Take calculated risks. That is quite different from being rash. – George S. Patton
Risk is an inherent component of every business relationship. Every supplier, vendor, affiliate, partner and customer exposes your company to hazards. In many cases, the potential impact is small and normal business processes provide reasonable assurance that the risk is managed. In a few cases, the potential impact is catastrophic. In our modern, connected world, recognizing and managing third-party cybersecurity risk is critical and cannot be achieved without analytics.
Using Analytics to Recognize Third-Party Cyber Risk
In the cybersecurity area, there is no universal method to reliably identify every high-risk third party. Many companies use other measures as a proxy for risk, like scores on a cybersecurity assessment or compliance with some regulatory framework. However, these approaches fail in two key areas. First, the measure may not capture information relevant to understanding cybersecurity risk. It may be good to know that your offsite data storage vendor is compliant with the PCI-DSS standard, but that reveals nothing about the risk of using their services to store data. Second, these approaches fail to consider the nature of the relationship between the third party and the company. Cybersecurity scores and compliance reports don’t address how the third party and the company interact with each other.
A better approach starts by understanding the interactions between a company and a third party. If the relationship can be described by answering a few simple questions, then analytics can help turn qualitative responses into a categorical assessment of risk. Our solution captures the scope of a relationship across eight areas: Business Process, People, Digital Identities, Applications, Data, Devices, Networks and Facilities. For example:
Define the level and criticality of the third party’s access to sensitive data. This includes the level of impact to the business if the data was compromised.
- [Least] The third party has no access to sensitive data
- [Minimal] The third party has access to minimally sensitive data such as internal business white pages or training information. There would be minimal impact to the business if the data was compromised
- [Moderate] The third party has access to moderately sensitive data such as company proprietary information. There would be a moderate impact to the business if the data was compromised
- [Significant] The third party has access to highly sensitive information such as regulated data or confidential company information. There would be a significant impact to the business if the data was compromised
The answers to these eight questions enable us to run a simple analytic to categorically assess the potential impact of a third party on a company.
In the figure below, the x-axis provides an estimate of impact derived from the answers to the eight scope questions. Low impact third parties are unlikely to cause serious harm to a company. High impact third parties have the potential to cause very serious harm to a company.
With some additional data, analytics can go a step further by estimating the likelihood that a third party will suffer a cyber incident. For instance, we assemble an estimate of this likelihood by looking at four different datasets:
- Historical cyber incidents are analyzed to understand the types of attacks that have been successful in the past against companies in the same industry.
- Threat intelligence is analyzed to understand the type and volume of attacks currently being directed against companies in the same industry.
- Scans of internet-facing systems provide insight into the information technology maturity of the third party.
- Responses from the third party to questions about the size, complexity, and interdependence of their enterprise provide insight into the third party’s attack surface.
In the figure above, the y-axis provides an estimate of likelihood. Low likelihood third parties are unlikely to have a cyber incident.
Using Analytics to Manage Third-Party Risk
Once a company understands the potential impact of an incident at each third party in its ecosystem, reasonable decisions can be made about managing that risk. Third parties that have both high impact and high likelihood are logical candidates for additional scrutiny. We would recommend a detailed cybersecurity assessment for third parties in this category. Third parties with low impact probably don’t need any additional scrutiny; existing risk management processes are probably sufficient. For third parties that lie between these two extremes, other measures may be appropriate and should be tailored to the particular situations of the company and its third parties.
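As an added example (not the post's or CyberGRX's own analytic), here is one way to encode the eight scope questions and the decision rule above in Python. The eight areas and the four answer levels come from the post; the aggregation rule, the low/medium/high impact bands and the likelihood labels are assumptions:

```python
"""Third-party impact triage from the eight scope answers (illustrative, not CyberGRX's analytic)."""
from enum import IntEnum

# The eight scope areas named in the post.
SCOPE_AREAS = ("Business Process", "People", "Digital Identities", "Applications",
               "Data", "Devices", "Networks", "Facilities")


class Level(IntEnum):
    """Ordinal encoding of the bracketed answer levels used in the post."""
    LEAST = 0
    MINIMAL = 1
    MODERATE = 2
    SIGNIFICANT = 3


def parse_answer(text: str) -> Level:
    """Turn a qualitative answer such as '[Moderate]' into an ordinal level."""
    return Level[text.strip().strip("[]").upper()]


def impact_category(answers: dict) -> str:
    """Categorise potential impact from the eight scope answers.

    Assumed rule: the worst single area sets the baseline; if three or more
    areas are at least Moderate the category is raised one step, since broad
    access amplifies the harm one compromised relationship can cause.
    """
    missing = set(SCOPE_AREAS) - set(answers)
    if missing:
        raise ValueError(f"unanswered scope areas: {sorted(missing)}")
    levels = [parse_answer(answers[area]) for area in SCOPE_AREAS]
    score = max(levels)
    if sum(lvl >= Level.MODERATE for lvl in levels) >= 3 and score < Level.SIGNIFICANT:
        score = Level(score + 1)
    bands = {Level.LEAST: "low", Level.MINIMAL: "low",
             Level.MODERATE: "medium", Level.SIGNIFICANT: "high"}
    return bands[score]


def recommended_action(impact: str, likelihood: str) -> str:
    """Apply the post's decision rule to an impact band and a likelihood label.

    Likelihood is taken as an input ('low', 'medium', 'high'); deriving it from
    incident history, threat intelligence, scans and questionnaires is out of scope here.
    """
    if impact == "high" and likelihood == "high":
        return "detailed cybersecurity assessment"
    if impact == "low":
        return "existing risk management processes"
    return "tailored measures"
```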
No human endeavor is without risk. This is particularly true for modern businesses where companies depend on a wide variety of third party products and services. Analytics provide a way to recognize and manage risk by identifying the third parties that need the most scrutiny.
Identifying third parties that need additional scrutiny is the first step. Dealing with the outcome of the additional scrutiny is the next task. Ecosystem-level views of risk, prioritization of mitigation and remediation efforts, and tracking remediation progress are all important components of a third-party risk management program. Future articles will address the use and utility of these analytics.
VP of Analytics, CyberGRX