The benefits of a diverse, interconnected supply chain are compelling. Agility, speed, and cost reduction all weigh on the positive side of the equation. It prompts businesses to pursue close, collaborative relationships with vendors, often numbering in the hundreds or thousands.
On the negative side is the Pandora’s box of cyber risk, opened when enterprises expose their networks to third parties. In our modern interconnected working world, most businesses have an extended ecosystem of partners. It only takes one of those to have cybersecurity vulnerabilities to bring a business to its knees. The challenge facing today’s enterprise is working out which one!
It is complicated by several factors:
- The escalating global threat environment
- Increasing regulatory focus on cyber liability
- The high number and diversity of partners in the business ecosystem
- Exponential growth in data and alerts
- The tension between risk management and business agility, which pressures in-house teams to onboard new partners at speed.
Together these add up to a cyber risk management challenge that threatens to overwhelm all but the most highly resourced companies. As a result, breaches originating in third parties are common and costly. A Ponemon Institute/IBM study found that a breach being caused by a third party was the top factor amplifying the cost of a breach: it added an average of US$370,000 to the breach cost, increasing it to $4.29m.
A dive into the factors affecting the third-party cyber risk environment exposes the extent of the cyber risk management problem, and some of the questions businesses need to address.
An escalating global threat environment amid rapid digital transformation
Every business today operates in a global cyber threat environment that is growing in scale and sophistication. Attack tools that were previously accessible only to a small cohort of advanced cybercriminals can now be purchased in commoditized form. This allows millions of low-skilled attackers to launch attacks to destructive effect.
Cybercriminals have also recognized the potential of exploiting partner ecosystems to attack high-value targets with strong external cyber defenses. They compromise smaller, less well-defended partners and use stolen credentials to infiltrate the ultimate target, where they can disrupt, destroy or steal valuable data. This tactic is increasing in frequency, which means cyber risk can come from any partner who might inadvertently become an accessory to cybercriminals.
According to the Verizon 2020 Data Breach Investigations Report, while differences between small and medium-sized businesses (SMBs) and large organizations remain, the movement toward the cloud and its myriad web-based tools, along with the continued rise of social attacks, has narrowed the dividing line between the two. As SMBs have adjusted their business models, the criminals have adapted their actions to keep in step and select the quickest and easiest path to their victims.
Despite these growing risks, reliance on digital information exchange with third parties continues to increase. Organizations are pursuing digital transformation objectives, and this has been accelerated by the impact of COVID-19. Organizations have rapidly implemented digital workflows and software-based authorization systems as manual, paper-based processes have become off-limits. Digital networks have never been more important, and this has increased cyberattack opportunities.
Monitoring and mitigating third-party cyber risk in this environment is a 24/7 challenge. It has left businesses playing catch-up to the latest emerging threat.
Regulation adds complexity and tension
Regulators are responding to the growing impact of cyber breaches on businesses and consumers, and a raft of data privacy regulations has been implemented around the world. These establish the level of protection individuals can expect, and the liability of the companies that must safeguard their data. Accompanying them are cyber-focused frameworks applying to specific sectors, such as finance and healthcare, which set the rules around the procurement and management of third-party services like cloud infrastructure.
These regulations place a further onus on compliance teams to manage cyber risk in a way that demonstrates adherence to key regulations. This often raises a tension between activities undertaken for compliance purposes and those that are genuinely effective at reducing cyber risk, an issue we’ll explore in a future article. The situation is amplified by the scale and diversity of modern third-party ecosystems.
Which partners are a risk?
The days when big companies simply worked with a few similar-sized partners that had a comparable approach to security are gone. Today’s multitude of partners can be any size, in any location. Partners are chosen for their innovation, efficiency or specific expertise, not for the size of their security budgets. This makes managing their cyber risk even more important, but also much more difficult.
It is a Herculean task to identify and monitor cyber risk across this large, heterogeneous group, and bringing new partners on stream is made more difficult by the lack of available resources.
A lengthy vendor list means businesses struggle to work out where to start. Most organizations default to focusing on their tier 1, or top 100, suppliers. This raises questions such as:
- How are these suppliers identified?
- Are they the ones where the most money is spent?
- Are they the ones who provide the most mission-critical products or services?
- How much cyber risk comes from an entity based in an unstable political region?
Even if they restrict evaluation and monitoring to an arbitrary ‘top tier’, in-house teams face a heavy due diligence burden. Organizations are stuck in a cycle of tick-box, point-in-time compliance activities such as vendor surveys and annual site visits. These are labour-intensive and time-consuming. In a post-COVID-19 world, site access is likely to be limited and physical inspections are going to become much harder to complete.
On top of those limitations, the fast-changing threat environment means new cyber risk can emerge from any supplier, at any time. The aggregate cyber risk from the full vendor ecosystem is typically higher than the cyber risk from any single tier-one vendor. Companies must have continuous visibility into risk across their entire extended ecosystem. Without it, they can’t gain the assurance needed to satisfy internal risk appetite and external regulatory requirements.
Prioritizing risk in the context of the business
Organizations that have progressed to a data-driven approach, using third-party risk scoring products together with objective external insights such as threat intelligence, still face problems. Security ratings, for example, offer an independent benchmark, but they are still not useful without the context of the entity’s relationship with your organization:
- How essential is the product or service they are supplying?
- What regulations are involved?
These factors will influence tolerance for cyber risk. For example, if a partner company is of low importance and operates in an unregulated area, a lower security rating may be acceptable. Integrating context and tolerance with external data feeds takes time and resources that few businesses have.
In-house teams monitoring security software also face an unending stream of alerts, again lacking context. They often don’t have the bandwidth or expertise to analyze and respond to every alert and piece of data relating to third-party cyber risk. What is needed is to triage incidents and focus on addressing material issues while maintaining continuous visibility into the whole ecosystem, so that new threats aren’t overlooked.
Managed cyber risk services help manage third-party cyber risk
In the face of the complex environment described above, it is clear that organizations need help to manage third-party cyber risk effectively. A managed cyber risk service supports in-house teams by:
- Doing the heavy lifting of data collection and analysis in the context of the organization’s risk tolerance.
- Recommending and executing the actions required to remediate problems.
Experienced cybersecurity analysts help organizations cut through the noise and gain continuous visibility across the whole vendor ecosystem, not just the top tier. This means they can work out which partners constitute a genuine breach risk.
Third-party cyber risk is a growing concern as businesses continue down the path of digitization in a high-intensity threat environment. The costs of a breach are high, but the scale of vendor ecosystems means full visibility into cyber risk is often beyond the capabilities of in-house teams. The businesses best able to protect their organization and meet regulations will be those that seek external expertise to triage and manage incidents based on cyber risk tolerance and business context, freeing their in-house teams to focus on true cyber risk management.
BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO, Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200 and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry leading analytics and technologies.