The Expert View: addressing third-party security risk

The security risk from third parties is growing, and the problem is particularly acute for regulated industries, said Don Goldman of Panorays, introducing a TEISS Breakfast Briefing at London’s Goring Hotel. He said that the Covid-19 pandemic had increased the rate at which businesses were moving to the cloud and adopting software-as-a-service solutions, which in turn had increased the amount of data being shared.

Goldman told attendees at the briefing – all senior risk and security experts from a range of businesses – that the amount of third parties was rapidly outstripping many organisations’ ability to make certain that they were properly secure. It is a challenge that is only going to become more concerning in the coming years.

The risks of big tech

Most businesses are equipped to properly assess top-tier third parties. But some attendees pointed out that even this can be difficult. The major cloud providers often work with standard contracts and are unwilling to respond to specific inquiries or make allowances for specific requirements. There is often no scope for a full audit, which can be a challenge for regulated industries.

More of a problem, said one attendee, is that regulators expect companies to have a viable exit plan in the event of a problem with a cloud provider. However, contracts typically don’t make it easy to exit a cloud service and, though most claim to use standard platforms and programming languages, there are often variations that make it difficult to change services.

Even so, attendees noted that major cloud providers are typically well-secured and very responsive in the event of a breach. It’s likely that their systems are more secure than those of many of their customers. Problems are more likely to emerge with smaller third parties, where security expertise is more scarce and available protections are less mature.

Dealing with start-ups

Furthermore, businesses might be working with a lot of these small third parties. Goldman said he had dealt with companies that had relationships with thousands of third parties, and that there was no way they could all be assessed. The situation is understandable: companies want to benefit from the agility and innovation of small start-ups. These newcomers may offer unique technological capabilities or niche features that are unavailable from big providers.

As start-ups, though, they will inevitably lack the expertise available at a major tech company. Very often there isn’t anyone at the company who can answer security questions, said one delegate at the briefing. What’s more, these start-ups are often built on the cloud themselves, so they have their own third parties. There are layers of potential risk involved.

This is today’s technological landscape, though, and it was agreed that changes must be made to accommodate it. Almost unanimously, attendees wanted to see greater collaboration between government, law enforcement and the private sector to reduce cyber-attacks.

Greater law enforcement efforts will only go so far when cyber-criminals are constantly evolving their attacks. Delegates at the briefing said that governance must change to accommodate the new operating model. Within any organisation new processes are needed to manage third-party risk, and these must be set out ahead of time, not developed as a crisis rages.

A change in process

Rather than auditing suppliers, many attendees wanted to focus on software that monitors infrastructure in real time and offers analysis of how services are performing. This has the benefit of being current and forward-looking, while auditing is necessarily a retrospective exercise.

Regulators need to change too, attendees argued. Too often they are focused on whether a company has filled out the right form or sent the correct questionnaire. But attendees were united in their belief that questionnaires are overlong and unhelpful. Instead, they argued that conversations were more useful to help companies understand their risks and how they are mitigated.

With start-ups and other small third parties, attendees recommended forming partnerships, working closely with the supplier to help them improve their controls and create a service that is a better fit for major customers. Businesses can act almost as incubators in this context, attendees said.

But those at the briefing were keen to emphasise that a focus on technical concerns and system controls only goes so far. They said companies must approach third-party risk with common sense and not allow a box-ticking mentality to dominate.

To learn more about Panorays, the leader in automating third-party security management, visit panorays.com