersecurity research reports, webinars, events and data are available at www.wsj.com/pro/cybersecurity/research
WSJ Pro Research is a premium membership that supports executive decision making on critical business issues by supplementing the news with timely, in-depth research and data.
All WSJ Pro Cybersecurity research reports, webinars, events and data are available at wsj.com/pro/cybersecurity/research
Meet the Author
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8