5 biggest risks of using third-party service providers (2024)

Outsourcing business services to a third-party provider might present risk to your organization’s security, reputation, and regulatory compliance. Sound third-party risk management is the answer.


As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to do so, but the use of third-party services can also come with significant — often unforeseen — risks.

Third parties can be a gateway for intrusions, harm a company’s reputation if a service malfunctions, expose it to financial and regulatory issues, and draw the attention of bad actors from around the world. A poorly managed breakup with a vendor can also be perilous, resulting in the loss of access to systems put in place by the third party, loss of custody of data, or loss of data itself.

What is third-party risk management?

Third-party risk management (TPRM) is a risk management discipline that involves identifying, assessing, and mitigating risks associated with use of external parties, such as partners, vendors, suppliers, contractors, and service providers. Such third parties often have access to a range of your organization’s systems and data, and they often operate as key participants in your organization’s critical business operations. As a result, third parties can increase your cyber risk profile, given that any security issues they might incur can have a follow-on effect on your organization.

Also often referred to as vendor risk management, TPRM gives organizations a framework for identifying all third parties that have access to organizational systems, data, and facilities. It also ensures your organization has assessed the risks associated with each third party it uses based on what that third party can access, what its security practices are, and what threats it is likely to be exposed to.

To mitigate third-party risk, organizations must engage with the third parties they rely on to conduct security assessments and audits of their security practices. They must also establish clear contractual agreements that spell out security expectations and responsibilities for all parties involved. Successful TPRM also requires ongoing monitoring and oversight to ensure third-party compliance with agreed-on measures, as well as the development of incident response and remediation strategies should any issues arise.

Why is third-party risk management important?

Reliance on third-party services is on the rise. As a result, organizations find themselves increasingly subject to potential security issues incurred by entities they partner with.

“Organizations are increasingly reliant on third parties, such as technology and cloud vendors, which store sensitive data or access critical systems,” says Luke Ellery, an analyst at Gartner. “This risk is higher if the third-party’s cybersecurity controls are poor. There is also the risk that the third party’s own suppliers are compromised. If the data or systems are compromised, then the impact could include brand and reputational damage, legal and regulatory fines or penalties, and remediation costs.”

The use of third parties is a broadly accepted necessity for many businesses, says Hanne McBlain, senior director with technology research and advisory firm ISG, but they need to be managed on an ongoing basis. Third-party partnerships come with inherent business risks by moving aspects of control beyond a company’s walls. This takes on a particular urgency considering 98% of global organizations were connected to at least one third-party vendor that has been breached in the past two years, says Caleb Merriman, CISO at Deltek, a provider of software for project-based businesses.

Top third-party cybersecurity risks

Here are the five main cybersecurity risks that third-party services expose you to:

Compromised customer and company data from cyberattacks

Indirect cyberattacks — successful breaches coming into companies through third parties — increased to 61% from 44% in the last several years, according to the World Economic Forum’s Global Cybersecurity Outlook 2022. One of the reasons this occurs is that many companies don’t have the proper controls in place to effectively offboard third-party vendors, says Peter Tran, CISO at IT and security consulting firm InferSight. “They don’t have the processes in place to control the access management rights and provisioning that these accounts have, which leaves the door open for cyberattackers who look for aged accounts that are still active,” he says.

Data obtained from third-party breaches can be abused by threat actors to perform various malicious activities, including identity theft, fraud, account abuse, and external account takeover attacks, says Ariel Weintraub, CISO at MassMutual. Threat actors frequently use compromised credentials and data sourced from third-party or even fourth-party breaches to gain access to other victims’ environments.

“A third party might be attacked while hosting a company’s data or an attacker targets the third party first and then uses that to reach your IT systems,” says Michael Orozco, a cybersecurity analyst for MorganFranklin. He says that due diligence and ongoing monitoring of vulnerabilities throughout the vendor lifecycle will help reduce that risk.

Implementing a defense-in-depth approach to limit a third party’s access to an organization’s network is critical to preventing adversaries from gaining an escalation of privilege, Weintraub says. As such, companies must fully vet all third-party vendors before allowing them access to their systems to ensure that they’ve implemented the proper security protocols. “Third parties are always a concern when it comes to who has our data; that’s why we are continually assessing new and existing third parties in a manner commensurate with cyber-risk to the company.”
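Tran’s point about aged vendor accounts that survive offboarding, and Weintraub’s point about limiting what a third party can reach, both come down to checks an identity team can run on a schedule. The script below is an added example and is not code from the article or from any vendor quoted in it. It audits a constructed list of vendor accounts in the shape an identity-provider export might take; the field names, the 90-day dormancy threshold and the set of privileged role names are assumptions to be replaced with your own.

```python
"""Audit third-party (vendor) accounts for offboarding and least-privilege gaps.

Added example, not from the article. The account record layout, thresholds and
role names below are assumptions; map them onto your own IdP export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Policy thresholds (assumptions; tune to your contracts and risk appetite)
STALE_DAYS = 90                                   # no sign-in this long => dormant
PRIVILEGED_ROLES = {"admin", "domain-admin", "db-owner"}


@dataclass
class VendorAccount:
    username: str
    vendor: str
    enabled: bool
    mfa_enforced: bool
    roles: Set[str]
    contract_end: Optional[date]      # None = no end date recorded for the engagement
    last_login: Optional[date]        # None = never signed in
    expires: Optional[date]           # account expiry configured in the IdP, if any


def audit_account(acct: VendorAccount, today: date) -> List[str]:
    """Return finding codes for one account (empty list = no issue).

    Disabled accounts are skipped: the offboarding failure mode is an account
    that is still *enabled* after the vendor relationship has ended.
    """
    findings: List[str] = []
    if not acct.enabled:
        return findings
    if acct.contract_end is not None and acct.contract_end < today:
        findings.append("ACTIVE_AFTER_CONTRACT_END")   # offboarding never happened
    if acct.expires is None:
        findings.append("NO_EXPIRY")                   # access is not time-bound
    if acct.last_login is None or (today - acct.last_login).days > STALE_DAYS:
        findings.append("DORMANT")                     # the "aged account" attackers look for
    if not acct.mfa_enforced:
        findings.append("NO_MFA")                      # a leaked vendor password is enough
    if acct.roles & PRIVILEGED_ROLES:
        findings.append("PRIVILEGED_ROLE")             # review against least privilege
    return findings


def audit(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account with at least one finding."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        found = audit_account(acct, today)
        if found:
            report[acct.username] = found
    return report


# Constructed sample data: three vendor accounts as an IdP export might list them.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # Service account for a vendor whose contract ended; still enabled, no MFA,
    # owns a database role, last seen in January.
    VendorAccount("svc-acme-backup", "Acme", True, False, {"db-owner"},
                  date(2023, 12, 31), date(2024, 1, 10), None),
    # Healthy vendor user: time-bound, MFA, read-only, recently active.
    VendorAccount("acme-j.doe", "Acme", True, True, {"reader"},
                  date(2024, 12, 31), date(2024, 5, 28), date(2024, 12, 31)),
    # Properly offboarded: disabled, so it produces no findings.
    VendorAccount("oldco-ops", "OldCo", False, False, {"admin"},
                  date(2022, 1, 1), None, None),
]

if __name__ == "__main__":
    for user, codes in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(codes)}")
```

Run this against a real export on a schedule and route `ACTIVE_AFTER_CONTRACT_END` and `DORMANT` findings to the team that owns the vendor contract, not only to the identity team; the contract owner is the one who knows whether the relationship has actually ended.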

Financial risk from incident costs, lost business

The cost of intrusions can be incredibly expensive and cybersecurity insurance does not always cover breaches if companies aren’t protecting their systems in the right way, says Jay Pasteris, CISO and CIO at the managed services firm GreenPages.

“The financial impact is what you’re going to lose, but you’re also going to have reputational damage to the organization,” he says. “You’re going to lose customers. You’re going to lose the confidence of new customers, you’ve lost the confidence of existing customers, therefore, you’re losing a revenue stream…. And it’s a lot of money to replace an existing customer. So that financial impact adds up really fast.”

Reputational damage, loss of customer trust

Even when a breach does not occur within the four walls of a company, a breach at a third-party service that involves the client company’s data or its customers may still require that company to make a statement or notify affected individuals. “Due to this downstream impact, the reputational impacts may far exceed the financial damage,” Weintraub says.

Negative publicity from a service provider’s breach can injure a company’s good name or standing, and unfavorable public perception of a business can begin with issues that originate with a third party in their vendor list. Customer complaints about a service provided by a third party are a good indication there’s a potential problem, Orozco says. “Customers don’t see that your assembly, your product, your services, your ability to interact with them is supported by third parties,” he says. “They only see your name, your brand, and your inability to satisfy the commitment [you’ve made to them].”

Many organizations take proactive measures to ensure that their third parties are effective data custodians. However, when a third party comes with its own vendor supply chain, things get much more complicated, Weintraub says. “As you continue down the line of your vendors and your vendors’ vendors, it can be difficult to have insight into all these entities and the maturity of the third-party risk programs that are protecting sensitive data at the level of rigor that you expect,” she says.

Geopolitical risk

The war in Ukraine has highlighted the need for organizations to monitor political developments very closely and be prepared to act in volatile situations, according to McBlain. Organizations need assurance that all supplier, partner, and joint venture activities in jurisdictions subject to sanctions have ceased.

“However, the war in Ukraine and the associated sanctions of Russia and Belarus are not the only geopolitical risks to take into consideration,” she says. “Suppliers with operations in countries prone to regime volatility, such as military coups, violent uprisings, and oppression of minorities in a systemic manner, require careful and continuous monitoring.”

Political volatility often comes with a proliferation of nation-state cyber espionage. Organizations need to ensure that their third-party vendors thoroughly vet their contractors for connections to governments known to engage in such acts, Weintraub says. “Third parties may unknowingly hire freelance IT teleworkers that have been dispatched by nation-states to generate revenue for the country’s authoritarian regime or gain access to corporate networks,” she says. “Although they may not engage in any malicious cyber activity while performing their jobs, they may use their privileged access to enable malicious cyber intrusions from inside. This makes detection of malicious activity difficult.”

Regulatory compliance risk

Third-party vendors also expose organizations to compliance risk when they violate governmental laws, industry regulations, or companies’ internal processes. Vendor non-compliance could subject the companies hiring them to massive monetary penalties.

For example, organizations need to check that their third-party vendors can produce a current SOC 2 report. SOC 2 is an AICPA attestation against the Trust Services Criteria, intended to show that a service provider protects its customers’ sensitive data from unauthorized access; a Type II report, which covers the operation of controls over a period rather than their design at a point in time, is the more useful evidence. Organizations must also ensure that third parties comply with privacy and security laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), he says.

“Compliance is a huge risk,” says Pasteris. “You may be in compliance and have the necessary controls in place, but all of a sudden you add these third parties into the mix and if you’re not evaluating [whether they have controls in place], you could be breaching your compliance stance.”
