Managing third-party cyber security risk in today’s highly connected businesses isn’t easy. Security and risk management teams are pulled in competing directions as they respond to the demands of regulators – echoed by the Board – to comply with legislation. Simultaneously they need to monitor and mitigate emerging risks that don’t appear on a regulator’s checklist but could have a critical impact on the business. The tension between competing risk agendas stretches in-house resources to breaking point and raises the possibility that, when new risk surfaces in the supply chain, the business is busy looking the other way.
Part of the problem is measurability. It is easier to understand, measure and demonstrate compliance with regulations than it is to understand the complex issues of devolved cyber risk in the supply chain. It is hard to put a value on the actions that prevent a breach from happening in the first place, whereas it is simpler to point to the penalties avoided when regulatory compliance is achieved. This can lead organisations to focus attention on the compliance side of the balance rather than on the deeper challenge of identifying vulnerabilities in the extended supplier ecosystem.
As a result, actions do not always genuinely reduce risk for the organisation. Also, an unhelpful assumption remains that some supply chain cyber risk, especially that coming from the long tail outside an organisation’s tier one vendors, is inevitable and unavoidable.
Attempts to resolve the tension and make third-party cyber security management more quantifiable have only partly succeeded. Security ratings, for example, which deliver an objective benchmark of a vendor’s security posture, are helpful to a point. But they need to be viewed in the context of the vendor’s relationship to your business – a vendor might achieve a relatively good rating, but if there is zero tolerance in the business for that risk, good might not be good enough.
And it is also worth considering that even if a partner has a good cyber security rating, it doesn’t mean they won’t get breached, in the same way that compliance with regulations is no guarantee of protection. So, what is the way forward? How can organisations gain genuine, actionable insight into the risk in their supply chain while also satisfying regulatory requirements, using the resources they have? It’s a case of knowing where to look and what to look for.
Where to look: beyond tier one vendors
The issue most businesses face when managing supply chain risk is scale. With thousands of existing vendors and new ones coming onboard every week, the size of the task is immense. That’s when businesses settle for the theory that the biggest vendors represent the biggest risk and devote resources to assessing and monitoring tier one suppliers. However, this is a dangerous assumption. The aggregate risk from vendors outside tier one more than outweighs those big suppliers. In fact, attackers know that big brands have better security; they are much more likely to target the lower tier, less well-defended partners that can give them a route into the targets they’re looking for. Yet those lower tier partners are typically relegated to annual point-in-time compliance questionnaires, leaving a significant blind spot between assessments.
A classic example of this third-party risk and scale problem was the 2017 NotPetya attack. In this attack the servers of Ukrainian software company Linkos Group, vendors of accounting package M.E.Doc, were hacked and trojan software injected. This went on to infect M.E.Doc customers, ultimately crippling multinational companies from shipping giants Maersk to food producer Mondelēz and many more. At the time this attack was assumed to be highly sophisticated and a situation where the victims could have done little to prevent it. But that is not wholly true; the attack was bold, but not complex. Where the real danger emerged was in the fact that Linkos was simply not important enough in any of those large companies’ hierarchy of suppliers to be the focus of cyber risk scrutiny. If it had been, a simple scan likely could have identified its security failings and the potential risk it posed.
Scaling a risk program to cover the long tail of the vendor ecosystem and flag material risks that may have previously been beneath the radar has to be done in an intelligent way, acknowledging that information overload is a key problem. The data is obtainable and automated systems can gather it, but its sheer volume is unmanageable – if you have a team of six risk managers and an ecosystem of 10,000 vendors, a 100-page report on each vendor is almost as bad as no data at all. Add to this the high volume of false positive alerts generated by automated systems and the problem becomes even more untenable.
Ultimately, data must be viewed and prioritised through a lens that takes into account the business’s risk appetite and sector-specific risks, the frameworks and regulations with which it must comply, and the importance and extent of each vendor’s links to the organisation. Here, knowing what to look for is key to identifying and prioritising risk.
What to look for: trends and exceptions
It is not possible to analyse the detail of absolutely everything that is happening through the vendor ecosystem. Instead identify the important emerging trends and exceptions and focus on what they mean for your business. At BlueVoyant we ask clients to identify a set of critical factors and key indicators, including business-specific issues and regulatory requirements, that we use to carry out thematic investigations across the ecosystem – informed by external threat detection datasets - to identify where risk lies. We map this to the organisation’s frameworks and reporting requirements, so the data has context for the business. The results make sense of the data and allow us to advise clients on how they can efficiently triage risk alerts, eliminate false positives and prioritise actions so they focus resources where they will have greatest impact – both in terms of reducing organisational risk and satisfying compliance demands.
Ultimately, we do the heavy lifting of data collation and analysis and present the outcomes in the context of the genuine risk posed to the business, together with recommended actions and the facility to implement and manage those actions to achieve resolution, if required. This means risk managers can unify and satisfy competing risk agendas and deliver clearly evidenced value back to the business in terms of risks resolved, rather than drowning in a deluge of data.
This approach, which looks beyond tier one vendors and analyses threat data in context closely aligned to the business, is key to modernising third-party cyber risk management and making it achievable by more businesses.
Ewen O’Brien, Head of Third-Party Managed Cyber Risk Service, BlueVoyant