Cyberattacks have always been around, but recently they've been on the rise, especially when it comes to third-parties. What is the best way to safeguard your company against these risks? Pat Moran gives five practical steps on the best way to manage third-party cyber-security plans.
Cyberattacks and data breaches are rarely out of the news, and when they do occur, they have wide-ranging impacts. In response to an ever-evolving cyberthreat landscape, many Irish firms have made significant investments to strengthen their cybersecurity capabilities. I’ve seen clients deploying new technologies, developing new capabilities, and implementing new security processes, all to increase the cyber-resilience of the organisation.
However, focusing on what's inside your company is only part of the challenge. Any firm's security posture is only as strong as its weakest link. And very often, the weakest link exists outside your organisation.
While it's not a new concept, more and more firms are engaging with third parties to reduce costs, enhance performance or avail of a specific skill set that they don't have. The term 'third party' can be used interchangeably with 'vendor', 'supplier', 'partner' or 'outsourced provider'. Regardless, they mean the same thing: an increased risk of cyberattacks for your organisation.
The COVID-19 crisis has only reinforced how dependent most organisations are on an interconnected ecosystem of third parties to run their business. We've seen firms across all sectors struggling to get visibility on the resilience of their supply chain to ensure that the lights can be kept on. Suppliers are facing the same challenges of getting their workforce connected securely, adhering to security policies and maintaining a culture of cybersecurity awareness. All of this is against the backdrop of a heightened threat landscape. Opportunistic cyber-thieves are looking to take advantage of the uncertainty created by the crisis.
When you're operating in an interconnected environment with third parties, the attack surface is expanded for cybercriminals to launch an attack.
You can outsource almost everything but accountability
PwC’s Global Economic Crime and Fraud Survey 2020 highlights that one in five respondents identified vendors and suppliers as the source of their most disruptive external fraud. Half of the respondents lacked a mature third-party risk management programme and 21% had none at all. This highlights the size of the challenge faced by firms. And when a third party has an incident that impacts the security of your customers' data or impacts your ability to deliver a service, your customers don't see the distinction. You can't outsource accountability.
To compound the matter further, all of the above is happening in the face of the pressures of reducing costs and improving efficiency, along with increased regulatory expectations.
To navigate some of the above challenges, below are some practical steps your organisation can establish to manage the risk of cyberattacks caused by engaging with third parties.
1. Establish your operating model
Developing your operating model and framework is the foundation of effective third-party risk management. The operating model should outline the governance and reporting requirements over your third parties, how to determine the criticality of each third party, and what technology can be leveraged. For mature or regulated entities, a centralised program likely already exists, but the security team should be active participants. For less mature organisations, the security team might be the driver.
2. Identify your inventory
Creating a complete and accurate inventory of your third parties is a prerequisite for effective risk management of your supply chain, including your fourth and fifth parties (also referred to as chain outsourcing).
3. Plan before you engage
Before you bring a prospective third party on board, invest time in understanding their security posture. Do they meet your minimum security expectations and standards? If not, do they have other mitigating plans or processes that will give your organisation more comfort?
Not all products or services lend themselves to outsourcing, so make sure to develop a robust planning process, where assumptions can be challenged, to ensure that outsourcing or engaging a third party is not outside the risk tolerance of the firm. Security requirements should be baked into contracts and service level agreements.
4. Monitor, monitor, and then monitor some more
The most time- and resource-consuming activity is typically your ongoing monitoring and governance. The security team should be included in weekly or monthly operational meetings for critical third parties, and risk assessments should be performed at least once a year for all your third parties. Tooling and ratings services are now common on the market to support this.
5. Exit gracefully
With all the right intentions and robust processes in place, surprises still happen. Be prepared with a backup plan if services cannot be provided by a third party, or if you need to exit the arrangement with little notice.
Pat Moran is a Partner in PwC.