
Risk

4/2/2020
10:00 AM
Doug Clare
Commentary

Best Practices to Manage Third-Party Cyber-Risk Today

Bold new thinking is needed to solve the rapidly evolving challenge of third-party risk management.

Just five years ago, many companies focused their cyber defense efforts almost entirely on their own organizations. Today, they are increasingly concerned about third-party risks, with good reason.

According to Ponemon Institute's "US Cost of a Data Breach Study," third-party organizations accounted for 42% of all breach cases, dropping only slightly from 44% of all cases in 2008. These remain the costliest form of data breaches due to additional investigation and consulting fees. With the number of connected third parties increasing, and an explosion of cyberattack techniques and risk vectors, third-party risk management (TPRM) best practices are quickly evolving in surprising new ways.

One of those surprises is that enterprise cyber-risk teams are not taking responsibility for breaches that may occur. At a recent Cyber Series event, sponsored by the US Chamber of Commerce and FICO, Chris Wallace, director of cyber-risk at T-Mobile, described his bold approach: "My team gets to walk a line between business and security," he said. "Their mantra is, 'We take a risk-based approach to prioritizing and dealing with issues.' Everyone walks away from the discussion with a consensus on the next steps for doing business. That's my goal — to ensure that we have a common ground, and everyone understands what they're getting into."

Slot Vendors into Categories Based on Risk
Although T-Mobile is a large, well-resourced enterprise, a best-practice TPRM process will have the same basic elements, regardless of an organization's size: 

  • First, build a framework for third-party categorization, to identify which partners need a deeper assessment based on their role in the organization's business activities, and the size and criticality of the relationship.

  • Develop a workflow to address the intersection of risk and criticality. Working from the categorization framework, risk managers can use cybersecurity risk quantification tools to create portfolios of third parties, so that cyber-risk and business impact/criticality are considered together.

  • Establish a cadence to frequently assess high-impact suppliers, through an analytic approach that combines business criticality and risk.

  • Ensure appropriate risk transfer, typically achieved through insurance. A simple approach considers the intersection of supplier risk and criticality, and requires insurance from suppliers where additional protection is indicated. Risk mitigation is also an option, either by increased third-party controls or additional controls at the organization.

Not all vendors, even vendors of the same type, are alike in a properly executed TPRM program. For example, a media company shooting an ad about a product that has already been publicly announced will have a different risk profile than a media company working on a video about information that hasn't yet been made public. Clearly, stricter control sets should be applied to certain vendors.

Qualitative Assessment Is Key
Unlike the traditional "check the box" approach, today's TPRM best practices include both qualitative and quantitative assessment of business partners. "These measures complement each other," T-Mobile's Wallace said at the Cyber Series event. "There's always a push in risk management to make risk black and white, with hard data that shows what's good and what's bad. A risk model needs to blend the two. With a foundation of hard data and facts — such as who has access to certain data, how many people have it, and where data is going to and coming from — vendors should take more of an analyst's approach to looking at it further."

"For any vendor," he continued, "an analyst can further assess risk by looking at security risk scores or comparing the risk scores of similar businesses that organizations have worked with in the recent past. All of this information is used to build a third-party risk model and threat profile that takes into account both subjective information and objective measurements and balances this piece to allow us to be more hands-on in forming a judgment."

Though T-Mobile's vendor ecosystem numbers in the tens of thousands of partners, the best practices it is following can benefit organizations of any size.


Doug Clare is Vice President of Fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ...