Instagram, Marriott and General Electric all have one thing in common this year, they have experienced data breaches as a direct result of their third-party vendors. As a direct result of their selection of third-party vendors, these large organizations have suffered at the hands of threat actors. This stark reality has been eluded to in previous Packetlabs articles regarding the trend by which threat actors target managed service providers (MSPs) as a means to gain access to one or more of their clients. In the last few years, this attack vector has become increasingly attractive to threat actors as it allows them to hide their true motives and targets, in stealth, which provides them with a significant advantage in achieving their objectives.
Defining the Third-Party Sources
In everyday commerce, a “third-party source” refers to a supplier, or service provider, who is not controlled by either the seller, or first-party, or the customer, the second party, in a business transaction. The third-party source acts independently of the first two parties. Sometimes, there are multiple third-party sources engaged in any given transaction, between the first and second parties.
In Information Technology, a third-party source refers to a supplier of software which is independent of the supplier and customer of the product or service, for example, a payment vendor such as a credit card provider or a financial institution.
In e-commerce, third-party source refers to a seller who publishes products on a marketplace, without this marketplace to own or physically carry those products. When an order comes in, a third-party source seller has the item on hand and fulfills the request. A well-known example of third-party sources are e-merchants participating in Amazon’s fulfilled-by-merchant (FBM) program.
New Sources, New Risks, New Challenges
From suppliers to software providers to service providers, progressively more, we are seeing businesses extend their risk profiles by engaging third parties as a means to gain a competitive advantage. As some have deemed this trend the ‘rise of the extended enterprise’ – companies relying on a network of third-party vendors to provide them with organizational value and a competitive advantage must come to terms with the reality that this effectively extends the risk vectors for a given organization. Thus, a process of third-party risk management is essential for business continuity and organizational integrity.
Over the past several years, the use of third-party vendors (TPV) has increased exponentially, even more so in the last year with COVID-19 pandemic placing new demands on organizations. More frequently, companies outsource even primary functions to improve efficiencies and financial savings. However, in doing so, organizations risk exposing themselves to new risks. Going forward, the greatest challenge for organizations will be to provide and enable the appropriate supervision and management of these third-party risks TPVs inherently bring along with them.
The Mastercard Report
Recently, Mastercard’s RiskRecon and the cybersecurity research firm Cyentia Institute organized and issued a new report analyzing third-party risk management programs (TPRM), learning that organizations are using a countless array of vendors, however, their true understanding of each ones’ cybersecurity posture remains a significant challenge.
The “State of Third Party Risk Management” report examined 154 third-party risk management professionals and discovered that they evaluate a median of 50 vendors every year, with most enterprises reporting having a TPRM program for about five to six years. More than 60% said managing such risk has become a developing priority for their organization. According to respondents, 31% of vendors are considered a significant risk factor in the event of a breach. As a consequence, 79% of organizations have developed, formal programs in place to manage these third-party risks.
“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,
Kelly White, CEO and co-founder of RiskRecon.
RiskRecon CEO, Kelly White, notes that, in a progressive manner, third-party risk teams are adopting risk management strategies aimed at protecting their internal enterprise. The strategies involve the rapid procurement of analytics and objective data that will allow each vendor to evaluate the quality of each third-party vendor’s risk management processes. For example, instead of simply taking a vendor’s word that they are adequately secure in their risk posture, purchasing vendors are procuring security rating assessments, such as penetration test reports, to objectively assess the security posture of each potential vendor. This allows them to gain a greater understanding of the inherent risks involved in conducting business with third-party vendors.
To emphasize the significance and heavy reliance on TPRM programs, respondents to the survey were split into categories. Nearly one-third of organizations assess fewer than twenty-five vendors per year, another third assessing between fifty and one-hundred vendors per year, and lastly, the final third assessing over one-hundred vendors per year. Amongst these organizations, the average response indicates that nearly one third of third-party vendors would pose a significant threat if their operations were breached. In fact, although only 10% of respondents indicated their organizations had suffered a breach as a direct result of a third-party compromise, over 30% preferred not to answer. Their hesitation speaks for itself.
Due to the rise in frequency of data breaches, two-thirds of respondents indicated that TPRM programs were becoming a top priority for their organizations and nearly 80% said their company had instituted a formal program designed to tackle the concern.
Third-party Risk Assessment Management
A rather frightening form of Third-party Risk Assessment involves the use of questionnaires, and surveys, which poses further risk and conflict of interest. In fact, the study indicates that 84% of respondents said they used questionnaires as the main risk assessment method and another 69% indicated the use of documentation review. The obvious concern with questionnaires is the honesty and integrity of the respondent’s answers. For over 80% of respondents, at least 75% of their third-party vendors pass these questionnaires, however, only 33% of respondents said they believed responses vendors provide to TPRM questionnaires.
“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,”
Wade Baker, partner and co-founder of Cyentia Institute
Based on the understandable apprehension to accept the results collected through these surveys, many organizations are investing in the leverage of more objective measures of assessment data, such as penetration testing and other unbiased measures that can provide an organization with significantly more confidence in their third-party vendor security.
Logically, managing third-party risk is an enduring process. There are incredible benefits to be gained from incorporating the extended enterprise. Today’s competitive business environment demands it. Great control and assessment must go hand-in-hand, mitigating risk while enhancing rewards, and positively impacting your organizations’ bottom line, and ultimately, preserving its reputation.
If your organization operates as a third-party, in business transaction, contact us today to learn more about how Packetlabs can help to enhance, mitigate and demonstrate the security posture of your service offerings!