Companies need to step up efforts to manage third-party risks

Organizations can no longer afford financial, reputational fallout from breaches


Third-party risk—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—is a tangible and growing concern.

However, while many companies are cognizant of third-party risk, actually addressing this emerging concern is not yet a high priority in the commercial sector.

It should be, especially among small and medium-size organizations that soon may have to prove their cybersecurity fitness in order to win contracts from first-party business customers.

Mike Patterson, Rook Security vice president of strategy

“In the perfect world, any company that wants to do business with you should put forth their security policy and posture to you and defend it,” says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider.

A Ponemon Institute survey recently found that the majority of the 600-plus respondents agreed that third-party risk was both serious and growing significantly in their organizations. In fact, the average cost of responding to security incidents that resulted from third parties was $10 million.

On the other hand, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.


Meanwhile, another survey by Soha’s Third Party Advisory Group found more than 60 percent of data breaches can be linked directly or indirectly to third-party access. Yet of the 200-plus survey respondents, only 2 percent considered that access a top IT priority in the context of security.

Security expectations grow

Security experts note that first-party organizations in a business-to-business transaction are increasingly demanding proof of robust information security practices from third-party suppliers.

That means third-party contractors—including those that supply legal, accounting and marketing services—should expect to be challenged about their information security practices going forward, Patterson says.

“Third parties should be prepared for this kind of scrutiny,” he says. “Security can be used as a way of getting more clients and revenues, not just protecting clients and revenues.”

Ignorance a factor

First-party organizations also are contributing to the problem. Some 56 percent of respondents to the Ponemon survey didn’t even know what kind of high-value assets and intellectual property their organizations placed into the hands of third parties.

The Ponemon poll was sponsored by Shared Assessments, a third-party risk management program of the Santa Fe Group.

Charlie Miller, Santa Fe Group senior vice president

“I think that there is a lot of information that is yet to be understood in the third-party risk space—there’s an upward learning curve in terms of what some of the threats (are) and what the impact of those threats are on the institution,” says Charlie Miller, senior vice president at the Santa Fe Group.

With awareness low, criminals are taking advantage of supply-chain weaknesses, which, Patterson notes, is not hard to do. Vendors frequently send out news releases or list their customers on their websites, so “smart attackers know who the third parties are,” he says.

With outsourcing continuing to rise, the problem is going to get worse before it gets any better, observes Haseeb Budhani, co-founder and CEO of Soha Systems. That’s because first-party companies are not treating their contractors as a separate class of users when it comes to access, he says.

Haseeb Budhani, Soha Systems co-founder and CEO

“The risk is much higher with third parties because they don’t work for you and may not be following the same policies that you enforce for your employees,” Budhani says. “And hackers look for those types of users, like contractors, and target them to get into networks.”

Soha’s survey also found that enabling third-party access involved, on average, five to 14 separate software or hardware components.

“It’s clear that the complexity involved is the biggest impediment to a good solution to a secure environment,” Budhani says.

Historically, the relationship between the first and third party was largely about contractual governance—having the right contract language to ensure a vendor would indemnify the company in the case of breach liability, says Brian Branner, executive vice president at RiskAnalytics, a cyber risk management and security company.

Vendors get harder look

Though introducing security fitness as a contractual component is in the early development stage, some first-party companies are beginning to assess vendors’ ability to protect sensitive information.

“Some of the larger (companies) will even go as far as physical visits, not just asking questions on an application or assessment,” says Branner, who leads insurance carrier and brokerage negotiations.

Some business contracts now require vendors not just to carry a cyber insurance policy, but also to have specific provisions in it. Branner cautions that it’s easy to buy cyber risk policies online if the business’ revenues are under $25 million, “but it’s not going to be a good policy.”

With first-party organizations moving toward requiring specific cybersecurity provisions, third-party vendors need to be more diligent as they navigate the various plans.

Small and medium-size businesses also are more likely to rely on cyber coverage in other insurance policies, but Patterson sees a decrease in the overlap between cyber and professional and general liability policies.

“Insurers are trying to push as much cyber as possible out of the general liability umbrella into dedicated policies—but we’re a couple of years off [from figuring it out],” he says.

In the meantime, Budhani expects to see more pressure on vendors and contractors to address their security risks.

“We are moving toward an inflection point, but awareness hasn’t reached a crescendo yet,” he says. “In the next year or so, I would expect this to be a bigger problem—and then we’ll get to a point of enforcing better practices as an industry.”
