Third-party risk management needs analytics, forecasting and layered defense

A ripple effect of cyber issues poses risks to businesses dealing with third parties

Beth Maundrill
03/02/2022

Ripple attacks in the industry are increasing as organizations become entangled in a web of vendors that extends beyond third parties to include fourth and even fifth parties.

Organizations today are not just facing risk from external parties such as proprietary software vendors, but also the people they engage. In the financial sector, for instance, investors and clients, who have very close touch points to the business, pose a risk-based challenge as they are not internal users.

This is according to Ash Hunt, group head of information security at Sanne Group, speaking to CS Hub ahead of his participation in the Third Party Risk Management 2022 Digital Summit.

Hunt maintains that analytics and forecasting are key defense mechanisms against the impact of cyber-attack ripple effects that can be triggered by external parties working with organizations.

Register here for the Third Party Risk Management 2022 Digital Summit.

Evolving challenges

These ripple effects are forcing organizations to completely re-engineer perceptions around having a stake in external parties’ security postures, says Hunt.
“That is much easier said than done,” he said. “There's a step change where I think previously it was very much focused on issuing one due diligence questionnaire and hoping that is sufficient; now it needs to focus more on an analytical position where you’re actually conducting risk analysis.”

This extensive analysis includes forecasting and exploring where an organization’s greatest vulnerabilities may be. Each touchpoint to an organization is likely to have different risk and loss exposure depending on how close the touchpoint is to an enterprise's network.

The growth in the number of mergers and acquisitions has also had an impact on third-party risk, according to Hunt.

This is because with every merger, every acquisition, organizations have an “almost ever-expanding” portfolio of technical risks that need to be mitigated.

“The challenge [with external risk] has certainly become more complex than in previous years,” Hunt said.

Trusted catalogue

Tooling for this category of risk is difficult because ultimately organizations are trying to access elements they do not have direct control over when it comes to external parties.

“Even to the extent of detection and monitoring it is very difficult,” Hunt explained.

“I think the challenge is not having enough transparency [on your external parties],” he noted, adding that organizations need a trusted catalogue of external parties.

“I guarantee most organizations don’t have that. It all comes down to having a robust governance process over how you manage those vendors as an organization.”

This vetting process could be safeguarded by a central service management platform under the technology department or it could be handled by a dedicated vendor management team. Ultimately there needs to be sufficient oversight regarding onboarding and managing external parties.

Risk management, as well as procurement and governance processes, must be considered as part of the overall management of third parties and ought to be approached as another form of loss scenario businesses consider, Hunt noted.

As the level of risk varies with how critical the service provided by an external party is, organizations should evaluate the ultimate loss exposure for each partner.

Creating a package

Hunt has suggested building a layered defense workflow between third parties and the rest of the business network through a “jump-start package”.

Organizations could set up a dedicated inbox, like a basic services portal, to bring any third party into a specific place on the network as a defined external party.

By managing external parties’ business interactions in a closed-off part of the network, both the organization and the vendor have a secure way of operating in alignment with relevant compliance requirements and policies.

To hear more expertise from Hunt register here for the Third Party Risk Management 2022 Digital Summit.