Third-party data breaches are on the rise, but at the end of the day, organizations are held accountable for the (mis)management of their customers’ data. Take the Kaseya cyberattack, for instance: attackers breached Kaseya’s VSA remote monitoring and management (RMM) technology, which gave them access to the clients of several Managed Service Providers that used Kaseya’s services for their business. Other glaring examples of third-party breaches are those of Marriott and General Electric, both of which led to a loss of customer data.
Ponemon Institute reports that while many businesses continue to outsource critical business processes to third parties, 63% of organizations don’t have visibility into the level of access and permissions for both internal and external users, and are in the dark about the extent of
- access to their network
- when they are in their network, and
- why they are in their network
Without the correct controls over vendors, both technical and contractual, inadequate Third-Party Risk Management (TPRM) amounts to inviting a data breach in.
Why is it happening?
Traditional TPRM is limited to spreadsheet-based, point-in-time, manual processes. 82% of organizations still use spreadsheets to log, assess, and manage third parties. While this was barely making ends meet about a decade ago, the advancing digitization of businesses no longer makes this process time- or energy-efficient. Today, 51% of organizations are not assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information. Do the remaining 49% of organizations have visibility of the true, real-time cyber risk posture of their third-party network and data?
What should you do?
TPRM needs to be in alignment with the enterprise’s cybersecurity strategies. Assessing only your direct third-party contractors is inefficient. Organizations need visibility into their nth-party ecosystem – monitoring each of their SaaS applications, individual risk postures, and independent policies – with the same diligence they apply to subsets of their own business. A time-tested best practice is to take data-driven control of nth-party cyber risks via granular monitoring and real-time auditing of third-party access using machine-learning-enabled platforms. A predictive model of threat detection enables businesses to track suspicious activity and detect incidents before they turn into breaches.
This is possible through real-time, Machine Learning-enabled quantification of the cyber risk posture of every third-party in the network, both immediate and extended.
According to Gartner, the ideal flow of third (nth) party assessment begins with a formal evaluation and written report; however, it needs to be supplemented with Security Rating Services to ensure 360-degree coverage. Coverage should go beyond the basic outside assessment to include the vendors’ policies (via questionnaires), outside-in assessments, and a real-time inside-out assessment of the third party’s critical systems, including their cloud-security posture.
The preliminary steps to kickstart the automation of TPRM are:
- Streamline assessment periods:
An organization has an average of 5,800 third-party vendors. A standard operating procedure should be defined to categorize vendors into three tiers based on their size and the level of critical data access available to them:
  - Tier 1 vendors, with the highest cyber risk, should be assessed in real time;
  - Tier 2 vendors should be assessed daily; and
  - Tier 3 vendors, with the lowest cyber risk, should undergo weekly assessments.
- Assess the entire digital footprint of all third parties through a non-intrusive, outside-in risk assessment:
  - Email Security: for DNS settings that identify and avoid incoming phishing/fraudulent emails
  - DNS Security: for common unsecured configurations and vulnerabilities
  - Application Security: for misconfigurations and vulnerabilities
  - Network Security: for misconfigurations and vulnerabilities
  - System Security: for insecure configuration
  - Breach Exposure: for identification of inadvertent/intentional exposure of potentially sensitive information through a data breach of your vendor organization
  - Compromised Systems: to detect systems and applications involved in malicious and/or unusual activity
  - Cyber Reputation: to identify threats that may damage an organization’s brand reputation and eventually affect its revenue
- Use digital business risk quantification to their advantage.
Risk quantification platforms continuously run automated, machine-learning-backed scans to monitor the real-time cyber risk posture of all of a business’s critical third parties. To simplify the procedure, they can use a consistent risk metric such as breach likelihood. Risks posed by an enterprise’s third-party network are denoted as:
  - Critical: Root-level compromise of servers or infrastructure devices with devastating consequences.
  - High: Elevated privileges and significant data loss or downtime, indicating high-priority remediation.
  - Medium: Exploitation provides limited access but should not be ignored.
  - Low: Very little impact and low-priority security alarms.
  - Informational: Security gaps that do not need immediate remediation.
Risk quantification enables organizations to know the likelihood of being breached through all or each of their third-party suppliers, in real time and on a single, unified (all-in-one) dashboard. Internally, such a model uses a Bayesian network and a machine-learning-based risk quantification engine that takes signals from endpoints, vendor employees, their applications, and continuous domain vulnerability assessment, and integrates all of it into the financial impact a breach through an nth party would have on the business.
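As an added illustration (not the page’s or Safe Security’s code) of how the tiering rule above and a breach-likelihood model could feed one dashboard row: each outside-in category is treated as an independent cause in a noisy-OR node, which is the simplest Bayesian-network combination of such signals. Every weight, severity threshold and the headcount cut-off is an assumption, and the vendor records are constructed.

```python
from math import prod
# Assumed P(breach | category fully weak), per outside-in category; not a real model.
SIGNAL_WEIGHTS = {
    "email_security": 0.05, "dns_security": 0.04, "application_security": 0.15,
    "network_security": 0.10, "system_security": 0.08, "breach_exposure": 0.20,
    "compromised_systems": 0.30, "cyber_reputation": 0.02,
}
TIER_CADENCE = {1: "real-time", 2: "daily", 3: "weekly"}  # cadences from the text

def breach_likelihood(findings):
    """Noisy-OR over independent causes (one Bayesian-network node):
    P = 1 - prod(1 - w_i * s_i), with finding scores s_i in [0, 1]."""
    for name, score in findings.items():
        if name not in SIGNAL_WEIGHTS or not 0.0 <= score <= 1.0:
            raise ValueError(f"bad finding {name}={score}")
    return 1.0 - prod(1.0 - SIGNAL_WEIGHTS[n] * s for n, s in findings.items())

def severity(likelihood):
    """Map a likelihood to the five bands listed above; thresholds are assumed."""
    for band, floor in (("Critical", 0.5), ("High", 0.3), ("Medium", 0.15), ("Low", 0.05)):
        if likelihood >= floor:
            return band
    return "Informational"

def assign_tier(critical_data_access, headcount):
    """Assumed rule: critical-data vendors are Tier 1, large vendors without
    critical data are Tier 2, all others Tier 3."""
    if critical_data_access:
        return 1
    return 2 if headcount >= 1000 else 3

def expected_loss(likelihood, breach_impact_usd):
    """Expected financial impact of an nth-party breach: likelihood times impact."""
    return round(likelihood * breach_impact_usd, 2)

def assess(vendor):
    """One dashboard row: tier, cadence, likelihood, severity band, expected loss."""
    p = breach_likelihood(vendor["findings"])
    tier = assign_tier(vendor["critical"], vendor["headcount"])
    return {"vendor": vendor["name"], "tier": tier, "cadence": TIER_CADENCE[tier],
            "likelihood": round(p, 4), "severity": severity(p),
            "expected_loss_usd": expected_loss(p, vendor["impact"])}
# Constructed vendor records, not real organizations.
VENDORS = [
    {"name": "payroll-saas", "critical": True, "headcount": 400, "impact": 2_000_000,
     "findings": {"email_security": 1.0, "compromised_systems": 0.5}},
    {"name": "office-supplies", "critical": False, "headcount": 50, "impact": 50_000,
     "findings": {"dns_security": 0.5}},
]
REPORT = [assess(v) for v in VENDORS]  # what a unified dashboard would list
```

Note that the noisy-OR treats categories as conditionally independent, so correlated findings (for example, a compromised system that also explains the weak email posture) are over-counted unless the network is given explicit edges between them.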
An organization’s cybersecurity strategy needs to adapt to the security needs of the present and the future. At a time when third-party vendors are becoming as essential as innate business functions, it is time for enterprises to adopt a dynamic and comprehensive TPRM strategy. As Bill Gates said, “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.”
The author is Saket Bajoria, Chief Product Officer, Safe Security.