Operations | Commentary
5/2/2016 07:24 AM
Charlie Miller

How To Succeed At Third-Party Cyber Risk Management: 10 Steps

Organizations are failing -- and badly -- at assessing the risk of attacks and data breaches from vendors and supply chains, according to a recent Ponemon Institute study. The solution starts at the top.

From corporations to universities and large retail stores to small-to-medium businesses (SMBs), today’s organizations do not always have the structure and appropriate processes necessary to reduce risks associated with third-party vendors and ultimately avoid security attacks and data breaches. In fact, while 75% of senior executives and board members recently surveyed believe third-party risk is serious, and 70% believe third-party risk in their organization is significantly increasing, surprisingly only 26% of respondents believe that their organization’s third-party risk assessment of controls is effective.

The Shared Assessments Program recently sponsored a study conducted by the Ponemon Institute, surveying 617 board members and senior executives. The report, Tone at the Top and Third-Party Risk (registration required), looks at the increase in cyberattacks and outlines best practices to reduce risk, which include an involved senior management team and a positive tone at the top. "Tone at the top" describes an organization's control environment as established by its C-suite and board. Because tone at the top shapes the organization's risk appetite enterprise-wide, management must be committed to a culture and environment that embraces honesty, integrity, and ethics; employees are then more likely to uphold those same values.

Third-party risk is clearly on the rise within a continually changing threat landscape that includes the rapid growth of new technologies, such as IoT and migration to the cloud. Successful assessments and best practices, properly executed, could spare an enterprise the currently reported average of approximately $10 million spent annually responding to security incidents, in addition to reputation loss, brand damage, theft of assets, and loss of worker productivity.

According to the Tone at the Top and Third-Party Risk study:

  • 78% of respondents believe cyberattacks will have a significant impact on their risk profile, followed by IoT (76%), cloud computing (71%), mobility and mobile devices (67%), and big data analytics (51%).
  • Organizations are failing when it comes to third-party risk assessment. Just 18% of respondents said that their company assesses the cyber risks of third parties.
  • Just 29% of respondents indicate they have a formal third-party risk management program in place, while 44% have an informal program and 27% have no such program.
  • Only 31% say their companies have metrics in place to measure the effectiveness of risk management activities.

So what does all of this data mean? As major security issues stemming from third-party and supply chain relationships continue to grow, those at the highest level of organizations must lead by example. Setting a positive tone and creating formal programs to manage third-party risk will ultimately help companies avoid becoming the next victim of an incident. The following are 10 steps an organization can take to implement a strong third-party risk management program that will not only save time and money, but also improve the effectiveness of risk planning and third-party assessments and strengthen the overall risk management environment.

Step 1. The CEO and board of directors should be responsible for establishing a positive tone at the top. As shown in the Ponemon research, a positive tone at the top can improve relationships with third parties and reduce risks.

Step 2. The CEO and board of directors should become more proactive in the third-party risk program. This should include working with management to establish the vision, risk appetite, and strategic direction for third-party relationships.

Step 3. An organization should communicate its values to employees and other stakeholders through training and policies to ensure enterprise-wide adoption.

Step 4. Make the business case for dedicating more resources to third-party risk management by estimating the potential costs to your organization due to negligent or malicious third parties.

Step 5. Assess the potential threats posed by technologies such as the use of cloud and IoT in third parties. The results of such assessments should involve recommendations as to what technologies and personnel are needed to minimize the threats.

Step 6. Assess the risk that cyberattacks pose to sensitive and confidential information, and ensure that appropriate technologies are in place to reduce and mitigate those threats.

Step 7. Third-party risk management programs should incorporate metrics that reveal the vulnerabilities created by the third parties in your organization’s supply chain.

Step 8. While companies in the research space have fairly mature risk management programs, it is not clear whether such programs incorporate a strategy for managing third-party risk. Such a strategy should incorporate the people, process, and technologies for managing the risk.

Step 9. Assign accountability for the third-party risk management program to ensure the objectives of the risk management program are accomplished.

Step 10. Become involved in a consortium or council dedicated to best practices in addressing third-party risks.

Third-party risk is only going to continue to rise with the emergence of new technologies; therefore, instilling the importance of a positive tone at the top is crucial for all businesses. Improving your organization's relationships with third parties and educating all employees should be among the top risk management objectives to protect your company, employees, and customers.

Charlie Miller is senior vice president with the Santa Fe Group, where his key responsibilities include managing and expanding the Collaborative Onsite Assessments Program and facilitating regulatory, partner, and association relationships. Charlie has vast industry experience, ...