Data security risk through third parties is a pervasive problem few organisations are managing well, according to consultancy firm Booz Allen Hamilton.
There is a growing list of examples of data breaches that can be traced to third-party suppliers, from the Target breach in 2013 to more recent cases such as insider trading by hacking newswire services.
“Even the US Internal Revenue Service [IRS] data breach was due to the compromise of a feature on its website that was hosted by somebody else,” said Drew Wilkinson, senior associate and cyber risk expert at Booz Allen Hamilton.
“The problem is pervasive, but failure to deal with it is due to some pretty basic failings, such as organisations not knowing all their suppliers,” he told Computer Weekly.
According to Wilkinson, many organisations do not know which third-party supplier contracts are active, what information suppliers have access to and what the most critical data assets are.
“Organisations should spend time securing the most valuable data and knowing who has access to it,” said Wilkinson.
Monitoring third parties
Beyond that, he said, few organisations are managing third-party and supply chain cyber risks on a regular and ongoing basis.
“A lot of effort is put into setting up the initial relationship, but organisations typically select a supplier that is low-risk to begin with and there is no provision for monitoring how or if that changes,” he said.
Wilkinson said organisations need to recognise a lot can change after a supplier is first selected, which means low-risk suppliers can become high-risk over time.
“This is not a back-office operation that can be set once and work well for the next five years – you have to continually re-evaluate and re-assess as things change,” he said.
According to a Booz Allen Hamilton report, the majority of third-party risk incidents at an organisation are likely to occur in an existing relationship.
These existing relationships are often under-managed due to poorly understood key risk indicators, difficulty in obtaining relevant and timely information and limited relationship manager dedication or training, the report states.
As part of a continuous monitoring process, organisations should question whether a supplier is still the best choice available, whether a supplier’s performance is meeting expectations, whether cyber controls have been as effective as originally assessed and whether changes in the organisation’s operations or external regulations have created new requirements.
“Make security controls a requirement for suppliers that have access to highly sensitive information and require them to adhere to the same data handling processes and procedures as the organisation,” said Wilkinson.
However, Wilkinson emphasised the same requirements should apply to all suppliers, citing an example of a financial services firm that had excluded legal services from its general procurement process in the interests of saving time.
“But because this was not part of the general procurement process, contracts with legal firms were not subjected to any of the company’s standard cyber security reviews, which is extremely risky considering the sensitive nature of company data normally handled by legal firms,” he said.
Typically, companies struggle to obtain the information they need and translate that into risk decisions aligned with corporate risk appetite.
However, according to Wilkinson, it is possible to mitigate cyber and other risks from suppliers by making third-party risk management an integrated function of the business.
Collaborate against risk
In addition to ensuring that the same diligence performed at the time of hiring a supplier is continued on a regular basis, there are several ways of mitigating third-party risk.
First, organisations need to follow the hackers’ example and work collaboratively to share information about risks internally with other departments and externally with industry peers.
“Attempting to hide information breaches by not talking about incidents is likely to make the same thing happen again,” said Wilkinson.
He recommends organisations join local and international information sharing and analysis centres (ISACs) or community-level equivalents to raise awareness of risks.
“Sharing information about attack methods can help whole industries be better at avoiding, detecting and responding to cyber threats,” he said.
Next, organisations can improve their assessment process by incorporating historical performance from an independent source, rather than relying on supplier self-assessments of things such as data security controls.
Continuous external data feeds can reduce the difficulty and cost of acquiring meaningful data and allow relationship owners to make operating decisions while knowing the risk consequences, according to the Booz Allen Hamilton report.
Wilkinson said other common challenges include the tendency of organisations to focus on process compliance instead of risk management, a poor understanding of inherent risk due to limited resources to monitor and manage risk and a failure to recognise that risk management can only be as good as the organisation’s ability to operate it.
“Companies often make significant investments in a risk methodology and supporting process that is not sustainable or even operable. The emphasis is on designing the process rather than operational efficiency.
“It is important to consider who will perform assessments, the related operating budget and the acceptable performance standards, such as assessment cycle time, into the methodology and process design,” he said.
Just as automakers started treating their suppliers as being integral to the business, Wilkinson said other industries need to ramp up the trend of treating suppliers as part of their own organisation or an extension of the team and involving them in processes from the design stage.
“We are seeing this mainly in the financial sector, but also in the retail, life sciences, pharmaceutical and energy sectors as organisations begin to understand the value of their data,” he said.
Finally, Wilkinson advises organisations to use technology to their advantage to provide the right information at the right time so risk owners can apply their limited time to making decisions, rather than performing research or other administrative tasks.
According to the Booz Allen Hamilton report, organisations can use open-source technology with learning algorithms to identify discrete supplier risk events from across the internet and social media.
These risk events can be categorised by risk type, tracked over time and summarised in a simple review for risk owners to take decisive actions, the report said.
Big data analytics can also be used to tackle the challenge of aggregating information from multiple sources, risk domains or business units into an enterprise level view of risk by finding commonality between disparate sources without “cleaning” or normalising all the source data, saving significant time and cost, the report said.
Educating users about risk
Wilkinson believes many organisations still have a long way to go in understanding that the world is changing and information security is becoming increasingly important.
“Twenty years ago, there was no training on how to protect data and there was no need for a chief information security officer. But people are becoming more educated on this issue and education is one of the things that will help prevent third-party cyber risk in the future,” he said.
The problem, he said, is that even where there are groups of people in organisations who understand the threats and set the policies, it is left up to users to execute those policies.
“Users do not always understand the dynamics of threats that are changing all the time or what information might be valuable to attackers,” he said.
Wilkinson believes information security risks need to be understood by everyone in an organisation so users, including those who are managing third-party supplier contracts, can become an effective first line of defence.