Managing increased risk of data breaches through third parties with increased data sharing
Haydn Brooks, CEO, Risk Ledger
Below is an insight into what can be expected from Haydn’s session at Vendor & Third Party Risk Europe 2023.
The views and opinions expressed in this article are those of he thought leader as an individual, and are not attributed to CeFPro or any particular organization.
What does the current cybersecurity landscape amongst third parties look like?
I’m optimistic about the outlook for third-party cybersecurity. Supply chain security has become a hot topic lately, and rightly so. There have been many high-profile breaches that have made the headlines, which, although every single breach is unfortunate and one breach is too many, they all serve a purpose to raise awareness. We can already see that companies are allocating more resources and placing higher emphasis on securing supply chains and enhancing third party risk management (TPRM) programs. The change in the threat perception, and the increase urgency are having a positive impact on improving the overall security in the supply chain.
There is also an increasing awareness among suppliers that their security posture is having a direct business impact, namely that it can both hinder or aid their ability to win and keep clients. This is another reason to further justify and drive increased investment in the area. What has also helped are new technology tools, which make it easier for SMEs to implement meaningful controls and enhance their security.
There are, however, many areas in which significant improvements are still needed to further increase the resilience of our supply chains. Companies rarely run security assurance against more than 10% of their immediate third-party suppliers. This is not least due to the significant costs associated with most TPRM programs. Risks further down the supply chain in 4th, 5th and through to Nth parties are relatively underappreciated risks that can also directly impact an organization.
Since a potential recession has been on the cards, we have been seeing companies tighten their budgets in several areas, security included, which is of great concern due to its potential to create a significant uptick in supply chain incidents moving forward.
How can we ensure maturity of vendor cybersecurity practices?
When you work with a supplier, you are entering into a working relationship that requires a level of trust. Currently, companies are focusing on auditing and punishing their suppliers which in a worst-case scenario can lead to an almost adversarial relationship between them. This in turn can have a detrimental impact on both parties’ security. As a result, the supplier might be encouraged to hide problems from the client in order to avoid punishment or even lose the business. Clients are then left with a very opaque view of their ‘real’ security maturity, and also encounter a greatly reduced ability to actually help suppliers improve their security posture when unaware of their challenges.
We need to adapt and move to a new methodology that promotes collaboration and trust allowing suppliers to be more open to sharing security data without fear of reprisal. Clients can better help their suppliers improve their security whilst simultaneously being able to implement internal controls themselves to minimize possible impacts of potential supplier attacks. We call this new methodology Defend-As-One. Defend-as-One looks to change the still common view of the supply chain being your biggest exposure to risk, to regarding it as your biggest source of actionable information to better defend your organization.
How can we ensure effective handling and treatment of data?
First of all, know what data you have and where it is actually going. You cannot have a handle on the security of your data if you don’t know who you are sharing it with. This means having a full and comprehensive supplier inventory (and working with procurement to maintain it) and understanding what data each one of those suppliers handles on your behalf.
In addition, ensure that each supplier handling data is meeting your security expectations. To ensure this, you need to ask questions and engage with them – you can audit them through questionnaires, or you can collaborate with them on a platform. Perhaps the most important question to ascertain early on is: how do they think about security? Is it a priority? What controls do they have in place?
Once you have a full inventory of suppliers and some level of assurance that they protect the data you share with them, then the next step is to make sure you are able to monitor your supply chain for problems that may occur in order to be able to react to them quickly so as to prevent them from impacting your organization.
How can we gain visibility across the entire supply chain?
Although full visibility should be the goal, it is a hard goal to meet, and so we shouldn’t let aspirations of perfection get in the way of good outcomes – right now we have very little visibility, so any extra visibility would help!
There are broadly only two ways of achieving significant breakthroughs with regard to greater visibility across the entire supply chain, and thus a more in-depth understanding of existing risks. The first is by using a data mapping tool that connects data pulled from the open web to try and infer what your supply chain looks like. Such tools might look at IP addresses in packet headers and try to generate an organizational map that reveals and visualizes interdependencies within your supply chain.
The second option is to use a platform. By joining a network of clients and suppliers all working together to defend-as-one on our platform, you not only gain unparalleled and continuous insight into your own suppliers but also further down the supply chain beyond third parties. This will allow you to understand where you sit within your supplier ecosystem and how different incidents may impact your organization given those interdependencies.
Beyond third parties, what are some of the biggest vulnerabilities within the supply chain?
The most interesting one to me, and one that has emerged only in the past 10 years, is systemic risk, or concentration risk. To use the financial sector as an example, concentration risk means finding out who the key organizations are in the wider financial sector supply chain ecosystem that are so important (based on interdependencies) that if they were to have a major cybersecurity incident, this would not just affect a few immediate clients, but threaten to bring the entire sector to its knees. The answer at the moment, is that we simply don’t have this answer yet. There are intricate and far from obvious interdependencies in the wider supply chain ecosystem for different industries, including critical national infrastructure, that can cause a security incident in one company to have far-reaching knock-on effects on other companies and potentially entire industries as a whole.