Third party risk has long been an important concern for Governance, Risk, and Compliance (GRC) executives. After all, every company depends upon a vast ecosystem of partners, suppliers, contractors, and other third parties for the day-to-day operation of its business. Any one of them might present a risk to the organization.
Such risks are both varied and complex. Strategic risk results from adverse business decisions. Operational risk is the risk of loss from failed processes, technology, or people. Reputation risk arises from negative public opinion. Transaction risk comes from problems with products and services. Credit risk is due to third parties not paying their bills on time. And lest we forget, compliance risk is the risk arising from not following laws, rules, or regulations.
Any of these risks may involve third parties – and in fact, third parties exacerbate any organization’s risk profile, as they are outside the control of the organization.
The GRC Context for Cybersecurity Risk
When the interactions with a third party are electronic – and in today’s digital business climate, most of them are – then cybersecurity risk becomes part of the GRC challenge as well.
However, cybersecurity risk isn’t a risk category separate from the ones listed above. In fact, all of the third party risks on our list might be cybersecurity risks, especially as organizations proceed with their digital transformation efforts.
The result: third party risks expand every organization’s cybersecurity threat surface. A threat surface consists of all the different points or the ‘attack vectors’ where an attacker can attempt to penetrate or exfiltrate data from an environment.
Don’t let the word surface fool you, however. The term dates from the days when organizations relied on their firewall-based perimeters for security – as though they could put a bubble around their companies, deflecting attacks at its surface.
Today, third party risks have popped the bubble for good, as the threat surface is now varied, complex, and dynamic. In fact, third parties have extended the threat surface in three fundamental ways:
- Targeting less secure, ostensibly low-risk parts of the network. The notorious 2013 attack on retailer Target brought this attack vector into the public consciousness, when a hacker compromised a heating and cooling contractor’s system and then moved laterally within Target’s network in order to exfiltrate valuable data.
- Exploiting the value chain. Transactions with both suppliers as well as customers in both B2B and B2C contexts are increasingly electronic. Furthermore, in some industries, relationships along this value chain are becoming increasingly intimate. For example, vendor-managed inventory in retail puts suppliers in privileged roles on internal retail store networks.
- Poking holes in the digital ecosystem. If you view the source of any corporate home page – especially those of transactional, B2C companies – you’ll find dozens of third party widgets, tags, plug-ins, and ads. All an attacker needs to do to compromise the main site is to find a weakness in one of these ecosystem add-ins.
Clearly, the only way to manage third party risk overall is to manage this modern threat surface. And yet, earlier generation cybersecurity tools that presume that the organization stops at the corporate perimeter are simply ineffective.
LookingGlass Cyber Solutions offers a next-generation threat intelligence, mitigation, and prevention solution that the vendor has built from the ground up to deal with third party and enterprise risk.
To accomplish this difficult task, LookingGlass leverages big data approaches to collecting and analyzing vast quantities of threat-related information in real-time. This analysis then feeds its threat response capabilities and threat intelligence services.
The Intellyx Take
Expanding cybersecurity threat detection and mitigation to third party attack vectors reduces more than cybersecurity risk – it reduces third party risk overall.
In today’s increasingly digital business environment, the distinctions between the more technical conversation of cybersecurity and the business-oriented GRC discussions are becoming blurred.
For example, New York State’s new cybersecurity regulations – formally known as Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) – requires a wide range of different types of financial services firms to tighten their cybersecurity practices.
This regulation went into effect on March 1, 2017, immediately impacting New York-centric industries like banking and equities markets, but in fact, driving increased cybersecurity efforts for any company doing business in the state.
This regulation focuses in large part on third party risk, and brings the worlds of cybersecurity and GRC together into a single business context.
The bottom line: third party risks have transformed cybersecurity risk, and mitigating such risks aren’t simply the domain of the CISO anymore. The entire C-suite must now take notice – and take action.