Why Managing Third-Party Cyber Risk IS Your Job

By Will Durkee, CISSP, ITPM

The Equifax breach has already provided lessons on many fronts: the devastating effects of lax security, the role of corporate culture in securing an enterprise, and the importance of well-planned and tested incident response. Now, there’s a new lesson – the impact of third-party cybersecurity risk.

Equifax just confirmed that despite the intense international focus on the company since early September, it has suffered another breach of its online systems. "The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content," Equifax said in a statement.

The revelation highlights the very real fact that third-party connections to corporate networks can create vulnerabilities to be exploited. It also demonstrates that even if a third party is the source of a breach or attack, the company itself will still suffer negative attention, and possibly reputational and financial loss. 

Supply chain assurance in today’s globally-sourced and increasingly connected environment requires the management of emerging risks, especially cyber threats. With the internet of things (IoT), move to the cloud, and increasing reliance on third parties for products and processes, ALL supply chain professionals have a stake in recognizing and mitigating cyber risk. Did the department that secured the website tracking solution for Equifax involve Procurement, Legal, IT, or Risk decision-makers? Does Equifax assess the security posture of third-party vendors or require them to meet corporate security standards? Does it have a governance plan to monitor and mitigate problems? If Equifax is like many businesses, it does not. 

According to the Data Risk in the Third-Party Ecosystem survey released by Ponemon/Opus in September, fewer than half of 15,300 respondents said managing outsourced relationship risks is a priority in their organization and 57 percent said they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach. More than half of companies have experienced a data breach involving a vendor, while at the same time, the average number of third parties with access to confidential or sensitive information has increased by 25 percent. 

A Way to View Third-Party Cyber Risk

The numbers demonstrate that as core business functions become decentralized and critical dependencies expand beyond the sphere of your control, you must posture yourself in a way that allows you to minimize both your susceptibility to and the impact of cyber threats. Recognizing this plus the dynamic nature of the threat environment, my company views cybersecurity risk through a three-part framework: 

1. What you can control.

2. What you can influence.

3. What you cannot control.

Although the services and products of third parties fall outside of what you directly control, you do have the ability and the responsibility to influence – to shape the security environment in a manner that protects your organization from risk. By identifying the aspects of a third party’s security posture that align with, or conflict with, your company’s own security requirements, you shift from viewing third parties as a potential vulnerability to recognizing them as active participants in improving your security posture and lowering risk across the enterprise.

In the Ponemon survey, 63 percent of respondents said they don’t have the internal resources to evaluate third parties. There are economical and scalable solutions in the marketplace that help to assess and score vendor cyber risk, providing insight into your most crucial suppliers. The time to get started on incorporating third-party cyber risk into an overall enterprise risk management strategy is now. The maturity of your organization’s security posture is meaningless if those connected to your digital ecosystem have exploitable vulnerabilities.

Will Durkee, CISSP, ITPM, is the Director of Security Solutions at cybersecurity assessment and consulting firm TSC Advantage, which has partnered with CSCMP to offer education and a free pilot program to use the Secure Halo™ platform to assess the security posture of up to 10 current or potential suppliers/vendors. Visit CSCMP.org to learn more about TSC Advantage and the free pilot program available for corporate members, or contact Burt Blanchard at bblanchard@cscmp.org.