It’s Time to Rethink Third-Party Risk Assessment

Share This Post

COMMENTARY

December marked the third anniversary of one of the industry’s most headline-making data breaches, SolarWinds. While the immense cost and recent legal filings from this highly damaging 2020 supply chain attack put a spotlight on the importance of third-party risk assessment, bad actors continued to exploit third-party software.

According to Forrester Research’s 2022 security survey, supply chains are the top breach cause. For example, the number of organizations impacted by the MOVEit supply chain hack is close to 3,000 — and that number is growing. It’s time to re-examine your current third-party risk assessment program and adopt new best practices to reduce your risk. 

The Rise of SaaS Subscriptions

Third-party risks have never been higher. Industry analyst firm Gartner recently revealed that, despite increased investments in third-party cybersecurity risk management over the past two years, 45% of organizations experienced third-party-related business interruptions. How did we get here? According to Gartner, 60% of organizations work with more than 1,000 third parties. On average, organizations use over 370 software-as-a-service (SaaS) applications; the average department now uses 87 SaaS applications. With every new application, the attack vector increases. The scale of the problem is enormous.

In the past, enterprise software procurement was a long, drawn-out process with a lot of oversight. While sometimes tedious, long enterprise sales cycles provided an opportunity for proper due diligence, so organizations didn’t onboard too many third-party systems. With the proliferation of SaaS, it’s easier for organizations — and individuals — to add new software subscriptions than ever before, sometimes with little oversight or risk assessment.

The volume and velocity of SaaS subscriptions is one of the biggest reasons why organizations have so many third-party vendors now. The decision-making power to purchase and onboard these applications is increasingly decentralized; from individual employees who just want to participate in a software free trial to authorized team members. Third-party solutions are being brought into an organization through many avenues, which has only increased the security challenge and made risk assessment more difficult.

With the emergence of productivity-enhancing tools powered by AI, we can expect the SaaS sprawl — and associated third-party risk — to rise. Moreover, there is a growing demand among employees for innovative, consumer-grade products. While organizations might prefer to consolidate their vendor relationships, employee demand for top-tier products could counteract this effort, continuing the momentum in vendor onboarding.

A Path Forward for Better Third-Party Risk Assessment

One of the biggest myths about third-party risk assessment is that it’s a one-time activity. Many organizations mistakenly treat it as a checkbox exercise, conducted only during the initial vendor onboarding process. This approach overlooks the dynamic nature of risk, failing to account for changes over time in the third-party’s business practices, security posture, or the regulatory environment.

To increase efficiency while reducing risk and to improve third-party risk assessment, organizations should take the following steps:

  • Classify vendors based on the level of risk they pose. Focus more intensive assessments on higher-risk vendors while applying streamlined processes for lower-risk ones. 

  • Shift from periodic reviews to continuous monitoring of third-party risks using real-time data feeds. This helps to promptly identify and respond to emerging risks. 

  • Develop standardized procedures and templates for risk assessment to ensure consistency, reduce redundancy, and speed up the assessment cycle. Create a system that automatically reminds you when a vendor is due for risk assessment.

  • Ensure third parties comply with international data privacy laws and regulations, which can vary significantly by region. 

  • Evaluate third-party preparedness to respond to security incidents or operational disruptions.

  • Consider fourth-party risks posed by the subcontractors or partners of an organization’s third-party vendors, which can significantly impact the risk landscape.

  • Assess the robustness of the third-party’s supply chain against disruptions and their impact on the organization’s operations.

  • Expand risk assessment programs to match business growth and an increasing number of third-party relationships. 

  • Implement advanced technologies like AI and machine learning for automated data collection and analysis, and utilize AI to help develop the right questions to ask your vendors. Embrace cutting-edge technology and automation processes to combat the magnitude of the challenge and rapidly secure at scale.  

Conclusion

As organizations continue to onboard new vendors, supply chain and other third-party risks will continue to climb. By continuously evaluating and updating your organization’s third-party risk assessment program, you can significantly improve your security posture and hopefully make sure your company doesn’t have the next headline-making incident. 

https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt998aabe7fc2549e3/64f175d1613b5e0e0ef07b64/Risk_Andriy_Popov_Alamy.jpg?disable=upscale&width=1200&height=630&fit=crop

This post was originally published on this site

More Articles

Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.

Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.