We will continue to see cyber breaches in the supply chain because most approaches to third-party risk management adopt the same thinking that has failed to drive down security risk over the last 20 years – by focusing on the maturity of policies and controls, third-party risk management (TPRM) fails to do what it ‘says on the tin’ and actually manage risk.
Risk in the extended enterprise
In a deeply interconnected world, third-parties, vendors and suppliers no longer sit outside of an organisation’s risk and security environment – many need to rely on outsourcing to create the innovative products and services critical to success in today’s marketplace. And with ever-evolving techniques, cyber criminals can now cause more damage ‘from the outside’, exploiting vulnerabilities that may slip through the cracks of this delicate balance of interdependencies. Organisations may also be vulnerable to events ‘on the inside’ at third-parties, such as disaffected employees, process failure or technical disruption.
Security breaches through third parties have become increasingly common. According to a 2021 report by Ponemon Institute, 51% of businesses have suffered a data breach caused by a third party. The severity of an attack or breach through a third-party is not to be ignored, with the average financial impact of this category of incident reaching $1.4 million in 2021, according to Kaspersky’s annual IT Security Economics report. This makes third-party incidents the most costly enterprise data breaches.
In the current climate organisations must understand the genuine business risks that they face from supply chain and third-party relationships. Keeping these risks down to a tolerable level reduces the chances of incurring unexpected costs, reputational damage or even an existential crisis. This is where TPRM should come in, helping organisations zero in on identifying and managing material risks across the supply chain.
Doubling down on a failing strategy
Most TPRM programmes are centred around due-diligence onboarding questionnaires which attempt to provide some assurance around the policies, processes and controls, and therefore the general maturity of third-parties.
According to an article from Security Boulevard “One of the most important measures you can take to keep your data safe is to thoroughly analyse your vendor’s cyber security risk before you onboard them. Make sure to check the vendor’s cyber security policies, controls and procedures for performing a thorough assessment of their cyber security posture. Avoid providing the vendor with access to PII data before estimating the cyber risk they pose”.
“The misconception that an organisation’s security posture, as measured by the maturity of security policies, procedures and controls reduces business risk goes to the heart of the problem that we have had with cyber security for the last 20 years”, says Acuity CEO and Co-Founder Simon Marvell, drawing on his 30+ years of experience in helping businesses improve their security and manage risk.
“Businesses have spent vast sums on assurance, compliance and auditing of policies and controls, but losses from cyber breaches haven’t been driven down, instead they continue to go up”.
A 2019 report by the global management consultancy, McKinsey refers to the maturity-based approach to cyber security as a ‘dog that’s had its day’, yet we are now replicating exactly this approach across hundreds and thousands of third-parties in our supply chain. Talk about doubling down on a failing strategy!
In fact, applying a maturity-based approach to third parties is even worse than applying it internally because (in most cases) the data is collected only once, during onboarding and can be out of date shortly afterwards. It is also prohibitively expensive to validate questionnaire responses and vendors’ security teams, overwhelmed by a deluge of questionnaires from customers are under pressure from the sales director to respond quickly with the ‘right answers’.
Therefore, we find ourselves in the situation where organisations are collecting large volumes of dubious and unverifiable data. While it may tick a box for compliance, legal or audit almost nothing has been done to understand and manage real risk to the business.
The ‘risk-based approach’ to TPRM
If management truly wants to manage its third-party risks it needs to take a risk-based approach.
Measuring cyber security posture by looking the maturity of policies, processes and controls is not a risk-based approach. Neither is tiering of third parties based on type or volume of data held and asking tougher maturity questions to Tier 1 vendors.
A risk-based approach identifies the specific risks that could cause material damage to an organisation and then works to keep these within tolerance. These material risks will be those that could result in a material and unacceptable impact on achievement of business objectives. There won’t be many third parties posing a material risk and there won’t be many material risks in total – if there was you would already be out of business.
According to Marvell, start with a clear understanding of business objectives, identify the specific risk scenarios that could materially affect achievement of those objectives. Validate this by measuring the risk, usually in financial terms – it’s what the business understands and even ‘hard to quantify’ impacts, such as reputational damage, have a way of appearing years’ later as a financial cost, e.g. from increased customer churn.
Having validated the material risks, discuss with the third-party and agree on the specific policies, processes and controls that will keep the risk at a tolerable level. Then work collaboratively with the third-party to ensure that these policies, processes and controls are properly implemented, tested, maintained and monitored. You might agree on monthly or quarterly metrics which demonstrate that the risk remains under control and tolerable.
Every other vendor or risk scenario that isn’t material to achievement of business objectives can be addressed through contract, which may require adherence to legislation, regulations and codes of practice but which doesn’t require the collection of data on the maturity of general policies, procedures and controls. This will allow resources to be redirected to addressing material risks.
Finally, remember the uncertainty in risk and that events and losses will occur in the supply chain, many of which are immaterial and a cost of doing business. It’s the material losses that we need to worry about and by focussing on these we can deliver better security at lower cost and help our organisations to thrive.