The world is more digitally connected than ever before. In fact, the United States experienced a 159% increase in remote employment between 2005 and 2017, even before organizations began asking employees to work remotely as part of their Coronavirus protection strategies.
Organizations recognize that their third-party business partners can contribute to their data breach risks. However, those third-parties also outsource work to vendors which further exacerbates the already disconcerting visibility issues associated with the supply chain. With more employees throughout the supply chain working remotely, organizations need better insight into who their fourth-party vendors are and find a way to mitigate the risks associated with those, often invisible, risks.
What are the risks organizations face from fourth-party vendors?
Organizations have the ability to communicate with their third-party vendors. They hire them, engage in due diligence, establish contractual obligations, and can maintain governance over their security controls.
However, most organizations rely on their third-party vendors when it comes to the fourth-party vendors in the ecosystem. A May 2018 Compliance Week article notes the following findings from a survey with 102 respondents:
- 33% had limited or no visibility into fourth-party/Nth party risks
- 15% “didn’t know” how third-parties manage fourth-parties
- 7% encourage but don’t require third-parties to manage their vendors
- 13% took an active role in assessing fourth/Nth parties
Third-parties continue to pose a third-party data breach risk, but organizations need to not only monitor their own third-parties but also take a more active approach in managing the risks that their vendors’ third-party partnerships pose.
Why are fourth-party cybersecurity risks so difficult to manage?
When you stop and think for a moment, all data breaches arise from a similar set of circumstances. Whether your organization, your third-party’s organization or your fourth-party’s organization experiences a data security incident, similar causes led to all of the weaknesses.
However, unlike your own vendors, you likely have little or no contact with your fourth-party vendors. Mitigation strategies that work for third parties often become untenable when digging deeper into the supply chain.
You don’t know your fourth-party vendors
The first step to mitigating third-party data security risk is to “know your vendors.” While organizations may struggle with this, they have resources such as their IT asset list or their vendor payment records. Unfortunately, when trying to determine fourth-party risks, they lack these resources. Even if you can get a list of vendors that third parties use, the number of organizations in the supply chain rapidly becomes overwhelming.
According to research, 182 vendors access an organization’s IT systems every week. If you have 182 vendors and each of those vendors contracts with 182 additional third parties, you are connected to 33,124 potential fourth parties. That’s a lot of monitoring, too much for most organizations to manage.
You can’t report the risk internally
Assuming you have a minimum of 33,124 third- and fourth-party vendors to monitor, you can’t effectively report the risk to senior-level executives and your Board of Directors. The information overload and time it takes to continuously monitor all of these attack vectors overwhelms people and increases your cybersecurity costs exponentially.
You can’t cut ties with fourth-parties
Your contracts are with your vendors, not their third-party business partners. Since those fourth parties have limited responsibility to you and you have limited visibility into their security controls’ effectiveness, you lack the protections and control. You can consider holding your vendor accountable, but you still need to monitor their monitoring. In short, it becomes a complex web of relationships, reporting, and governance.
How to mitigate fourth-party risk effectively
With the proliferation of privacy and cybersecurity regulations requiring documentation over continuous monitoring strategies, organizations find themselves struggling. With an increasingly distributed workforce, organizations need to understand their fourth-party risks in new ways.
Find the connections using publicly available information
Creating a third-party risk monitoring strategy that incorporates a full view of vendor risk can also provide visibility into these traditionally invisible fourth-party connections. For example, if you create a third-party vendor monitoring profile that can monitor access to the vendor’s network, you gain insight into the fourth parties who access that network.
Use easy-to-read visualizations
The sheer influx of information arising from fourth-party risk monitoring can be overwhelming. However, an organization that can monitor its third-party vendor risk can more easily manage the depth of information necessary.
For example, if your risk is tied to your third-party ecosystem, then your third-party risk is also tied to the way that your vendors manage their third parties. With all this information, you need at-a-glance visibility into your riskiest third parties so that you can more deeply investigate where their risks come from.
Understand the third-party risk indicators for fourth-party risk
Once you know which vendors pose a greater risk, you need to look into what security controls impact your organization and how those potentially indicate a fourth-party data breach risk.
Patching cadence, or how regularly a vendor applies security patches, may not indicate a fourth-party risk because it relates to an organization’s processes around their own systems, network, and software. However, endpoint security might give insight into vendor third-party devices that pose a risk which gives you an opportunity to talk to your vendor about their management of this risk. Additionally, reviewing web application security for your third-party vendors can give insight into your vendors’ third-party - or your fourth-party - risks.
Report on important risk metrics
Identifying potential fourth-party risk via third-party risk monitoring gives you a way to compare vendors’ security across your ecosystem. If your service level agreements (SLAs) discuss ensuring vendor risk management, then being able to compare third-parties to each other gives you a way to show metrics across your fourth-party ecosystem.
For example, if Vendor A has a problem with web-application security and Vendor B does not, the lack of Vendor A’s vendor risk monitoring increases your organization’s fourth-party risk. You can review these comparisons and give better benchmark reporting to senior leadership and your Board of Directors by using the easy-to-read risk scoring.
SecurityScorecard enables robust fourth-party vendor risk management
SecurityScorecard’s security ratings platform enables robust fourth-party vendor risk management by enabling organizations to create vendor profiles that provide visibility across ten groups of risk factors, including DNS health, network security, IP reputation, endpoint security, web application security, hacker chatter, leaked credentials, and social engineering. Our easy-to-read A-F rating system provides a high-level view of your security and your vendors’ security while also allowing you to dig deeper into the individual risk factors, if necessary.
Although your fourth-party vendors appear disconnected from your own IT environment, the reality is that the risk they pose to your vendors needs to be incorporated as part of a holistic vendor risk management program. The interconnected IT ecosystem needs to be continuously monitored to ensure governance over your cyber risk and meet evolving compliance needs.