The benefits of a diverse, interconnected supply chain are compelling. Agility, speed, and cost reduction all weigh on the positive side of the equation, prompting businesses to pursue close, collaborative relationships with vendors, often numbering in the hundreds or thousands.
On the negative side is the Pandora’s box of cyber risk, opened when enterprises expose their networks to third parties. In our modern interconnected working world, most businesses have an extended ecosystem of partners and it only takes one of those to have cyber security vulnerabilities to bring a business to its knees. The challenge facing today’s enterprise is working out which one!
This is complicated by several factors: the escalating global threat environment; increasing regulatory focus on cyber liability; the high number and diversity of partners in the business ecosystem; an exponential growth in data and alerts; and the tension between risk management and business agility that pressurises in-house teams to onboard new partners at speed. They add up to a cyber risk management challenge which threatens to overwhelm all but the most highly resourced companies. As a result, breaches originating in third parties are common and costly – a Ponemon Institute/IBM study found that being caused by a third party was the top factor that amplified the cost of a breach, adding an average of $370,000 to the breach cost and increasing it to $4.29m.
A dive into the factors affecting the third-party cyber risk environment exposes the extent of the cyber risk management problem and some of the questions businesses need to address.
An escalating global threat environment amid rapid digital transformation
Today every business operates in a global cyber threat environment growing in scale and sophistication. Attack tools that were previously accessible only to a small cohort of advanced cyber criminals can now be purchased in commoditised form and launched by any of millions of low-skilled attackers, to destructive effect.
Cyber criminals have also recognised the potential of exploiting partner ecosystems to attack high-value targets that have strong external cyber defences: they compromise a smaller, less well-defended partner and use stolen credentials to infiltrate the ultimate target, where they disrupt, destroy or steal valuable data. This tactic is increasing in frequency and means cyber risk can come from any partner who might inadvertently become an accessory to cyber criminals. According to the Verizon 2020 Data Breach Investigations Report, while differences between small and medium-sized businesses (SMBs) and large organisations remain, the movement toward the cloud and its myriad web-based tools, along with the continued rise of social attacks, has narrowed the dividing line between the two. As SMBs have adjusted their business models, the criminals have adapted their actions to keep in step and select the quickest and easiest path to their victims.
Despite these growing risks, reliance on digital information exchange with third parties continues to increase as organisations pursue digital transformation objectives, and this has been accelerated by the impact of COVID-19. Organisations have rapidly implemented digital workflows and software-based authorisation systems as manual, paper-based processes have become off-limits. Digital networks have never been more important, and this has increased cyber attack opportunities.
Monitoring and mitigating third party cyber risk in this environment is a 24/7 challenge where businesses are usually playing catch-up to the latest emerging threat.
Regulation adds complexity and tension
In response to the growing impact of cyber breaches on businesses and consumers, a raft of data privacy regulations has been implemented around the world, establishing the level of protection individuals can expect and the liability companies bear for safeguarding data. Accompanying this are the cyber-focused frameworks applying to specific sectors, such as finance and healthcare, setting rules around the procurement and management of third-party services like cloud infrastructure.
These regulations place a further onus on compliance teams to manage cyber risk in a way that demonstrates adherence to key regulations. This often raises tension between activities undertaken for compliance purposes, and those that are genuinely effective at reducing cyber risk, an issue we’ll explore in a future article. The situation is amplified by the scale and diversity of modern third-party ecosystems.
Which partners are really a risk?
Gone are the days when big companies simply worked with a few similar-sized partners that had a comparable approach to security. Today’s multitude of partners can be any size, in any location. They are chosen for their innovation, efficiency or specific expertise, not for the size of their security budgets. This makes managing their cyber risk even more important, but also much more difficult.
Identifying and monitoring cyber risk across this large, heterogeneous group – and adding to it rapidly as new partners are brought on-stream – is a Herculean task that is rarely matched by the resources available.
Faced with a lengthy vendor list, businesses struggle to work out where to start, and most organisations default to focusing on tier 1, or top 100 suppliers. This raises the question of how these suppliers are identified. Are they the ones where the most money is spent, or the ones who provide the most mission-critical products or services? How much cyber risk comes from an entity based in an unstable political region?
Even if they restrict evaluation and monitoring to an arbitrary “top tier”, in-house teams face a heavy due diligence burden. As a result, many organisations are still stuck in a cycle of tick-box, point-in-time compliance activities such as vendor surveys and annual site visits. These are labour-intensive and time-consuming. Plus, in the post-COVID-19 world site access is likely to be limited and physical inspections are going to become much harder to complete.
On top of those limitations, the fast-changing threat environment means new cyber risk can emerge from any supplier, at any time. The aggregate cyber risk from the full vendor ecosystem is typically higher than the cyber risk from any single tier one vendor. Therefore, without continuous visibility into risk across their entire extended ecosystem, companies can’t gain the assurance needed to satisfy internal risk appetite and external regulatory requirements.
Prioritising risk in context of the business
Organisations that have progressed to a data-driven approach, using third party risk scoring products together with objective external insights such as threat intelligence, still face problems. For example, security ratings offer an independent benchmark, but this is not useful without the context of the entity’s relationship with your organisation: how essential is the product or service they are supplying, and what regulations are involved? These factors will influence tolerance for cyber risk. Therefore, if a company is of low importance in an unregulated area, a lower security rating may be acceptable. Integrating context and tolerance with external data feeds takes time and resources that few businesses have.
In-house teams monitoring security software also face an unending stream of alerts – again lacking context. They often don’t have the bandwidth or expertise to analyse and respond to every alert and piece of data relating to third party cyber risk. They need to triage incidents and focus on addressing material issues, while maintaining continuous visibility into the whole ecosystem so new threats aren’t overlooked.
In the face of the complex environment described above, it is clear that organisations need help to effectively manage third party cyber risk. A managed cyber risk service supports in-house teams by doing the heavy lifting of data collection and analysis in the context of the organisation’s risk tolerance, then recommending and executing the actions required to remediate problems. Experienced cyber security analysts help organisations cut through the noise and get continuous visibility across the whole vendor ecosystem, not just the top tier, so they can work out which partners constitute genuine breach risk.
Third party cyber risk is a growing concern as businesses continue down the path of digitisation in a high-intensity threat environment. The costs of a breach are high, but the scale of vendor ecosystems means full visibility into cyber risk is often beyond the capabilities of in-house teams. The businesses best able to protect their organisation and meet regulations will be those that seek external expertise to triage and manage incidents based on cyber risk tolerance and business context, freeing their in-house teams to focus on true cyber risk management.
Author: Ewen O’Brien, Head of 3rd Party Cyber Risk Services, BlueVoyant
Reference: Verizon 2020 Data Breach Investigations Report, accessed at https://enterprise.verizon.com/resources/executivebriefs/2020-dbir-executive-brief.pdf