‘It Comes Back To You’: Evaluating Third-Party Cyber Risk Management
By: Dan Gunderman
Like many facets of cyber security, third-party risk management is both crucial and subject to frequent change. Achieving high maturity and a stable, resilient security posture is the chief concern of today’s CISO or members of the enterprise team.
For many of them, however, the risk extends far past their grasp – into the boardroom and, wider, into the third-party ecosystem. That is, the vendors and contractors who conduct business with the enterprise – and may hold privileged accounts or other powerful access. What governs these practices? Do rolling password changes effectively do away with this issue?
The answer is no. Risk management is complex and convoluted – and extends far beyond the security operations center (SOC). There are different tiers of maturity, of course, and each enterprise has differing levels of resources. Yet there should still be an underlying goal: optimal security for the network that’s in place, monitored by the security team that’s also in place.
To understand the current risk landscape, the Ponemon Institute conducted exhaustive research into maturity, resiliency and company mindset with regard to risk. The 2017 Third Party Data Risk study led with the following statistic: 56% of respondents experienced a third-party data breach – a figure 7% higher than in 2016.
According to the research, on average U.S. companies pay $7,350,000 per breach in fines, remediation costs and loss of customers. A whopping 57% of respondents do not have an inventory of all the third parties with which they share sensitive information. The same percentage was unsure if third parties’ policies would prevent a data breach.
A minuscule 17% of respondents felt they’re highly effective at mitigating third-party risks. That number fell from 22% in 2016.
Despite the staggering statistics, there is an internal movement occurring alongside the rise in breaches and third-party activity. And that is acknowledgment within the boardroom. Five percent more respondents now have an owner of their third-party risk program, the study points out.
From 2016-17, 15% more respondents said their boards are more involved in third-party risk management programs.
Similarly, the 2017 Vendor Risk Management Benchmark Survey conducted by consultancy company Protiviti determined that: “Organizations in all industries are making progress in improving how they manage vendor and third-party risks.”
“The study…also found that 71% of insurance companies, including healthcare payers, said they will change their high-risk relationships over the next 12 months,” the findings suggest, “with nearly half of all respondents (48%) saying it has become imperative from a risk and regulatory standpoint to assess vendors’ contractors.”
Perspectives From The Security World
Scott Schneider, Chief Revenue Officer at CyberGRX, told the Cyber Security Hub that in ensuring data security in a third-party setting – somewhat at the network’s periphery – understanding where your data resides is a significant first step.
He said, “In addition to the data that you control, which of your third parties – including vendors, subsidiaries, service providers, joint marketing partners, call centers and cloud providers – have access to sensitive data?”
Schneider said that in addressing network gaps, the identification process continues: Who has access to your data, your facilities, or even your network? He advocated “due diligence” on each of the third-party controls, developing a closed-loop process with the third-party ecosystem and embracing the more modern approach of continuous visibility into a third party’s security posture.
Expanding on this, national cyber security expert and the Director of Information Security Services at Integral Partners, Kayne McGladrey, told the Cyber Security Hub that, “If you’re breached by a third party, nobody cares that it’s the third party’s fault. It comes back to you.”
He continued: “It’s your fault for not having adequate controls. And the single easiest third-party control is around onboarding and off-boarding third-party accounts.”
Even if you’re rotating passwords, monitoring privileged access, auditing, etc., McGladrey said you must know, empirically, who’s accessing your network.
McGladrey said that one major issue surrounding third-party access is shared accounts. That is, when outside contractors access enterprise data, they’re all logging in with the same account.
“The way to get around that,” McGladrey told the Cyber Security Hub, “is to institute named accounts for vendors with third-party access… Have onboarding and off-boarding be both a legal agreement and a well-thought-out process. If an employee at a third-party organization leaves, or is suspended, their access should be immediately revoked.”
McGladrey continued: “The bottom line is, if somebody leaves, the account should not work any longer on third-party networks to which that account had access – especially if he/she was terminated for cause.”
Upon a third-party breach, a capable organization would identify the compromised accounts, lock them down and limit the damage sustained by end users.
McGladrey said much of this hinges on early identification. If not, it’s almost as if you have a house “built in sand.”
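The controls McGladrey describes – named accounts per vendor individual, and off-boarding that actually revokes access – can be checked mechanically. The script below is an added example, not code from the article or from any of the organizations quoted in it: it runs two constructed data sets (a vendor account inventory and a handful of authentication log lines, both invented for illustration) through four defender-side checks: accounts with no named owner, accounts still enabled after their owner was off-boarded, successful logins after the off-boarding date, and one account being used from several source addresses inside a short window, which is the tell-tale sign of a shared login. Field names, the log format and the five-minute window are all assumptions of this example.

```python
"""Third-party account hygiene checks (added example; inventory and log are constructed)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed vendor account inventory (assumed schema): one record per third-party login.
# 'person' is the named individual at the vendor (None means nobody owns the account);
# 'offboarded' is the date the vendor reported that person gone or suspended (None if active).
VENDOR_ACCOUNTS = [
    {"account": "acme-jsmith", "vendor": "Acme Support", "person": "J. Smith",
     "enabled": True, "offboarded": None},
    {"account": "acme-rlee", "vendor": "Acme Support", "person": "R. Lee",
     "enabled": True, "offboarded": date(2018, 3, 1)},   # left the vendor, still enabled
    {"account": "hvac-shared", "vendor": "HVAC Co", "person": None,
     "enabled": True, "offboarded": None},               # no named owner at all
]

# Constructed authentication log (assumed format): timestamp account source_ip result
AUTH_LOG = """\
2018-03-02T09:14:07 acme-jsmith 203.0.113.10 success
2018-03-02T09:20:41 acme-rlee 203.0.113.11 success
2018-03-02T09:21:03 hvac-shared 198.51.100.5 success
2018-03-02T09:21:09 hvac-shared 198.51.100.77 success
2018-03-02T09:21:15 hvac-shared 192.0.2.33 success
2018-03-02T11:02:55 acme-jsmith 203.0.113.10 failure
"""


def parse_auth_log(text):
    """Turn the whitespace-separated log lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        ts, account, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "result": result})
    return events


def find_unowned_accounts(accounts):
    """Accounts with no named person: these cannot be tied to one individual."""
    return sorted(a["account"] for a in accounts if a["person"] is None)


def find_stale_accounts(accounts, as_of):
    """Accounts whose owner was off-boarded on or before as_of but that remain enabled."""
    return sorted(a["account"] for a in accounts
                  if a["enabled"] and a["offboarded"] and a["offboarded"] <= as_of)


def find_post_offboarding_logins(accounts, events):
    """Successful logins by an account after its owner's off-boarding date."""
    cutoff = {a["account"]: a["offboarded"] for a in accounts if a["offboarded"]}
    return sorted((e["account"], e["ts"].isoformat()) for e in events
                  if e["result"] == "success" and e["account"] in cutoff
                  and e["ts"].date() > cutoff[e["account"]])


def find_shared_usage(events, window_seconds=300, min_sources=2):
    """Accounts with successful logins from >= min_sources distinct IPs inside one window.

    A genuinely named account is rarely used from several places at once; a login
    handed round a contractor team is. Returns {account: [sorted source IPs]}.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide a window starting at each login
            srcs = {e["src"] for e in evs[i:]
                    if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(srcs) >= min_sources:
                flagged[account] = sorted(srcs)
                break
    return flagged


def run_all(accounts=VENDOR_ACCOUNTS, log_text=AUTH_LOG, as_of=date(2018, 3, 2)):
    """Run every check and return the findings as one dict."""
    events = parse_auth_log(log_text)
    return {
        "unowned": find_unowned_accounts(accounts),
        "stale_enabled": find_stale_accounts(accounts, as_of),
        "post_offboarding_logins": find_post_offboarding_logins(accounts, events),
        "shared_usage": find_shared_usage(events),
    }


if __name__ == "__main__":
    for check, result in run_all().items():
        print(f"{check}: {result}")
```

On the constructed data the script reports `hvac-shared` as unowned and as used from three addresses within twelve seconds, and `acme-rlee` as still enabled and still logging in the day after the vendor reported that person gone – exactly the off-boarding failure the article warns about. In practice the inventory would come from the organization’s vendor register and the events from its identity provider or VPN logs, and the stale-account list would feed straight into a revocation ticket.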