Effective Steps to Reduce Third-Party Risk


Posted by Phil Won

To start rolling out a third-party risk mitigation strategy, step back to the definition of risk itself and ask two questions: which assets are most valuable to your organization, and what is the potential fallout if they are compromised? Taking stock of your internal assets is usually a simpler exercise than trying to account for each and every third-party connection out of the gate, and it is a helpful place to begin because it establishes the inherent risk within your organization. Once you understand the value of your information and systems, you can take the first steps to reducing the exposure of the most vital assets, both to third parties and to other cyber threats.

Make Third-Party Risk Management a Priority

The next step is to make third-party risk and relationship management a priority within your organization. The whole strategy does not need to happen overnight, but it does need to start somewhere. Regularly reporting to senior leadership or the board of directors on the incremental steps taken to protect sensitive information and systems from third-party breaches can itself help reduce risk. In the Ponemon Institute's November 2018 research report on third-party risk, 53 percent of organizations that had not experienced a third-party breach regularly reported on third-party risk mitigation, compared to only 25 percent of those that had been breached. The likely explanation is that illuminating the problem, rather than sweeping it under the rug, brings the funding and other resources needed to address its full scope.

Create an Inventory of Third-Parties with Access to Your Company/Data

Once you have that transparency and buy-in, you are in a better position to create a complete inventory of all third-party connections to your systems and digital assets. As on social networks, reducing risk means vetting and keeping track of your connections and limiting what you share and how you share it. Building this inventory takes a full assessment across the entire organization: firewall and VPN rules, API keys and service accounts issued to outside parties, SaaS integrations, and vendor support access all count as connections. You can't secure what you can't see, and unauthorized or unknown connections are unfortunately very common. The same report found that 45 percent of companies that had not been breached had created such an inventory, compared to only 22 percent of those that had. Not every organization has the resources or time for a full accounting of its connections, but any assessment is better than none. Cybersecurity is incremental, a process rather than a destination.

Prioritize Connections by Risk

Take the list of third-party connections and prioritize them by risk, according to what each connection can reach and the potential fallout of a breach, then focus on securing the highest-risk connections first. Apply the principle of least privilege: each third party should have access only to the systems and data that are absolutely necessary for its stated purpose, and access granted for work that has ended should be revoked. If no connection is needed, eliminate it. The fewer connections you have, the less there is to protect. If data is shared only for monitoring or accounting purposes, consider a higher-assurance mechanism such as a data diode, which enforces one-way transfer in hardware. Because no traffic can flow back in, this removes the inbound path into your organization much as severing the connection would, though the data sent out still needs to be minimized and protected. If external access is required, segment your network so that the areas third parties reach do not provide an open door to the rest of the organization.
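As an added example (not code from the original post or from Owl Cyber Defense), the Python script below takes a constructed inventory of third-party connections and applies the inventory-then-prioritize steps above: it ranks each connection by the value of the most sensitive asset it can reach, scaled by how exposed and how broad the connection is, flags access that exceeds the documented need, marks stale or never-used connections for removal, and identifies monitoring- or accounting-only connections that could move to a one-way transfer. The asset values, direction weights, 90-day staleness threshold and vendor entries are all assumptions for illustration.

```python
"""Risk-rank third-party connections and flag least-privilege gaps.

Added example, not from the original post or from Owl Cyber Defense.
ASSET_VALUE, DIRECTION_WEIGHT, STALE_DAYS and INVENTORY are constructed
assumptions; replace them with your own asset valuation and connection data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Value of each asset a connection could reach, 1 (low) to 5 (critical).
# Assumed scale; this is where the "which assets matter most" step feeds in.
ASSET_VALUE = {"public_web": 1, "accounting": 3, "pii_db": 5, "plant_control": 5}

# Exposure weight by direction of the connection (assumed).
DIRECTION_WEIGHT = {"outbound_only": 1, "inbound": 2, "bidirectional": 3}

STALE_DAYS = 90  # assumed: unused this long means a candidate for removal


@dataclass
class Connection:
    vendor: str
    reachable: Set[str]            # assets the connection can actually reach
    justified: Set[str]            # assets the documented business need covers
    direction: str                 # key of DIRECTION_WEIGHT
    purpose: str                   # e.g. "monitoring", "accounting", "support"
    last_used_days: Optional[int]  # None = never observed in logs


def inherent_risk(conn: Connection) -> int:
    """Impact of the most sensitive reachable asset, scaled by how exposed
    and how broad the connection is. Higher means fix first."""
    if not conn.reachable:
        return 0
    impact = max(ASSET_VALUE[a] for a in conn.reachable)
    return impact * DIRECTION_WEIGHT[conn.direction] * len(conn.reachable)


def findings(conn: Connection) -> List[str]:
    """Apply the least-privilege, eliminate and one-way tests from the post."""
    out = []
    excess = conn.reachable - conn.justified
    if excess:
        out.append(f"least privilege: revoke access to {sorted(excess)}")
    if conn.last_used_days is None or conn.last_used_days > STALE_DAYS:
        out.append("no recent use: eliminate the connection")
    if conn.purpose in ("monitoring", "accounting") and conn.direction != "outbound_only":
        out.append("one-way flow suffices: replace with outbound-only transfer (e.g. data diode)")
    return out


def prioritize(inventory: List[Connection]) -> List[Tuple[str, int, List[str]]]:
    """Return (vendor, risk, findings) with highest risk first; ties by name."""
    ranked = sorted(inventory, key=lambda c: (-inherent_risk(c), c.vendor))
    return [(c.vendor, inherent_risk(c), findings(c)) for c in ranked]


# Constructed sample inventory (not real vendors or data).
INVENTORY = [
    Connection("HVAC vendor", {"plant_control", "accounting"}, {"plant_control"},
               "bidirectional", "support", 12),
    Connection("Payroll SaaS", {"pii_db"}, {"pii_db"}, "bidirectional", "integration", 1),
    Connection("Auditor", {"accounting"}, {"accounting"}, "inbound", "accounting", 400),
    Connection("SOC provider", {"plant_control"}, {"plant_control"},
               "bidirectional", "monitoring", 0),
    Connection("Marketing agency", {"public_web"}, {"public_web"}, "inbound", "integration", None),
]

if __name__ == "__main__":
    for vendor, risk, notes in prioritize(INVENTORY):
        print(f"{risk:3d}  {vendor}")
        for note in notes:
            print(f"      - {note}")
```

Run as a script, the highest-risk connections print first with their recommended actions. The scoring is deliberately simple so that its inputs (asset value, direction, breadth) stay visible and debatable, which is what a prioritization conversation with leadership needs; the point is the structure of the triage, not the particular weights.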

Vet the Security & Security Practices of Third Parties

If your organization can afford the resources, it is highly recommended to vet the security and security practices of your vendors, customers, and other third-party connections. The simplest and least expensive option is to send each connected organization a questionnaire, or attestation, about its security practices. Such a questionnaire can be built into onboarding or required as part of a service level agreement. Although the answers may be subjective or qualitative, an account given directly by the organization is far more useful than vague contractual language promising to follow security procedures to the best of its ability. Remember, any breach of your organization ultimately comes back to you, no matter how it happened.

An even better and more accurate method is to go onsite and assess the third party's security yourself, but that often requires more time and resources than many organizations can afford. It also requires an uncommon level of expertise, and a willingness on the third party's side to let you onsite and into the gritty details of its security, which very few organizations are willing to do. As an alternative, more organizations are turning to independent risk scoring.

Often similar in style to a credit rating, these independent security ratings are based on objective, quantitative data that is observable from outside the rated organization, such as the configuration of its internet-facing systems. Because the assessment is repeatable and unbiased, it lets organizations build a baseline of acceptable security and risk and measure improvements over time. Ratings bypass the need to "take their word for it", and a good rating can be a compelling selling point for a third party in its other relationships. Bear in mind that an outside-in score does not see internal controls, so it complements rather than replaces a questionnaire or onsite assessment. While the most expensive option, using an independent security ratings firm typically does not require any additional personnel or other resources.

Once you have formally assessed the security of your third-party connections, return to the previous step and reprioritize your security resources based on where they are needed most. Or, if you have the resources, begin to develop and automate a zero-trust strategy.

Third-party connections and breaches are not going away any time soon, so there’s no time like the present to develop and maintain a strong risk mitigation plan. Your reputation depends on it! 


Contributors
Phil Won

Product Manager, Owl Cyber Defense

Security Strategy & Architecture

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
