Just five years ago, many companies focused their cyber defense efforts almost entirely on their own organizations. Today, they are increasingly concerned about third-party risks, with good reason.
According to Ponemon Institute's "US Cost of a Data Breach Study," third-party organizations accounted for 42% of all breach cases, dropping only slightly from 44% of all cases in 2008. Third-party breaches remain the costliest form of data breach due to additional investigation and consulting fees. With the number of connected third parties increasing, and an explosion of cyberattack techniques and risk vectors, third-party risk management (TPRM) best practices are quickly evolving in surprising new ways.
One of those surprises is that enterprise cyber-risk teams are not taking responsibility for breaches that may occur. At a recent Cyber Series event, sponsored by the US Chamber of Commerce and FICO, Chris Wallace, director of cyber-risk at T-Mobile, described his bold approach: "My team gets to walk a line between business and security," he said. "Their mantra is, 'We take a risk-based approach to prioritizing and dealing with issues.' Everyone walks away from the discussion with a consensus on the next steps for doing business. That's my goal — to ensure that we have a common ground, and everyone understands what they're getting into."
Slot Vendors into Categories Based on Risk
Although T-Mobile is a large, well-resourced enterprise, a best-practice TPRM process will have the same basic elements, regardless of an organization's size:
- First, build a framework for third-party categorization, to identify which partners need a deeper assessment based on their role in the organization's business activities, and the size and criticality of the relationship.
- Develop a workflow to address the intersection of risk and criticality. Working from the categorization framework, risk managers can use cybersecurity risk quantification tools to create portfolios of third parties. In this way, cyber-risk and business impact/criticality can be considered together.
- Establish a cadence to frequently assess high-impact suppliers, through an analytic approach that combines business criticality and risk.
- Ensure appropriate risk transfer, typically achieved through insurance. A simple approach considers the intersection of supplier risk and criticality, and requires insurance from suppliers where additional protection is indicated. Risk mitigation is also an option, either by increased third-party controls or additional controls at the organization.
In a properly executed TPRM program, not all vendors are alike, even vendors of the same type. For example, a media company that is shooting an ad about a product that has already been publicly announced will have a different risk profile than a media company working on a video regarding information that hasn't yet been made public. Clearly, stricter control sets should be applied to certain vendors.
Qualitative Assessment Is Key
Unlike the traditional "check the box" approach, today's TPRM best practices include both qualitative and quantitative assessment of business partners. "These measures complement each other," T-Mobile's Wallace said at the Cyber Series event. "There's always a push in risk management to make risk black and white, with hard data that shows what's good and what's bad. A risk model needs to blend the two. With a foundation of hard data and facts — such as who has access to certain data, how many people have it, and where data is going to and coming from — vendors should take more of an analyst's approach to looking at it further."
"For any vendor," he continued, "an analyst can further assess risk by looking at security risk scores or comparing the risk scores of similar businesses that organizations have worked with in the recent past. All of this information is used to build a third-party risk model and threat profile that takes into account both subjective information and objective measurements and balances this piece to allow us to be more hands-on in forming a judgment."
Though T-Mobile has a vendor ecosystem numbering in the tens of thousands of partners, the best practices it is following can benefit organizations of any size.