Posted on Nov 22, 2016
Since the massive Target data breach in December 2013, third-party security stopped being an afterthought and became one of the top priorities for CISOs and risk departments. In response, Third-Party Risk Management (TPRM) underwent a transformation in early 2014 that has continued through 2016 to keep up with today's risks. With attackers finding new ways to compromise third parties in the hope of reaching a larger organization through them, the third-party ecosystem is more fragile than ever. Meanwhile, third-party usage by large organizations and enterprises has increased significantly: many critical business services, such as HR functions, data storage, and modes of communication, are now the responsibility of cloud-based third parties. Without a modern TPRM program, many of these third parties are left out of risk management altogether, leaving organizations exposed.
Over 60% of data breaches can be linked, directly or indirectly, to a third party, yet TPRM programs rarely take a risk-first perspective. Security and vendor-risk departments are often focused solely on compliance, which is important but does not get at the actual risk posed by your third parties. To shift your TPRM program toward measuring true risk, you will need to adjust how you manage third parties in 2017.
In this article, we’ll outline three major TPRM challenges and the solutions you and your organization can take in order to bolster your TPRM program as we move into the new year.
With the rise in SaaS companies serving organizations and enterprises, businesses are now using cloud-based third-parties more than ever. Gartner predicted that SaaS sales will nearly double by 2019, and that SaaS applications will make up 20% of the growth rate in all public cloud services, a $204B market. Last year, Forrester had already predicted that enterprise spend on software would reach $620B by the end of 2015.
As businesses undertake digital transformation of their IT and infrastructure, the need to manage vendors becomes more pronounced. Over 60% of respondents to a Ponemon Institute survey on Third-Party Risk Management believe that the Internet of Things significantly increases third-party risk, and 68% believe the same of cloud migration.
However, as more third parties are onboarded, they are often not managed to the level of risk they carry, or are not managed at all for lack of resources. The result is unmanaged risk. If these third parties have access to your network, your employees' PII, or your customers' sensitive data, shouldn't they be subject to rigorous risk assessment?
Unfortunately, as the number of third parties swells into the hundreds, it is often not feasible to assess every vendor critically. An automated process for assessing vendors is therefore a way to ensure you are minimizing unmanaged risk from new and existing vendors alike. Automating your TPRM process is one of the major steps toward a mature TPRM department. Its benefits include:
By automating the TPRM process, you create a standardized structure that can be applied to every third party, whether existing or newly onboarded. Look for technologies or tools that automate the assessment and information-gathering process for your third-party vendors, so that your and your staff's time is spent on what is most impactful.
Third parties are typically assessed through questionnaires, onsite assessments, or penetration tests, each with its own advantages and disadvantages. Onsite assessments and penetration tests are resource-intensive, requiring time, money, and staff. These kinds of assessments cannot be applied to every third party and should be reserved for the most risk-critical ones.
That leaves questionnaires to cover most other third parties. Questionnaires, however, are self-reported, which makes a 'trust, but verify' approach to risk management hard to achieve. In a 2016 Deloitte study on Third Party Risk Management, 93.5% of respondents expressed moderate to low confidence in their management and monitoring mechanisms. With numbers like that, it is easy to see why TPRM programs need more attention. Without a way to independently verify the security posture of your third parties, you can rely only on their own word, and they are, for obvious reasons, incentivized to report positively.
Organizations should engage independent assessors that can provide risk-based assessments of their third parties, to validate that questionnaire findings accurately reflect each third party's actual state. A number of security solutions provide risk-first third-party assessments. To find the right one, check whether the solution assesses third parties accurately, whether it can facilitate communication between you and your third parties, and whether it focuses on the security areas that are actually indicative of a potential breach.
The assessment methods described in the previous section share one glaring flaw: they assess a third party at a single point in time. Often the information gathered by an assessment is already outdated by the time it reaches you. The speed at which attackers develop new attack methods and exploit newly disclosed vulnerabilities is too fast for point-in-time assessments and annual reviews to provide real insight into a third party's security posture.
A PwC Third Party Risk Management report on the finance industry noted that 58% of respondents that monitor third parties on an ad hoc basis experienced a third-party service disruption or data breach, compared with only 37% of respondents that monitor third parties regularly. Without a way to know the security posture of your third parties on demand, you are managing risk with a blindfold on for most of the year, given how fast the threat landscape moves.
With only point-in-time information that quickly goes stale, your ability to react to a new vulnerability, or worse, a potential third-party security incident, is negligible. Implementing continuous monitoring in your third-party risk management shortens your reaction time and increases your visibility into the security posture of your critical third parties. Continuous monitoring also bolsters the security of the third parties themselves by keeping them consistently accountable, which in turn reduces your overall exposure to a security incident.
We covered how to implement continuous monitoring in your TPRM program in part 2 of our How to Revamp Your VRM Program article series. Start by establishing a central TPRM office if you don't already have one; identify and prioritize your most risk-critical and business-critical vendors; then define which of your third parties' security controls and processes you will monitor on an ongoing basis. If you have the resources, look for tools and solutions that offer continuous monitoring of your third parties.
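As an added example (not from the original post, and not SecurityScorecard's product code), the following Python script automates the first steps described in the sections above: it assigns each vendor an inherent-risk tier from what the vendor can reach (your network, PII, a critical business service), selects the assessment method that tier warrants, and flags vendors whose last point-in-time assessment is older than the tier's review cadence or who were never assessed at all. The tier weights, cadences, assessment methods, and the vendor inventory are constructed assumptions for illustration; tune them to your own risk appetite.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed tiering, cadences and methods for illustration. Not from the post;
# adjust to your own risk appetite. Higher tiers get the resource-intensive
# methods (onsite review, pentest) and continuous monitoring.
TIER_ORDER = ["critical", "high", "medium", "low"]
CADENCE_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}
METHOD = {
    "critical": "onsite assessment or penetration test, plus continuous monitoring",
    "high": "questionnaire verified by independent assessment, plus continuous monitoring",
    "medium": "questionnaire verified by independent assessment",
    "low": "questionnaire",
}


@dataclass(frozen=True)
class Vendor:
    name: str
    network_access: bool            # vendor can reach our internal network
    handles_pii: bool               # vendor stores or processes employee/customer PII
    business_critical: bool         # an outage would disrupt a critical business service
    last_assessed: Optional[date]   # None means never assessed, i.e. unmanaged risk


def inherent_risk_tier(v: Vendor) -> str:
    """Map exposure to a tier. Weights (2/2/1) are an assumption for the example."""
    score = 2 * v.network_access + 2 * v.handles_pii + 1 * v.business_critical
    if score >= 4:
        return "critical"
    if score == 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def evidence_status(v: Vendor, tier: str, today: date):
    """Return (status, days_overdue) for the vendor's last point-in-time assessment.

    'unmanaged' = never assessed; 'stale' = older than the tier's cadence.
    """
    if v.last_assessed is None:
        return "unmanaged", None
    age_days = (today - v.last_assessed).days
    overdue = age_days - CADENCE_DAYS[tier]
    return ("stale", overdue) if overdue > 0 else ("current", 0)


def triage(vendors: List[Vendor], today: date) -> List[dict]:
    """Tier every vendor and order the work: action needed first, highest tier first."""
    rows = []
    for v in vendors:
        tier = inherent_risk_tier(v)
        status, overdue = evidence_status(v, tier, today)
        rows.append({"name": v.name, "tier": tier, "status": status,
                     "days_overdue": overdue, "method": METHOD[tier]})
    rows.sort(key=lambda r: (r["status"] == "current",
                             TIER_ORDER.index(r["tier"]),
                             -(r["days_overdue"] or 0)))
    return rows


# Constructed sample inventory; names and attributes are invented.
SAMPLE_VENDORS = [
    Vendor("cloud-storage", True, True, True, date(2016, 10, 1)),
    Vendor("payroll-saas", False, True, True, date(2016, 1, 15)),
    Vendor("hr-platform", True, True, False, None),
    Vendor("office-catering", False, False, False, None),
]
TODAY = date(2016, 11, 22)  # fixed so the run is reproducible


def sample_report() -> List[dict]:
    return triage(SAMPLE_VENDORS, TODAY)


if __name__ == "__main__":
    for r in sample_report():
        print(f"{r['name']:<16} {r['tier']:<9} {r['status']:<10} "
              f"overdue={r['days_overdue']}  next: {r['method']}")
```

Running it lists the never-assessed critical-tier vendor first, then the high-tier vendor whose semi-annual evidence has expired, then the unmanaged low-tier vendor, and only then the vendor whose evidence is still within cadence. In a real program, `last_assessed` would come from your TPRM system of record, and the tiers flagged for continuous monitoring would be fed to whatever monitoring tooling you use rather than printed.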
Updating your TPRM program doesn't have to be a complete overhaul of your department. Instead, define the aspects that are most critical to update and most pressing from a risk-first perspective. The three chosen here will produce the most dramatic change in a TPRM program, reducing your unmanaged risk and shortening your reaction time should a security incident occur.
By automating aspects of your TPRM program, using independent third-party assessments, and implementing continuous monitoring, you are not far from a mature TPRM program that can assess any new third party as it arrives, confident that you are taking a risk-first perspective and keeping your organization safe.
[Request a demo below to see how SecurityScorecard's security ratings and continuous risk monitoring platform provides on-demand security intelligence for all your third-party vendors, and facilitates communication between you and your third parties to resolve issues as they appear throughout the business relationship.]