Today’s cybersecurity landscape requires a flexible and data-driven risk management strategy to handle the expanding attack surface of third parties.
When a company outsources services by sharing data and network access, it inherits cyber risk from its suppliers’ people, processes and technology, and from those suppliers’ own third parties. The typical enterprise works with almost 5,900 third parties on average, meaning that companies face a huge amount of risk no matter how well they cover their own bases.
For example, 81 individual third-party incidents led to more than 200 publicly disclosed breaches and thousands of ripple-effect breaches by 2021, according to a report by Black Kite.
The current outside-in approach to managing third-party risks is inadequate. Instead, the industry needs to move to a new approach to third-party risk management by starting conversations that go beyond outside assessments. Specifically, companies must establish zero-trust principles for all suppliers, assess external and internal asset risk with inside-out assessments, and measure cyber risk in real time.
The zero-trust principle of “Never trust, always verify” has been widely applied to manage internal environments, and organizations should extend this understanding to third-party risk management.
To counter this inherited risk, companies must view suppliers as subsets of their own business.
The Impending Threat
The amount of data and business-critical information a company shares with its suppliers is staggering. For example, a company may share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers for sharing with insurers, and give marketing agencies access to customer data and personally identifiable information (PII).
This is just the tip of the iceberg, and most companies don’t know how big the iceberg really is. In a survey conducted by Ponemon Institute, 51% of the companies surveyed said they do not assess the cyber risk exposure of third parties before granting them access to confidential information. In addition, 63% of the companies surveyed said they lack visibility into what data and system configurations vendors access, why they access it, who has permissions, and how the data is stored and shared.
This vast network of companies sharing information in real time results in a massive attack surface that is becoming increasingly difficult to manage. To address this challenge, companies are using cybersecurity initiatives such as questionnaire-based onboarding surveys and security assessment services in their third-party risk management strategies.
While these tools have clear use cases, they also have serious limitations.
Cybersecurity assessment services are a fast and cost-effective approach to third-party risk assessments. Their simplicity — scoring a vendor’s cyber risk much like a credit rating in financial services — makes them a popular choice, despite their limitations.