Risk
Commentary
4/2/2020 10:00 AM
Doug Clare
Best Practices to Manage Third-Party Cyber-Risk Today

Bold new thinking is needed to solve the rapidly evolving challenge of third-party risk management.

Just five years ago, many companies focused their cyber defense efforts almost entirely on their own organizations. Today, they are increasingly concerned about third-party risks, with good reason.

According to Ponemon Institute's "US Cost of a Data Breach Study," third-party organizations accounted for 42% of all breach cases, dropping only slightly from 44% of all cases in 2008. These remain the costliest form of data breaches due to additional investigation and consulting fees. With the number of connected third parties increasing, and an explosion of cyberattack techniques and risk vectors, third-party risk management (TPRM) best practices are quickly evolving in surprising new ways.

One of those surprises is that enterprise cyber-risk teams are not taking responsibility for breaches that may occur. At a recent Cyber Series event, sponsored by the US Chamber of Commerce and FICO, Chris Wallace, director of cyber-risk at T-Mobile, described his bold approach: "My team gets to walk a line between business and security," he said. "Their mantra is, 'We take a risk-based approach to prioritizing and dealing with issues.' Everyone walks away from the discussion with a consensus on the next steps for doing business. That's my goal — to ensure that we have a common ground, and everyone understands what they're getting into."

Slot Vendors into Categories Based on Risk
Although T-Mobile is a large, well-resourced enterprise, a best-practice TPRM process has the same basic elements regardless of an organization's size:

  • First, build a framework for third-party categorization, to identify which partners need a deeper assessment based on their role in the organization's business activities, and the size and criticality of the relationship.

  • Develop a workflow to address the intersection of risk and criticality. Working from the categorization framework, risk managers can use cybersecurity risk quantification tools to create portfolios of third parties. In this way, cyber-risk and business impact/criticality can be considered together.

  • Establish a cadence for frequently assessing high-impact suppliers, using an analytic approach that combines business criticality and risk.

  • Ensure appropriate risk transfer, typically achieved through insurance. A simple approach considers the intersection of supplier risk and criticality, and requires insurance from suppliers where additional protection is indicated. Risk mitigation is also an option, either by increased third-party controls or additional controls at the organization.

In a properly executed TPRM program, not all vendors are treated alike, even vendors of the same type. For example, a media company shooting an ad about a product that has already been publicly announced has a different risk profile than a media company working on a video about information that hasn't yet been made public. Clearly, stricter control sets should be applied to certain vendors.

Qualitative Assessment Is Key
Unlike the traditional "check the box" approach, today's TPRM best practices include both qualitative and quantitative assessment of business partners. "These measures complement each other," T-Mobile's Wallace said at the Cyber Series event. "There's always a push in risk management to make risk black and white, with hard data that shows what's good and what's bad. A risk model needs to blend the two. With a foundation of hard data and facts — such as who has access to certain data, how many people have it, and where data is going to and coming from — vendors should take more of an analyst's approach to looking at it further."

"For any vendor," he continued, "an analyst can further assess risk by looking at security risk scores or comparing the risk scores of similar businesses that organizations have worked with in the recent past. All of this information is used to build a third-party risk model and threat profile that takes into account both subjective information and objective measurements and balances this piece to allow us to be more hands-on in forming a judgment."

Though T-Mobile's vendor ecosystem numbers in the tens of thousands of partners, the best practices it is following can benefit organizations of any size.


Doug Clare is Vice President of Fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ...