Organizations have to grant access to their systems or hand over data to their third parties so they can provide their services. This results in a significant increase in their surface for cyber-attacks. 67% of organizations surveyed by Forrester experienced a third-party risk incident in 2021 (ref.).
As every organization has to manage cyber risks resulting from internal resources, it is crucial to also keep in mind the risks resulting from their third parties. Recent cyber incidents and analyst reports underline the increasing need to consider these external risks in modern cyber risk management programs.
Nevertheless, the management of risks related to third parties can be different from the management of internal risks:
Organizations typically have much less insight into processes, controls, or security measures implemented by their third parties.
Implementing additional measures or changing existing ones is even more difficult, since additional commercial, strategic, or contractual aspects need to be considered.
To gain insight, there are, in general, two approaches an organization can follow to evaluate the cyber risk resulting from a third party:
“Inside-Out”: The risk is determined based on information provided by the third party itself. This is typically based on assessments to evaluate the implementation status of security controls.
“Outside-In”: The risk is determined based on publicly available data from sources such as social media, the Dark Web, or scans of public IP addresses. The third party is not involved directly. There are providers on the market that gather this information and provide the results to their customers.
Both approaches have value, but when used only by themselves, there are significant disadvantages.
An assessment necessary for the “Inside-Out” approach takes a considerable amount of time and resources from both sides and might slow down the organization’s agility. Additionally, it is expensive for both sides due to the manual nature of the assessment and validation processes. In addition, many organizations use bespoke or customized assessments, causing rework for the third party.
The “Outside-In” approach only takes a subset of publicly available information into consideration without allowing the third party to contribute to the accuracy and validation of the process. Additionally, this information might be inaccurate, if, for example, the ownership of IP address ranges changed, or the third party heavily relies on cloud services.
But what can organizations do about this? Is it really necessary to choose between “slow” and “inaccurate”? The good news is: No, organizations don’t have to choose. There are many ways to optimize.
Optimize your TPCRM
First of all, there are many ways to reduce the effort resulting from “Inside-Out” Assessments.
It’s always important to tailor the scope or level of detail. This could be based on the criticality of a third party or based on the type of service they provide.
There are providers on the market that offer an exchange-based approach for third party assessments: the provider performs an assessment for a particular third party only once and shares the results among multiple customers. This reduces both the cost and the time necessary to conduct an assessment and frees up resources to focus on analyzing and mitigating the risks.
Secondly, organizations can combine the two basic approaches and use an “Outside-In” approach to prioritize assessments. So, they can focus their time and effort on the critical risks that might harm their business.
One option is to use publicly available information as a starting point in the prioritization effort. Once critical and high risk third parties are identified, organizations can determine which companies require deeper assessment.
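The tiering and prioritization described above can be made explicit as a small triage rule. The following is an added example, not part of the original whitepaper or any provider's tooling: it assumes that each third party is described by its service criticality, the kind of access it has, and an "Outside-In" exposure score on a 0-100 scale (the score range and the thresholds are assumptions for illustration), and it uses that information to pick the depth of the "Inside-Out" assessment and to order the queue so the critical and high risk third parties are assessed first.

```python
from dataclasses import dataclass

# Assumed scale: 0-100, higher = more public exposure findings ("Outside-In").
OUTSIDE_IN_HIGH = 70
OUTSIDE_IN_MEDIUM = 50

# Assessment depth, from lightest to deepest ("Inside-Out" scope tailoring).
SELF_ATTESTATION = "self-attestation"
TARGETED = "targeted"
FULL = "full"


@dataclass(frozen=True)
class ThirdParty:
    name: str
    criticality: str              # business criticality of the service: low/medium/high
    handles_sensitive_data: bool  # data handed over to the third party
    has_system_access: bool       # access granted into the organization's systems
    outside_in_score: int         # constructed exposure score, 0-100


def inherent_risk(tp: ThirdParty) -> int:
    """Inherent risk from what the third party does and is given, independent of any findings."""
    base = {"low": 1, "medium": 2, "high": 3}[tp.criticality]
    base += 1 if tp.handles_sensitive_data else 0
    base += 1 if tp.has_system_access else 0
    return base  # 1..5


def assessment_tier(tp: ThirdParty) -> str:
    """Choose the assessment depth: inherent risk sets the floor, Outside-In findings can raise it."""
    risk = inherent_risk(tp)
    if risk >= 4 or (risk >= 3 and tp.outside_in_score >= OUTSIDE_IN_HIGH):
        return FULL
    if risk >= 2 or tp.outside_in_score >= OUTSIDE_IN_MEDIUM:
        return TARGETED
    return SELF_ATTESTATION


def prioritize(parties: list[ThirdParty]) -> list[tuple[str, str]]:
    """Order the assessment queue: deepest tier first, then highest exposure, then highest inherent risk."""
    rank = {FULL: 2, TARGETED: 1, SELF_ATTESTATION: 0}
    ordered = sorted(
        parties,
        key=lambda tp: (rank[assessment_tier(tp)], tp.outside_in_score, inherent_risk(tp)),
        reverse=True,
    )
    return [(tp.name, assessment_tier(tp)) for tp in ordered]


# Constructed sample portfolio (names and scores are made up for the example).
SAMPLE_PORTFOLIO = [
    ThirdParty("payroll-saas", "high", True, False, 35),
    ThirdParty("managed-network", "high", False, True, 82),
    ThirdParty("print-shop", "low", False, False, 10),
    ThirdParty("marketing-agency", "low", False, False, 64),
    ThirdParty("ticketing-tool", "medium", False, True, 20),
]

if __name__ == "__main__":
    for name, tier in prioritize(SAMPLE_PORTFOLIO):
        print(f"{name:18s} -> {tier}")
```

The point of the ordering is that the Outside-In score never replaces the assessment; it only decides who gets the deeper Inside-Out questionnaire first, which is the combination the text recommends. Thresholds and weights should be set to match the organization's own risk appetite.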
Some providers offering an exchange-based approach for third party assessments offer predictive assessments. Using their exchange database built on standardized assessments, they can predict how a third party will respond to an assessment by comparing answers from companies similar in size, industry, geography, and other identifying firmographics.
And finally, organizations can define a level of risk they accept with respect to preventing an event from occurring. For a customer it is close to impossible to prevent a highly targeted attack like the one carried out via SolarWinds back in 2020. For these kinds of attacks, it makes much more sense to strengthen an organization’s cyber resilience by integrating a specific third party view into existing measures to detect, deal with and quickly recover from a cyber-attack.
This is the first issue of our CISO READ whitepaper on third party cyber risk management (TPCRM). There will be another one containing recommendations on how to integrate TPCRM into existing processes like purchasing, ISMS or Vendor Risk Management in general. Stay tuned.
If you want to have a chat with us about the topic, reach out to us. We are happy to help improve your process and come up with ideas.