It is not uncommon for organizations to have hundreds of third-party relationships, and a comprehensive security program is no longer confined to the digital operations of the business itself. As supply-chain attacks become easier to carry out and harder to detect, security professionals are increasingly expected to understand the risks posed by their business vendors. Implementing a strategy to address third-party cyber risk can feel daunting for organizations with limited budgets and lean security teams, yet proactive measures to mitigate the risks that come with third-party relationships are imperative.
In this article, we will discuss effective strategies for organizations dealing with limited resources to productively tackle third-party risk management (TPRM), including risk prioritization.
Understanding Your Data and Assets
The first step in developing your TPRM program is to perform an internal audit of all of the data and assets you are trying to safeguard. After all, you can’t protect it if you don’t know that you have it in the first place. We call these data points crown jewels.
Your crown jewels will include a complete list of all critical data and sensitive assets held within your organization and how they are managed. In the past, locating data was simple because it all lived on local hardware servers at headquarters. Now, data is likely spread across various cloud services, sharing sites, and other hybrid solutions; while this is great for efficiency and scalability, it can be difficult to grasp where all the data flows are coming from and going to.
Understanding where your data is stored, how it is processed, and who it is shared with is the precursor to risk prioritization. After you identify the crown jewels, you can then prioritize them using criteria such as their value to a threat actor, the likelihood of a compromise to access this data, and the level of impact a loss of this information would have on your organization.
Scoping Your Third Parties
Once you have a handle on your data locations and the value of your assets, the next step is planning to assess your third parties. The challenge here is that the number of third parties likely exceeds what your available staff can review. Attempting to assess each vendor before understanding its business relationship with your organization is not a good use of limited resources. Risk prioritization, working from a top-down approach, is key to performing a security review of the right third parties.
When asked how other businesses categorize and prioritize which vendors they will assess, Kasi Gupta, Information Security Manager at Juniper Networks, advises, “Identify your critical vendors first. That may be 10-20% of your overall vendors. Spend your energy assessing the critical vendors on a regular cadence.”
Once your team understands its internal data scope, use it to identify who your critical third parties are. Business impact questions can help narrow this down: the analysis determines the criticality of business activities and predicts the consequences of a business disruption. With the analysis complete, you can begin looking at potential loss scenarios and deciding where to focus your mitigation resources. By knowing which of your vendors process, transmit, and store your crown jewels, you arrive at a shorter list of vendors for a deeper risk assessment, and you are well on your way to achieving your risk prioritization goal.
However, this doesn’t mean you should overlook the risks with your remaining vendors.
Gupta also notes, “For those who are not your critical vendors, you can use a simplified assessment questionnaire that vendors respond to every 3 years or so. This will help to identify if there is any scope creep. Chances are that a few vendors may have become critical to your organization as they provide additional services.”
Adopting a Triage Approach
Now comes the fun part. You are in a position to begin a thorough vendor risk assessment of the in-scope third parties. These vendors should be required to answer a more detailed questionnaire, one that supports evaluating the potential impact of a security incident and determining the likelihood of such an incident occurring.
When inquiring with other organizations about how they rank vendors for assessment, Maxine Thompsett, Global Head of Security Assessments at Zurich Insurance stated, “Apply scoring to the questions to determine the risk level. If you are using CyberGRX to supplement your assessment onboarding, you can also provide the level of CyberGRX tiering and align the questions to the CyberGRX business impact questions. The risk level output should then be aligned to the questionnaires.”
Once the potential risks have been identified, prioritize them with the most critical risks being addressed first, while lower-priority risks can be managed over time.
That said, be mindful of low-likelihood risks that could have a high impact. These low likelihood / high impact risks are often referred to as "black swan" events: they are rare and unexpected, but can have a significant impact on the organization if they do occur, in terms of financial losses, reputational damage, and legal repercussions. Contingency plans should be in place to reduce the impact such events would cause. Third-party risk management should be a collaborative exercise with stakeholders to determine which cybersecurity risks the organization is willing to accept.
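To make the scoping and triage steps above concrete, here is an added example (not CyberGRX's tooling or the author's method) that tiers vendors by whether they touch crown jewels, turns weighted questionnaire answers into a likelihood score, combines it with impact, and flags low-likelihood/high-impact "black swan" vendors so a small score does not bury them. The crown-jewel list, weights, thresholds and sample vendors are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scoring model: thresholds, weights and data are assumptions.
CROWN_JEWELS = {"customer_pii", "payment_data", "source_code"}
IMPACT_BY_DATA = {"customer_pii": 4, "payment_data": 5, "source_code": 4}
# Questionnaire controls and their weight; a missing control raises likelihood.
QUESTION_WEIGHTS = {"mfa_enforced": 3, "encryption_at_rest": 2,
                    "breach_notification_sla": 2, "pen_test_last_12mo": 1}

@dataclass
class Vendor:
    name: str
    data_handled: set   # data types the vendor stores, processes or transmits
    answers: dict       # control name -> True if the vendor attests it is in place

def tier(v: Vendor) -> str:
    """Vendors touching any crown jewel are 'critical' and get the deep assessment."""
    return "critical" if v.data_handled & CROWN_JEWELS else "standard"

def likelihood(v: Vendor) -> int:
    """1-5 scale: fraction of weighted controls missing, floored onto the scale."""
    gaps = sum(w for q, w in QUESTION_WEIGHTS.items() if not v.answers.get(q, False))
    return 1 + (4 * gaps) // sum(QUESTION_WEIGHTS.values())

def impact(v: Vendor) -> int:
    """1-5 scale: loss of the most sensitive data type the vendor handles."""
    return max((IMPACT_BY_DATA.get(d, 1) for d in v.data_handled), default=1)

def prioritize(vendors):
    """Rank by likelihood x impact, then by impact; flag black swans separately."""
    rows = []
    for v in vendors:
        l, i = likelihood(v), impact(v)
        rows.append({"name": v.name, "tier": tier(v), "likelihood": l, "impact": i,
                     "score": l * i, "black_swan": l <= 2 and i >= 4})
    return sorted(rows, key=lambda r: (-r["score"], -r["impact"]))

# Constructed sample vendors
SAMPLE = [
    Vendor("PayCo", {"payment_data"},
           {"mfa_enforced": True, "encryption_at_rest": True,
            "breach_notification_sla": True, "pen_test_last_12mo": False}),
    Vendor("MailList", {"marketing_emails"}, {}),
    Vendor("DevTools", {"source_code"}, {"encryption_at_rest": True}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Note that PayCo scores the same as the non-critical MailList, but its black-swan flag marks it as a rare-but-catastrophic case that needs a contingency plan rather than a slot at the bottom of the queue.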
Tying It All Together
Despite significant investment in evaluating third-party cyber risk, most assessments result in no action. Too often, there is a disconnect between the analysis findings and the ability to communicate what actions the organization should take next.
Risk prioritization strategies aren’t limited to your existing third parties either. The same strategies can be applied as you engage, vet, and onboard new third parties. By developing repeatable processes, you embed your third-party risk management program into your organization’s business processes. For example, the onboarding process can require a completed assessment to screen third parties before their operations are evaluated, and Legal can include contractual clauses for specific scenarios, such as requirements for encryption standards, breach notification, and remediation of identified control gaps.
And to make your job easier, CyberGRX recently launched Portfolio Risk Findings, the only tool on the market that enables you to view your entire third-party portfolio against your preferred framework, such as HIPAA, NIST, PCI-DSS, GDPR and more, so you can quickly see unmet controls and your riskiest vendors. To see how your third parties stack up, book a personalized demo now.
Risk identification and prioritization is never a one-and-done process, but by following these strategies, companies can effectively manage third-party risks while also protecting their bottom line.
About the author: Brianna Groves is a Security Engineer with over 5 years of experience at CyberGRX. Brianna is dedicated to protecting company and client data from cyber threats, with a focus on preventing data breaches and monitoring for malicious activity. Brianna applies her technical skills and knowledge to secure her business ecosystem, and her passion for offensive security drives her to constantly seek out new vulnerabilities and exploit techniques, allowing her to stay ahead of potential threats and effectively mitigate risk. Brianna is a self-taught professional holding two cybersecurity certifications, Security+ and Certified Ethical Hacker (CEH). Her passion for staying ahead of the latest security trends and techniques allows her to effectively mitigate risk and maintain the highest level of security for her organization, making her a valuable asset to the CyberGRX team.