“Third-Party Risk Management Requires Continuous Insight”
Managing third party cyber security risk, or “supply chain assurance”, is not a new topic, in fact we’ve discussed it before here. The concept of ensuring your suppliers will protect their IT systems and the data that you exchange with them is no longer unreasonable. As Forrester says in the key takeaways in their recent research “Third-Party Risk Management Requires Continuous Insight” – the quote from this posts title..
Commercially enforceable undertakings to comply with common security policies/frameworks, maintenance of equivalent security postures and the submission to the requirement for cyber compliance audits across supply chain partners, are increasingly common.
Third Party Cyber Assurance
The usual way of building trust across the supply chain is the definition of or alignment to a standard; coupled with a review process to assure compliance of those controls is in place. This can take a number of forms, even within a given organisation.
Self-assessment questionnaires are one approach. Asking suppliers to respond to a set of questions or attestations that can then be assessed (or used as risk assessment drivers based on the answers) for cyber security adequacy is prevalent. Sometimes the delivery and response to these questionnaires can be automated with the results tracked; and any exceptions red flagged for further assessment by security experts, if necessary.
This type of assessment provides a measure of risk, although increasingly self-assessment is being seen to be a less reliable measure of cyber posture than a more independent audit process. Whilst the limitations of self-assessment may not be the end of the world; complications resulting from assessments that are subsequently shown to be inadequate, incorrect or over optimistic – are less than ideal.
That is why many organisations are now seeking to undertake these assessments themselves or via third parties, to deliver a level of assurance only available from independently audited control measures such as SSAE 16 or ISO27001.
The challenge, however, is that these audits are expensive for both the customer and the supplier organisation; particularly where there is the need for multiple party audits across the supply chain. Another more fundamental problem is that these audits, by definition, are “point in time assessments”. Their measure of compliance to the agreed set of controls occurs at a particular point in time; and is therefore only truly valid at the time of the audit. The next day, even a small environmental change may render the audit obsolete. This type of security audit is not fit for purpose.
Even when the combination of questionnaires, standards and bespoke audits are more frequent (and more expensive), as a result of greater assessed risk, it’s far from a perfect process. Key corporate participants as well as new regulations, like GDPR, have a part to play in better supply chain cyber risk mitigation.
The recent news of data leaks from the automotive industry (via an insecure, third-party backup service) really does underline the importance of this topic – read about that here.
“Over 60% of attacks come through supply chains” – HBR, July 2018
A recent Harvard Business Review article, highlighted the “crying need to enlist supply chain management departments” to help solve this cyber security challenge:
“….According to our research, over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010……”
Messrs Rogers and Choi cite the 2014 Target cyber breach as originating from a small air conditioning contractor’s IT system; where hackers penetrated the smaller company in order to access Target. The result of which caused $162 million in damage.
They propose the following strategies be part of the procurement function:
- Embed cybersecurity measures in contracts with third parties;
- Limit suppliers’ access to IT systems;
- Work with competitors; and
- Hold supply managers accountable.
These are all valuable strategies and agreeing industry standards or common frameworks across supply chains will standardise the audit process. It will also limit the cost of ongoing assessments and audits.
Any procurement driven approach, however, should be augmented with cyber security frameworks and expert oversight, that validate the presence of key controls and data safeguards– irrespective of any contractual obligations.
GDPR quotes: “Third parties are very often the weak link” – IAPP
For any organisation that trades with the EU or holds its citizens’ data there are some key changes in the way supply chain risk works. See this piece by the International Association of Privacy Professionals (IAPP).
The data controller (that is, the company with the direct relationship with the citizen) used to have sole responsibility/liability for the safeguards. In the past they were expected to enshrine these obligations in downstream/supplier/service provider contracts and validate/audit that they were up to scratch. The data processor didn’t have legislated responsibilities beyond this.
Under GDPR, however, either the controller or the processor (or both) could be held liable in the event of a breach. The processor takes on direct legal obligations under the regulation as well as a contractual risk. This may in part alleviate the controller of some third party/supply chain cyber security risk because it can now share the blame.
Cyber Security Quotes: “Continuous Measurement of Risk” – Forrester
If the key premise is that robust policies, efficient supply chain management and a structured, risk-based audit and assessment regime will improve supply chain cyber security management; an obvious improvement would be to reduce the level of labour-intensive work by automatically delivering these outcomes continuously and in real-time.
A recent Forrester Research report on the measurement of third party cyber risk recommended the following:
“Protect your extended ecosystem with third-party cyber-risk scoring: Continually quantify the cyber risk of your third parties for actionable insights”
Essentially it espouses the view that any cyber security risk oversight process must be systematic and automated in order to deliver real-time risk visibility and to avoid a hugely onerous manual audit approach.
The problem they describe is three-fold:
- The process is manual and slow, failing to scale with today’s business ecosystem;
- Risk evaluations are often limited to the initial stages of the relationship (and not on-going); and
- Extensive audits, certifications, and compliance still cannot guarantee security.
They advocate an alternative approach where third-party or technology solutions are used to measure and score third party risk in a continuous and automated way that can reliably “monitor, measure, and quantify the cyber risk of your third parties” on an ongoing basis.
Achieving Better Measurement of Cyber Posture
Automating the monitoring, interpreting and reporting of control compliance is a key element of reliable third party cyber audit, it’s measurement helps quantify cyber security posture and risk preparedness.
Simply providing metrics without timely interpretation and continuous reporting and visualisation doesn’t scale, nor does it provide a repeatable and “industrialised process”.
As a result, organisations are increasingly looking at ways to deploy technology to automatically measure their cyber posture and resilience (against key controls) in order to establish their security management capability and that of third party digital partners. Using new technologies, it is now possible to dynamically measure and report any change in security circumstances and as a result adjust security management levers accordingly. These light touch solutions deliver a continuous view of risk across any number of supplier networks and systems – looking at their security resilience through the measurement of patching, privilege management, backups, application security and so on.
This solution is unobtrusive for the supplier (the organisation being assessed) and is easily managed centrally by the customer (who is doing the assessing); and results in an objective, trustworthy, automatic and continuous cyber security posture report.
Research from the Australian Government’s national cyber security advisor, the Australian Signals Directorate (ASD), has shown that 85% of breaches could have been stopped or mitigated in any organisation (and as a result an attack averted) if just eight key risk mitigation controls were in place and operating effectively. The measurement of these cyber security controls provides clear visibility of the cyber posture of any organisation and importantly, they are universally applicable in protecting any organisation.
These so called “ASD Essential Eight” cyber risk mitigation controls provide a useful starting point from which to establish and monitor third-party risk assessment. After consultation with industry professionals, these same controls present in the native Huntsman Security ASD Essential Eight compliance tool also form the basis of the new Huntsman Security Security Scorecard solution that delivers light-touch automated real-time measurement for cyber security risk management effectiveness across customer supply chains everywhere.