To compete in a global marketplace full of disruptors, organizations are rapidly expanding their reliance on outsourcing, cloud providers and other services that speed up time to market.
But with agility also comes cyber risk. As companies have maintained focus on their own defenses, cyber criminals have realized third parties are the attack path of least resistance.
And if their success continues, your data, intellectual property and trade secrets are at risk. But how do you leverage the speed of outsourcing and simultaneously protect your data and trade secrets?
The vast majority of third party cyber risk management market programs we encounter lack scale, speed and efficiency. These programs are based on archaic processes like sharing spreadsheet based questionnaires and manual processes.
But according to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees.
So why are organizations still using a cobbled together process of GRC tools, external consultants, spreadsheets and internal resources?
At CyberGRX, we believe security and risk professionals do not have appropriate tools to fight the third party cyber battle. A cobbled together process of GRC tools, assessment services and “shared spreadsheets” is no match for a sophisticated adversary.
In a January 2017 report, SurfWatch Labs found “the percentage of cybercrime linked to third parties nearly doubled over the past year – and that only includes publicly disclosed breaches.”
Here are three trends driving organizational need to improve today’s third party cyber risk management process:
1. Explosive Growth in Outsourcing and Growing Consumption of Third Party Services.
Organizations are relying on third-parties to improve the way systems function. And for good reason. Deloitte’s 2016 Global Outsourcing Survey found that businesses outsource to reduce costs and drive innovation. And all indicators suggest that outsourcing is here to stay. The average Fortune 500 company has over 20,000 different vendors in 2016. In 2017, companies are expected to bring on even more third parties and will continue to do so into the foreseeable future.
Yet, cybersecurity professionals have not been able to keep up with this explosive growth. According to a survey by PwC, 74% of respondents didn’t have a full inventory of third parties that handle confidential data. Part of this stems from how companies define “insiders”.
Insiders should be classified as anyone with physical or remote access to an organization’s assets. In the past, organizations could simply view “insiders” as employees. But many third parties have also become “insiders” as they are entrusted with sensitive data that hackers would love to get their hands on. Some examples being:
- Manufacturing partners entrusted with intellectual property.
- HR vendors entrusted with employee data.
- Banks entrusted with company finances.
- Call centers entrusted with customer data.
- Law Firms entrusted with legal documents.
Businesses need to broaden their view of insiders and take appropriate steps to ensure cybersecurity.
2. Bad Guys are Targeting Third Parties
Last year, third party cyber attacks reached a tipping point. Businesses worldwide lost more than $400 billion to hackers. Statistics show that third parties were the source for at least 50 percent of these incidents:
- In a recent Deloitte survey of 170 organizations, 87 percent of the respondents said they have faced a disruptive third-party incident in the last two to three years.
- 55% of small- and medium-sized businesses experienced a cyber-attack in the last 12 months, with 41% saying they were impacted by a third-party mistake. (Ponemon Institute survey, June 2016)
- Over 50% of all breaches come from third-party vendors (PWC)
- 80 percent of data breaches originate in supply chains (TechNewsWorld)
- 63% of the 450 data breaches studied in the 2013 Trustwave Global Security Report were linked to a third party component of IT system administration.
- Ponemon and Verizon studies have estimated 50% or more of corporate breaches occurred through third parties.
3. Regulatory Pressure From Every Angle – Regardless of Industry
Regulators, across all industries, are required to examine businesses on their compliance to cyber security laws. Some of the most common laws being, PCI, NERC, FISMA, HIPAA, SOX and GLBA. Recent trends in outsourcing and cybercrime have forced industry regulators to put pressure on organizations to better manage third party cyber risks.
For example in 2013, the Office of the Comptroller of the Currency issued “Third-Party Relationships: Risk Management Guidance.” In this bulletin, the OCC clearly states that that banks must have a complete understanding of new third parties. According to the OCC:
“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
These types of guidelines have been adopted across all industries. Yet, most organizations have not been able to keep up with the complexity regulators require. Organizations must ensure that their third-parties comply with vague standards, complete different auditing frameworks , and implement various “best practices.” All while doing their best to limit use of internal resources. Most find this to be a wasteful and complex approach to managing third-party cyber risks, desperately in need of simplification and improvement.
To repair the current broken process used by many organizations today, businesses need to focus on four areas:
- Understand your inherent risk from each third party
- Perform analytics on your portfolio of assessments to understand which pose the most relative risk to your organization
- Work collaboratively with your third parties to mitigate risks that pose the most risk to your organization
- Monitor your third parties for changes in their business and cyber posture including expansions, divestitures, breaches and new attacks that may alter your exposure
For Third Parties: Get assessed once and share with many. Utilize a risk exchange to scale your response capabilities to drive scale and shake out costs.
Digital ecosystems will continue to grow. Bad guys will continue to prey upon the path of least resistance – third parties. It’s up to you to ensure your organization takes a comprehensive and risk based approach – rather than focusing solely on compliance.