
Risk

4/2/2020
10:00 AM
Doug Clare
Commentary

Best Practices to Manage Third-Party Cyber-Risk Today

Bold new thinking is needed to solve the rapidly evolving challenge of third-party risk management.

Just five years ago, many companies focused their cyber defense efforts almost entirely on their own organizations. Today, they are increasingly concerned about third-party risks, with good reason.

According to Ponemon Institute's "US Cost of a Data Breach Study," third-party organizations accounted for 42% of all breach cases, dropping only slightly from 44% of all cases in 2008. These remain the costliest form of data breaches due to additional investigation and consulting fees. With the number of connected third parties increasing, and an explosion of cyberattack techniques and risk vectors, third-party risk management (TPRM) best practices are quickly evolving in surprising new ways.

One of those surprises is that enterprise cyber-risk teams are not taking responsibility for breaches that may occur. At a recent Cyber Series event, sponsored by the US Chamber of Commerce and FICO, Chris Wallace, director of cyber-risk at T-Mobile, described his bold approach: "My team gets to walk a line between business and security," he said. "Their mantra is, 'We take a risk-based approach to prioritizing and dealing with issues.' Everyone walks away from the discussion with a consensus on the next steps for doing business. That's my goal — to ensure that we have a common ground, and everyone understands what they're getting into."

Slot Vendors into Categories Based on Risk
Although T-Mobile is a large, well-resourced enterprise, a best-practice TPRM process will have the same basic elements, regardless of an organization's size: 

  • First, build a framework for third-party categorization, to identify which partners need a deeper assessment based on their role in the organization's business activities, and the size and criticality of the relationship.

  • Develop a workflow to address the intersection of risk and criticality. Working from the categorization framework, risk managers can use cybersecurity risk quantification tools to create portfolios of third parties. In this way, cyber-risk and business impact/criticality can be considered together.

  • Establish a cadence to frequently assess high-impact suppliers, through an analytic approach that combines business criticality and risk.

  • Ensure appropriate risk transfer, typically achieved through insurance. A simple approach considers the intersection of supplier risk and criticality, and requires insurance from suppliers where additional protection is indicated. Risk mitigation is also an option, either by increased third-party controls or additional controls at the organization.

Not all vendors, even vendors of the same type, are alike in a properly executed TPRM program. For example, a media company that is shooting an ad about a product that has already been publicly announced will have a different risk profile than a media company working on a video regarding information that hasn't yet been made public. Clearly, stricter control sets should be applied to certain vendors.

Qualitative Assessment Is Key
Unlike the traditional "check the box" approach, today's TPRM best practices include both qualitative and quantitative assessment of business partners. "These measures complement each other," T-Mobile's Wallace said at the Cyber Series event. "There's always a push in risk management to make risk black and white, with hard data that shows what's good and what's bad. A risk model needs to blend the two. With a foundation of hard data and facts — such as who has access to certain data, how many people have it, and where data is going to and coming from — vendors should take more of an analyst's approach to looking at it further."

"For any vendor," he continued, "an analyst can further assess risk by looking at security risk scores or comparing the risk scores of similar businesses that organizations have worked with in the recent past. All of this information is used to build a third-party risk model and threat profile that takes into account both subjective information and objective measurements and balances this piece to allow us to be more hands-on in forming a judgment."

Though T-Mobile has a vendor ecosystem numbering in the tens of thousands of partners, the best practices it is following can benefit organizations of any size.


Doug Clare is Vice President of Fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ...