Managing your organization’s third-party cyber risks

We know that cyber security incidents result in financial, reputational and legal damage, and as a result, cyber security has found a place on the agenda of management teams and boards. Yet, those risks are constantly expanding.

Third-party vendors that provide in many cases specialized products and services to your organization have also increased in number over time. Multiple third-party vendors exist today, which can include call centres, ecommerce providers, collection agencies, outsourced information technology (IT) or software solution providers, paper shredders, amongst many others. These vendors may have suppliers, who in turn also have suppliers—so third-party vendors result in expanded ‘nth parties’.

These vendors typically have access to the organization’s information or network in some manner, which could provide access to your IT systems, operational technology (OT) systems, software and applications, or even your most sensitive data. Multiple third-parties can be connected to your systems, and are collecting, aggregating or storing this data. They expand your organization’s supply or value chain, but also your risk profile.

Many of the risks that organizations face today can emerge from these third-party or nth-party vendors. The expansion of access points through vendors increases weak links in the value chain—something attackers are constantly scanning and looking for. Whether it is through your network, or an extended vendor’s link back to you, they can find an entry point and cause damage.

In the age of digital disruption, third-party vendors tend to be smaller in size, and more nimble. Yet, they may not have the same level of preparedness and guards in place, and can be easy targets. Having a robust third-party risk management program is vital to mitigate these risks and improve outcomes for your organization.

31% of vendors are considered a material risk in the event of a breach

• https://www.riskrecon.com/state-of-third-party-risk-management-report

The breach of information that took place at Target in 2013 was one of the first cases in the media to highlight the risks that third-party vendors can bring.

A vendor had access to the Target network, but because Target did not adequately secure access, threat actors found a way to enter the environment and access payment card information. The loss for Target from that incident is reported to be close to US$300 million.

Some newer incidents have also been reported in the media, including for some well-known technology firms through their vendors. There has also been an incident with attackers accessing finance and payroll directories of a large and well-known organization by finding a weak link in the supply chain, and then uploading the folders to the cloud.

If technologically advanced organizations have weak links through their vendors that attackers can exploit, they definitely exist in other organizations. Today, it’s often not a question of whether threat actors will attack an organization, it is a question of when they will attack.

How well you are prepared, and how difficult and expensive you make it for the attackers, will determine how much you deter or reduce the impact of such attacks.

The point of discussing some of these risks and real-life examples is to establish that all risk cannot be eliminated. Across all organizations, it’s no longer a question of if but rather when an organization is breached through a weak link internally or in their value chain. However, the point is to minimize risks through robust third-party risk management (TPRM) programs, without the programs becoming too cumbersome.

The main objective of a TPRM program is similar to the current COVID-19 vaccine. It may not eliminate all risk of disease, but it significantly reduces the risk of extreme disease and outcomes.

In the case of TPRM, a robust program won’t entirely eliminate the likelihood of a breach, but it reduces the extreme outcomes an organization can suffer.

Whether you are establishing a TPRM program due to regulatory requirements, to reduce your risks, or both, a basic step-by-step approach is outlined below:

1. Develop the assessment framework you will use. This could include:
   1. Regulatory requirements such as those from the Office of the Superintendent of Financial Institutions (OSFI), Payment Card Industry (PCI) amongst others
   2. Standards or policies you are trying to align with such as ISO 27001/2
   3. External assessment criteria such as contraction requirements or reputational impact
   4. The ‘crown jewels’ in your organization it is most important to protect
2. Conduct workshops with business stakeholders to identify your third-party service providers
3. Develop standard reporting templates to ensure consistency across vendor evaluation
4. Identify and recommend tools across the board, such as risk-based third-party cyber security assessment tools to help quantify the risk
5. Review your program with the right stakeholders, and adjust it as necessary
6. Perform third-party risk assessments based on risk levels of vendors—high, medium, and low risk levels, with vendors at high risk levels requiring more depth and frequency in/of the assessment
7. Collect information from vendors
   1. Notify and engage your vendors since having open communication and understanding can lead to greater cooperation
   2. Execute an assessment plan of your third-party through questionnaires or passive risk tools
   3. Gather information from vendors using an adaptive and agile approach, through self assessments, clarification questions, evidence gathering, and if needed, additional testing
8. Analyze the results you obtain from vendors, identify gaps, rate your vendors, and try to build in improvements if needed

With the fast-evolving cyber security and third-party risks your organization faces, it’s important to think of your TPRM program as a marathon, and not a sprint. It’s better to get started right away, but continually adjust and plan for the long term, rather than treat it as an intensive one-time exercise.

If you’re looking to learn more about how you can decrease your risk with third-party vendors, contact us for a free assessment and we will help you roadmap your path forward. Reach out to our team to get started.

Request a free consultation to identify your third-party cyber risk profile.

Eugene Ng, CISSP, is MNP’s Cyber Security Leader for Eastern Canada. A member of the firm’s Enterprise Risk Services team, Eugene identifies security technology, products and services that give clients a competitive advantage.