Managing Third-party Cyber Risks

Today, cyber security risks are well known and widely recognized. With multiple information systems that collect and store vast amounts of critical data, and internet-connected or smart systems to help improve efficiency and performance, your organization faces added risks that need to be managed.

We know that cyber security incidents result in financial, reputational and legal damage, and as a result, cyber security has found a place on the agenda of managements and boards. Yet, those risks are constantly expanding.

The expansion of risks: Third-party vendors

Third-party vendors that provide in many cases specialized products and services to your organization have also increased in number over time. Multiple third-party vendors exist today, which can include call centres, ecommerce providers, collection agencies, outsourced information technology (IT) or software solution providers, paper shredders, amongst many others. These vendors may have suppliers, who in turn also have suppliers—so third-party vendors result in expanded ‘nth parties’.

These vendors typically have access to the organization’s information or network in some manner, which could access to your IT systems, operational technology (OT) systems, software & applications, or even your most sensitive data. Multiple third-parties can be connected to your systems, and are collecting, aggregating or storing this data. They expand your organization’s supply or value chain, but also your risk profile.

Many of the risks that organizations face today can emerge from these third-party or nth-party vendors. The expansion of access points through vendors increases weak links in the value chain—something attackers are constantly scanning and looking for. Whether it is through your network, or an extended vendor’s link back to you, they can find an entry point and cause damage.

In the age of digital disruption, third-party vendors tend to be smaller in size, and more nimble. Yet, they may not have the same level of preparedness and guards in place, and can be soft targets. Having a robust third-party risk management program is vital to mitigate these risks and improve outcomes for your organization.

31% of vendors are considered a material risk in the event of a breach

The breach of information that took place at Target in 2013 was one of the first cases in the media to highlight the risks that third-party vendors can bring.

A vendor had access to the Target network, but because Target did not adequately secure access, threat actors found a way to enter the environment and access payment card information. The loss for Target from that incident is reported to be close to US$300 million.

Some newer incidents have also been reported in the media, including for some well-known technology firms through their vendors. There has also been an incident with attackers accessing finance and payroll directories of a large and well-known organization by finding a weak link in the supply chain, and then uploading the folders to the cloud.

If technologically advanced organizations have weak links through their vendors that attackers can exploit, they definitely exist in other organizations. Today, it’s often not a question of whether they will attack an organization, it is a question of when they will attack.

How well you are prepared, and how difficult and expensive you make it for the attackers, will determine how much you deter or reduce the impact of such attacks.

An experimental study: How easy is it to get critical information?

At the National Conference for YPO in Toronto in 2016, we conducted a study amongst the 400 attendees of the conference, most of which were company chief executives. A rogue Wi-Fi network was set up by us. When people tried to log in through their personal email or Facebook accounts, as many public Wi-Fis require today, their login credentials including their passwords were obtained.

Of course, we provided full disclosure about the experiment and did not save their passwords. However, 16% of senior executives provided their credentials. What it revealed to the attendees of the conference was how easy it is to steal key information.

Managing your risks: Building third-party risk management programs

The point of discussing some of these risks and real-life examples is to establish that all risk cannot be eliminated. It’s usually a matter of time before an organization is breached through a weak link internally or in their value chain. However, the point is to minimize risks through robust third-party risk management (TPRM) programs, without the programs becoming too cumbersome.

The main objective of a TPRM program is similar to the current COVID-19 vaccine. It may not eliminate all risk of disease, but it significantly reduces the risk of extreme disease and outcomes.

In the case of TPRM, a robust program won’t entirely eliminate the likelihood of a breach, but it reduces the extreme outcomes an organization can suffer.

Third-party risk management program

Third-party risk management design

Whether you are establishing a TPRM program due to regulatory requirements, to reduce your risks, or both, a basic step-by-step approach is outlined below:

  1. Develop the assessment framework you will use. This could include:
    1. Regulatory requirements such as those from the Office of the Superintendent of Financial Institutions (OSFI), Payment Card Industry (PCI) amongst others
    2. Standards or policies you are trying to align with such as ISO 27001/2
    3. External assessment criteria such as contraction requirements or reputational impact
    4. The ‘crown jewels’ in your organization it is most important to protect
  2. Conduct workshops
  3. Develop standard reporting
  4. Identify and recommend tools across the board, such as automation tools
  5. Review your program with the right stakeholders, and adjust it as necessary
  6. Perform third-party risk assessments based on risk levels of vendors—high, medium and low risk levels, with vendors at high risk levels requiring more depth and frequency
  7. Collect information from vendors
    1. Notify and engage your vendors since having open communication and understanding can lead to greater cooperation
    2. Execute an assessment plan through questionnaires or passive risk tools
    3. Gather information from vendors using an adaptive and agile approach, through self assessments, clarification questions, evidence gathering, and if needed, additional testing
  8. Analyze the results you obtain from vendors, identify gaps, rate your vendors, and try to build in improvements if needed

With the fast-evolving cyber security and third-party risks your organization faces, it’s important to think of your TPRM program as a marathon, and not a sprint. It’s better to get started right away, but continually adjust and plan for the long term, rather than treat is as an intensive one-time exercise.

If you’re looking to learn more about how you can decrease your risk with third-party vendors, contact us for a free assessment and we will help you roadmap your path forward. Reach out to our team to get started.

Request a free consultation to identify your third-party cyber risk profile.



 

Author: Eugene Ng

Eugene Ng, CISSP, is MNP’s Cyber Security Leader for Eastern Canada. A member of the firm’s Enterprise Risk Services team, Eugene identifies security technology, products and services that give clients a competitive advantage.