By Scott Schneider, Chief Revenue Officer, CyberGRX
With the increasing pressure of disruptive technologies – Uber vs. taxis, Netflix vs. Blockbuster, Amazon vs. Walmart, Airbnb vs. hotels, YouTube vs. cable TV, Spotify vs. Best Buy – organizations must be nimble to compete in a global marketplace. Speed and agility are paramount to survival and growth.
This shift in business economics is driving increased acceleration of outsourcing. Today’s businesses outsource many key business processes to third parties – payroll, software development, office cleaning, legal representation and more. These third parties allow the business to focus on their core competency and deliver products and services to the market better and faster. But with convenience and speed comes increased cyber risk.
Cyber attackers – characterized by greed, speed and convenience – are in tune with this trend. Why attempt to breach a large organization with great people, processes and security technologies when an attacker can attack a smaller, less resilient firm and ride in on a trusted connection?
According to the 2016 PwC Global State of Information Security Report, “third-party contractors are the biggest source of security incidents outside of a company’s employees.” And with the increase in third-party regulatory scrutiny, organizations are scrambling to mitigate risk from this growing vector.
Today, organizations perform hundreds or even thousands of cyber risk assessments on each other, ranging from self-questionnaires to on-site reviews. These reports are static and provide very little visibility into the changing cyber posture of their third parties over time. Each is merely a snapshot in time that, in most cases, is shoved into a repository and never looked at again – a compliance exercise at best.
To make the problem worse, these third parties spend a significant amount of time and money responding to these cyber assessments. For example, I recently spoke with a small company in Texas with just over 100 employees spending north of $200k annually to assure their upstream business partners that they are secure and can be trusted.
The process is not only inefficient – it’s also ineffective. So where is the balance between leveraging outsourced resources that contribute to scale and growth and reducing inherited cyber exposure that a third party may introduce? This is certainly not the first time that speed and risk have collided. Enter Third-Party Cyber Risk Management (TPCRM).
Globally-dispersed, highly-networked and digitized businesses face new security and resiliency risks from their digital ecosystem at a rapidly growing rate. As a result, they have established third-party risk management programs – in many cases in the early stages of development – to better identify, assess, mitigate and oversee the risks created by vendors, partners and customers in their digital ecosystem.
But preventing cyber risk from thousands of third parties is not a simple or easy problem to solve. How can one company prevent cyber risk originating in a completely separate company, one over which it has no true visibility, oversight or control?
Third Party Cyber Risk – A Growing Challenge
- Financial services respondents ranked assessment of security capabilities of third-party vendors as the top challenge to their information security efforts. – The PwC Global State of Information Security Survey 2016
- In a June 2016 Ponemon Institute survey, 55% of small- and medium-sized businesses experienced a cyberattack in the last 12 months, with 41% saying they were impacted by third-party mistakes.
- Approximately 66% of companies extensively or significantly rely on third-party vendors. According to The Institute of Internal Auditors Research Foundation (IIARF) survey, another 34% moderately used third parties. Just 1% of respondents used very few vendors.
- The average company’s network is accessed by 89 different vendors each week.
Evolution of Third Party Cyber Risk Management
TPCRM has evolved to be complex and expensive, more bent on compliance than risk mitigation. There are three major factors driving TPCRM program enhancement today.
Business leaders want to know:
- How do we reduce the number of attacks that originate from a third party? — Fortune 500 companies typically have between 10,000 and 80,000 third parties. It only takes one, like a mechanical contractor, to be compromised and allow the attackers to ride in on a trusted connection.
- How do we move from a compliance based program to a risk management stance? — The majority of TPCRM programs are geared toward compliance and are not risk-based approaches. This compliance slant prevents organizations from truly working to identify and mitigate real issues based on actual threats and countermeasures. Most organizations are largely searching for ways to get their assessments completed to avoid regulatory findings.
- How do we reduce costs associated with TPCRM? — A few years ago, when TPCRM became part of most security and risk organizations’ strategy, budget was easy to come by. Leaders said, “Fix the problem at all costs.” Today, business leaders are looking for ways to address the growing third-party risk problem while simultaneously searching for economic efficiency.
The challenges for an organization to create an effective and efficient TPCRM program are not trivial. To understand and implement a successful TPCRM strategy, companies must:
- Fully understand their cyber exposure across their entire third-party portfolio, so that inherent risk can be tracked as it changes.
- Properly tier their third parties to ensure appropriate due diligence is performed consistently, continuously and according to policy.
- Understand the controls their third parties actually have in place vs. relying solely on self-attestation questionnaires.
- Correlate threat intelligence with control gaps to dynamically reprioritize and re-tier third parties.
- Collaborate efficiently with third parties to ensure rapid completion of remediation steps.
- Enable their third-party portfolio to scale its business services rather than spending its time completing hundreds of spreadsheets.
The answer is not singular and must include best practices involving people, process and technology. The one thing that is clear is that a model more like S&P or Moody’s for financial credit ratings should exist in the cyber assessment market to benefit both customers and their third-party ecosystem.