Let’s say you are getting ready to go on a long trip. You buy a new alarm system, install tamper-proof windows, and install a fancy digital lock. Finally, you consider giving a spare key to your neighbor for good measure. Now, at this point, would you give it to a neighbor who leaves his own door unlocked, has been recently robbed, or is likely careless with your key? Instinctively, you would prefer giving it to a neighbor who will keep his own home secure, is not a target for burglars, and will handle your trusted key carefully. If you’ve ever gone through this process, you already have an idea of the importance of third party risk. Third party risk management entails mitigation of risks associated with third parties and can include suppliers, vendors, customers, joint ventures, and other external organizations.
Often you will hear cybersecurity professionals discuss the “attack surface” – essentially the portions of the infrastructure an adversary can attack. Third party risk is the portion of the attack surface that extends outside of the company. Unlike the traditional components of an attack surface (servers, endpoints, routers, etc.), third parties give a chief security officer few options to directly contain threats. There is also an issue of volume – many companies use dozens or even hundreds of third parties.
Protecting a potentially large threat surface while having little opportunity for direct interaction with the third parties may seem like a tough situation. But the key thing to keep in mind is the goal – and that is to mitigate the risk – not necessarily eliminate it. This is often why you hear third party risk management discussed in terms of a “framework” or “program.” Whatever you decide to call it, managing this sort of risk boils down to three key items: who, what, and where.
Who. Key here is identifying who are the third parties and how your business depends on them. Ensuring a formal process to qualify third parties so that they are tracked is an important step toward managing third party risk. Just as good security officers should have a way to understand the devices accessing the network, they should also have an accurate list of third parties.
What. The next question is what risks a given third party poses. Risk can be thought of as the product of threat and vulnerability. For threat, how much of a target is the third party, and who normally targets them? What is the normal method of attack? On the vulnerability side, one needs to understand what the third party does to mitigate such threats, typically through surveys and assessments – hence completing the picture of risk. Understanding the risk of an individual third party should not stop at an initial assessment; it should also include ongoing monitoring and/or periodic re-assessment.
Where. Finally, understand how each third party interacts with the company. For example, does the third party have access to customer data – and if so, is it limited? Other key questions include understanding what parts of the corporate network a third party can access. Answers to the “where” question are critical, as they can shed light on ways in which a security officer can work to mitigate exposure.
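To make the “who,” “what,” and “where” concrete, here is an added example of a minimal third party risk register, written for this page and not taken from the author or from CYR3CON. It assumes a 1–5 scale for threat and vulnerability, computes risk as their product as the text describes, scales that risk by the party's access (customer data and network zones) to reflect the “where,” and flags parties whose re-assessment is overdue. The three vendors, their scores and the weighting factors are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class ThirdParty:
    """One row of the register: the 'who', plus the 'what' and 'where' inputs."""
    name: str                    # who: the supplier, vendor, partner, etc.
    threat: int                  # what: how attractive a target (1 = low, 5 = high)
    vulnerability: int           # what: weakness of their controls per assessment (1-5)
    customer_data_access: bool   # where: do they touch customer data?
    network_zones: List[str]     # where: internal network segments they can reach
    last_assessed: date          # when the last survey/assessment was completed


# Constructed sample register; names and scores are illustrative, not real vendors.
SAMPLE_REGISTER = [
    ThirdParty("payroll-saas", 4, 2, True, ["hr-apps"], date(2023, 1, 15)),
    ThirdParty("office-cleaning", 1, 4, False, [], date(2023, 6, 1)),
    ThirdParty("managed-soc", 5, 1, False, ["dmz", "corp-lan"], date(2022, 11, 30)),
]

# Assumed weights (hypothetical): how much each kind of access amplifies risk.
CUSTOMER_DATA_WEIGHT = 0.5
PER_ZONE_WEIGHT = 0.25


def inherent_risk(tp: ThirdParty) -> int:
    """The 'what': risk as the product of threat and vulnerability (1..25)."""
    if not (1 <= tp.threat <= 5 and 1 <= tp.vulnerability <= 5):
        raise ValueError(f"{tp.name}: threat/vulnerability must be on a 1-5 scale")
    return tp.threat * tp.vulnerability


def exposure(tp: ThirdParty) -> float:
    """The 'where': scale inherent risk by how deep the party reaches into the company."""
    factor = 1.0
    if tp.customer_data_access:
        factor += CUSTOMER_DATA_WEIGHT
    factor += PER_ZONE_WEIGHT * len(tp.network_zones)
    return inherent_risk(tp) * factor


def reassessment_due(tp: ThirdParty, today: date, interval_days: int = 365) -> bool:
    """Ongoing monitoring: true when the last assessment is older than the interval."""
    return (today - tp.last_assessed).days > interval_days


def prioritize(register: List[ThirdParty]) -> List[str]:
    """Names ordered by exposure, highest first, so mitigation effort goes where it matters."""
    return [tp.name for tp in sorted(register, key=exposure, reverse=True)]


def overdue(register: List[ThirdParty], today: date) -> List[str]:
    """Names of parties that need a fresh survey or assessment."""
    return [tp.name for tp in register if reassessment_due(tp, today)]


if __name__ == "__main__":
    today = date(2024, 1, 1)  # constructed 'current' date for a repeatable run
    for tp in sorted(SAMPLE_REGISTER, key=exposure, reverse=True):
        flag = " (re-assessment overdue)" if reassessment_due(tp, today) else ""
        print(f"{tp.name:16} risk={inherent_risk(tp):2d} exposure={exposure(tp):5.2f}{flag}")
```

Note how the ordering differs from the raw threat score: the managed SOC provider is the most targeted party, but its strong controls and lack of customer-data access leave it below the payroll provider once the “where” is applied, while its stale assessment is what actually needs attention first.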
Modern businesses are becoming increasingly reliant on third parties – they offer great opportunities to decrease costs and increase efficiency. However, they also bring an associated element of risk. Fortunately, by carefully understanding, tracking, and analyzing the “who,” “what,” and “where” of third party risk, one can take actions to mitigate these threats. Next week, we will continue this series by discussing the major components of a third party risk management strategy.
Disclosure: the author is CEO of CYR3CON, a cybersecurity company that specializes in identifying cyber-threats in their earliest stages, leveraging both human analysts and advanced machine learning capabilities. In 2017, CYR3CON was named a finalist in PwC’s Cybersecurity Day, the Arizona Technology Council’s “Startup of the Year”, and MD5 Starts Austin, in addition to winning a Defense Innovation Challenge award.