The current cybersecurity landscape requires an agile, data-driven risk management strategy to deal with the ever-expanding third-party attack surface.
When a business outsources services by sharing data and network access, it inherits cyber risk from its vendors through their employees, processes, technology, and that vendor’s own third parties. The typical company works with an average of nearly 5,900 tiers, which means companies face a huge amount of risk no matter how well they secure their own bases.
For example, 81 individual third-party incidents led to more than 200 publicly disclosed breaches and thousands of ripple effect breaches throughout 2021, according to a report by Black Kite.
The current outside-in approach to managing third-party risk is inadequate. Instead, the industry needs to move toward a new approach to third-party risk management by initiating conversations beyond outside-in assessments. Specifically, companies must establish zero-trust principles for all vendors, assess risks on external and internal assets with inside-out assessments, and measure cyber risk in real time.
The “never trust, always verify” zero-trust principle has been widely adopted to manage internal environments, and organizations should extend this notion to third-party risk management.
To manage this inherited risk, companies need to view suppliers as subsets of their own business.
The imminent threat
The amount of critical data and information a company shares with its suppliers is staggering. For example, a company can share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers to share with insurers, and allow marketing agencies to access customer data and personally identifiable information (PII).
That’s just the tip of the iceberg, and most companies don’t know the true size of the iceberg. In a survey conducted by the Ponemon Institute, 51% of companies surveyed said they do not assess the cyber risk posture of third parties before allowing them access to confidential information. Additionally, 63% of companies surveyed said they lack visibility into what data and system configurations vendors can access, why they have access, who has permissions, and how data is stored and shared.
This vast network of companies sharing real-time information results in an attack surface that is becoming increasingly difficult to manage. To address this challenge, companies are adding cybersecurity initiatives such as questionnaire-based onboarding surveys and security assessment services to their third-party risk management strategies.
While these tools have definite use cases, they also have serious limitations.
Cybersecurity assessment services are a fast and cost-effective approach to third-party risk assessments. Their simplicity – representing a provider’s cyber risk as a score, like credit scores in financial services – makes them a popular choice, despite the limitations.