Third parties: The risk management blind spot

December 10, 2020

Safeguarding an organization from cybercrime has become vastly more challenging given how digitized and, as a result, interconnected the world has become. Adding complexity to this already daunting scenario is the fact organizations have become perimeter-less, often finding they are compelled to grant access to internal systems and data to non-employees (contractors, partners, “things”). And at times, the number of those non-employees with access to sensitive information is greater than actual employees.

While providing access for third-party, non-employees is critical to meeting business objectives, it oftentimes has the unintended consequence of exponentially increasing an organization’s attack surface, increasing labor costs, and creating massive operational efficiency challenges for IT and HR departments.

Most enterprises make great efforts to monitor and manage cyber risk within their IT systems, but they struggle to extend that vigilance to third-party risk. In fact, data shows 59% of all data breaches can be traced to third parties, and only 16% of organizations say they can effectively mitigate third-party risks.

Third-Party Security Limitations and Challenges

One might think third-party governance systems, sometimes used for vendor assessments, could be used to manage the identity and access management aspects of the vendor relationship. However, most security vendors do not consider identity to be part of third-party management. Yet, organizations realize the risk of third parties the moment they provision access, whether or not it is measured, mitigated, or even known.

Today, it’s common practice for risk management teams to assess a third party’s risk controls by evaluating responses to a Standardized Information Gathering (SIG) questionnaire. Unfortunately, these vendor security assessments based on SIG answers may give the organization false confidence in a vendor’s actual security posture.

Additionally, onboarding processes that are usually automated for employees are often highly manual for third-party users. Manual processes may meet the minimum needs of smaller organizations, but for larger organizations or those in highly regulated industries (e.g., healthcare, financial services), these manual processes are time-consuming, costly, difficult to audit, and most importantly, error-prone -- expanding the potential for additional risk associated with third-party users.

Another area of risk is the overlapping ownership of third-party identity risk management. The Chief Risk Officer (CRO) or Chief Information Security Officer (CISO) is usually responsible for identifying, monitoring, and mitigating internal and external risks. In practice, third-party identities are often loosely managed via ad hoc processes, sometimes involving a collection of spreadsheets, databases, and tools. Many CRO/CISOs share the burden of managing these identities with other cross-functional teams and stakeholders that are not well equipped to manage risk, such as:

Human Resources: Centralized and focused on managing full-time employees
Procurement: Focused on managing contracts
IT: Focused on managing technology assets and access to those assets

Additionally, onboarding and account recertification responsibilities can sometimes fall to separate teams. The HR team handles onboarding, while account recertification may be handled by IT. The CRO/CISO may have limited visibility into the activity of other teams.

Mitigating Third-Party Risk

As organizations increasingly grant access to data and systems to an ever-expanding number of third-party users, and manage these users across multiple departments, it becomes imperative to prove these third parties are, in fact, who they claim to be. To minimize the risks third parties can present, organizations must improve the granularity, transparency, consistency, and agility of their third-party risk management effort.

Risk management teams can best ensure third-party risk falls within established risk tolerances by aligning those tolerances with an organizational-level risk appetite statement and implementing risk ratings at the vendor and user levels.

The primary responsibility for approving third-party identities should fall to the leader closest to the work effort (typically the user’s internal manager or the vendor sponsor), who can validate the ongoing need for access while the CRO/CISO maintains visibility.

Automated workflows can then be built and executed based on the rating, user type, or other factors. Such automation is essential because it creates consistency, limits human error, and avoids risky delays in the curtailing of access. These workflows should include a quick and easy way to verify the identity of any profile that is added in an organization’s system; for example, offshore third-party users requiring access to critical assets.

In addition, identity-proofing specific capabilities can further verify and authenticate the individuals or things accessing company data. Sophisticated solutions can enable IGA, PAM and other Access Management solutions to trust the identity and fill in existing gaps in multi-factor authentication and other step-up authentication methods.

More than half of all data breaches can be traced to third parties, according to a Ponemon Institute study. This can create a potentially long-term impact on an organization, including its brand reputation, financial viability, and ability to effectively compete in the market. With the proper identity-proofing practices and capabilities in place, organizations can easily and cost-effectively verify the identities of their users, support risk management initiatives and better protect critical assets – eliminating the third-party risk management blind spots.

David Pignolet is CEO of SecZetta. With nearly two decades of experience in application, network and data security, Pignolet founded SecZetta in 2006, putting together an experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market. Pignolet has founded two IT management and security companies working with medium and large enterprises in healthcare, finance and retail. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.