It is eight years since the infamous breach that affected Target stores. I think with a company name like that, being a data breach victim was inevitable. As Brian Krebs wrote about the breach, the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor. The vendor in question was a refrigeration, heating, and air conditioning (HVAC) subcontractor that had worked at several Target locations.
The story of the Target breach is that a corporate network is only as strong as its weakest link. When it comes to technology, you can outsource responsibility, but you can never outsource liability. And when a firm has a third-party vendor, it needs to ensure that the vendor does not introduce levels of liability that can’t be tolerated.
In Cybersecurity and Third-Party Risk: Third-Party Threat Hunting (Wiley), author Gregory C. Rasner has written a helpful guide that provides the reader with an excellent overview of third-party risk issues and how to create a program to manage them. Having a third-party risk management (TPRM) program to identify and reduce risks relating to the use of third parties (including vendors, suppliers, partners, contractors, service providers, and more) is a crucial part of a company’s risk management program.
For those who need assistance, the book shows how to create a third-party risk management program to mitigate risk associated with third-party relationships and how to comply with their corporate policies. Such a program is critical as every firm relies on services from and engages in business relationships with third parties. But whenever one engages with an external third party, that third party can and will introduce risks to the organization.
An effective third-party risk management program will enable a firm to identify, monitor, manage, and report risks associated with these third-party relationships per corporate policies and laws.
The book shares a potentially frightening statistic in that the average company has nearly 600 vendors who have access to customer personally identifiable information (PII). And on average, nearly 100 vendors can access a company’s network on a weekly basis. Since they have access to your network and its associated data, performing due diligence on third parties is crucial.
Two areas where the book shines bright are offboarding and cloud computing. While it is crucial to have a program to onboard vendors, it is equally essential to ensure that when their term ends, vendors are offboarded. In too many organizations, once a vendor is approved, they can be in the directory and have network access for eternity. And that is an unacceptable risk.
Cloud computing also has its unique set of requirements. Far too many people think the cloud is inherently secure, which is a dangerous thought. The cloud and software supply chains are just as insecure on-prem as they are in the cloud.
For those looking to create a TPRM program, Cybersecurity and Third-Party Risk is a valuable read. Those who have an existing TPRM program may want to reappraise its efficacy after reading the book, given it has some of the best practices for the current state of third-party risk.