Building a TPCRM Program: Where to Start
Today's organizations have become increasingly reliant on third-party vendors to help them grow and sustain their business. Whether engaging with an outside marketing company to help drive online campaigns, working with an external logistics company that handles product storage and order fulfillment, or utilizing various cloud-based services, third-party vendors have become an integral part of modern-day business operations.
However, this increased reliance on third-party services and solutions has led to more cyber risk exposure due to quickly expanding digital footprints. As our reliance on third-party solutions grows, businesses need to prioritize their efforts in recognizing and effectively managing their cyber risk profile in and outside their organization.
This article will discuss the importance of implementing a Third-Party Cyber Risk Management (TPCRM) program and how your organization can get started on the right foot.
What is TPCRM?
TPCRM, or "Third-Party Cyber Risk Management," is a process that helps organizations identify, assess, and mitigate the cyber risks associated with third-party relationships. This often begins by conducting third-party risk assessments to identify potential threats and vulnerabilities. Then, businesses can work with their third-party vendors to develop mitigation plans that address these risks.
Understanding the Components of Cyber Risk
Cyber risk profiles can be different for every organization, as the susceptibility to attack will vary based on industry vertical, size, location, and other business characteristics. However, when it comes to understanding the scope of third-party cyber risk, multiple components need to be considered and maintained.
Components of cyber risk can include:
- Threats - These are the actors, events, or conditions that have the potential to cause harm to an organization's information systems and data.
- Assets - These are the information assets or systems that need to be protected from threats.
- Vulnerabilities - These weaknesses in systems or processes can be exploited by threats to gain unauthorized access to assets.
- Inherent Risk - This is the likelihood that a threat will exploit a vulnerability to cause harm to an organization's assets before any protective steps are taken.
- Residual Risk - This is the remaining risk after mitigating controls have been put in place and should be continually monitored.
- Controls - These security measures are put in place to prevent, detect, or mitigate vulnerabilities and reduce the impact of cyber incidents. Examples are passwords, software patching, and email monitoring systems.
When addressing the components of cyber risk, there are various tools and solutions businesses can implement to mitigate the severity of the exposure successfully.
Some of the more common tools include:
Governance Risk and Compliance Tools
GRC, or "Governance, Risk, and Compliance," tools help businesses manage third-party risk by providing a centralized platform for third-party risk assessments, contract management, and vendor performance monitoring. By having all third-party risk data in one place, businesses can more effectively identify and mitigate potential risks.
GRC tools can also help businesses automate the TPRM process by providing templates for risk assessments, contract reviews, and performance evaluations. The automation offered by GRC tools can save an organization valuable time and resources that can be better spent on other priorities. However, while Governance Risk and Compliance tools can help to gather information effectively, they don't provide the data insights or cyber intelligence that organizations need to take action.
Security Rating Tools
Security rating tools provide third-party risk management teams with external third-party data on an organization's cyber security posture. Data obtained can be used to assess and compare the cyber risk of different third-party vendors. The challenge around security rating tools is that they provide only limited information about a third party's systems and processes, so security ratings can't provide on their own a complete picture of a system.
Vendor Risk Management Platforms
Vendor risk management platforms are tools that help organizations manage their supply chain and vendor risk. They provide visibility into the components, software, and hardware used within an organization's environment.
Vendor risk management (VRM) platforms help organizations to mitigate the risks associated with their supply chain by identifying products and components that have vulnerabilities, poor security practices, or high-risk vendors. VRM platforms also provide visibility into which of an organization's suppliers are using good security practices, so that it can reward them for their efforts and continue working with them.
The challenge associated with VRM platforms is that they a difficult to mine actionable data from. While dashboards can show you the number of vulnerabilities it has identified, many times they don't let you extrapolate on the data, making it difficult to determine what to do next.
Why Is a TPCRM Strategy So Important?
Unfortunately, third-party cyber risk is all too real for businesses. In the last decade, there have been numerous high-profile data breaches that third-party vendors have caused. These attacks have resulted in the loss of sensitive data, reputational damage, and financial losses for businesses across various industries.
Some of the most notable third-party data attacks and breaches include:
The SolarWinds Breach
In 2020, SolarWinds, a third-party vendor that provides IT management software to businesses, was the victim of a sophisticated cyber attack. The attackers were able to insert malicious code into SolarWinds' software updates, which were then downloaded and installed by SolarWinds' customers. This gave the attackers backdoor access to the networks of SolarWinds' customers, including major organizations such as Microsoft and the U.S. Department of Defense.
The Attack on Colonial Pipeline
In May 2021, Colonial Pipeline, the largest refined products pipeline in the United States, was the victim of a cyberattack that led to a shutdown of its operations. The hacker group DarkSide compromised Colonial Pipeline's network and encrypted data on their systems, demanding a ransom payment in exchange for decryption keys. Colonial Pipeline decided to pay the ransom, which amounted to $75 million. However, even after paying the ransom, it took them nearly a week to get their operations up and running again. During that time, gas prices rose by 20 cents per gallon, and there were shortages reported in several states.
The Hack of Accellion FTA
In December 2020, Accellion, a third-party provider of file transfer services to many large organizations, announced a data breach in which attackers gained access to and exfiltrated customer data from its File Transfer Application (FTA) product. This event is notable not just for the scale of the attack - involving over 150 organizations, including some high-profile names such as Kroger, Singtel, University of Colorado, and more - but also because it appears that the attackers specifically targeted FTA users with well-crafted spear-phishing emails that allowed them to gain initial access to Accellion servers.
Communicating the Importance of TPCRM to Primary Stakeholders
One of the challenges in third-party cyber risk management is getting buy-in from primary stakeholders. Many businesses view TPCRM as an added cost and an unnecessary burden. However, as the SolarWinds and Colonial Pipeline breaches have shown, the costs of a third-party data breach can be much higher than the cost of implementing a TPCRM program.
When communicating the importance of TPCRM to primary stakeholders, it's crucial to understand how a third-party data breach can impact each individual and where the benefits of a TPCRM program will be most felt.
For CEOs, the value of a TPCRM program lies in its ability to protect the reputation and bottom line of the business. A third-party data breach can result in significant financial losses, damage to the business's reputation, and loss of customer trust. Therefore, when communicating the importance of TPCRM to CEOs, it's important to highlight how a TPCRM program can help mitigate these risks.
CISOs have an essential role to play in third-party cyber risk management. They are responsible for protecting the network and data of the organization, and a third-party breach can put all of that at risk. In addition, CISOs are often tasked with managing the budget for cybersecurity initiatives. TPCRM can be seen as an extension of existing security programs and investments, and as such, it can be easier to justify the cost of a TPCRM program.
An enterprise's board of directors is interested in projects that help modernize and transform the business to improve performance and increase revenue. TPCRM can be positioned as a way to improve the security posture of the company and protect against third-party risks that could jeopardize performance. Also, when board members are made aware of the potential reputational damage and financial losses that can result from a third-party data breach, they may be more likely to support TPCRM initiatives.
For legal teams, the value of TPCRM lies in its ability to help the business comply with data privacy regulations. Many data privacy regulations, such as the EU General Data Protection Regulation (GDPR), have strict requirements for how companies must protect the personal data of customers and employees. A TPCRM program can provide important insight into the third-party vendors that have access to this data and help the business ensure that these vendors are taking adequate steps to protect it in alignment with specific compliance requirements.
Building a TPCRM Program
TPCRM programs are vital for organizations that are continuing to rely on third-party vendors for essential business services. When done correctly, a TPCRM program can help protect the reputation, bottom line, and compliance posture of a business while also providing essential insights into the overall value of third-party vendor relationships and how they can be improved.
CyberGRX provides a centralized platform that allows you to manage third-party risk across all of your business partners, including vendors, customers, and suppliers. CyberGRX can help you save time and resources by automating third-party cyber risk management processes while also providing valuable insights into your third-party vendor relationships.
To learn more about how CyberGRX can help you manage your third-party cyber risk, request a demo today.