Many people view risk in business as something that should be avoided at all costs. However, we believe that with the appropriate third-party risk management processes, these risks can be catalysts for strong business growth and revenue.
For decades, organisations have searched for ways to better adapt to the marketplace of their time. In the modern economy, businesses have turned towards an ecosystem of third-party services that can cater specifically to their needs and drive their competitive advantages.
Whether it be a vendor, supplier or business partner, there are many reasons why organisations continue to engage and rely on third-party services. These vary drastically case by case, but can include:
• Leveraging industry knowledge or subject expertise • Cost savings • Time savings • Outsourcing labour • Compliance with evolving legislation • Value-add to their existing services • Join venture or business partnership
What is a third party in a cyber context?
Traditionally, a third party is defined as an entity that ‘may be indirectly involved but is not a principal party to an arrangement, contract, deal, lawsuit, or transaction’. There are many more interpretations.
But in the world of cyber, the idea of a third party is not so simple. Third parties do still exist in the traditional form, though businesses should now consider certain technologies (namely AI, IoT, open APIs), as well as third parties’ third parties (also referred to as fourth or fifth parties), under its guise.
The relationships between businesses and their respective third parties are far too complex to monitor using manual methods. Especially for companies with thousands of third parties, addressing the risks associated with each one would take years to process. This is not very helpful for coping with evolving compliance demands or making pre-emptive improvements in third-party cybersecurity.
The dangers of third-party cyber risk While there are notable benefits to engaging these third-party solutions, doing so carelessly, without a structured approach, will only complicate the existing risks you face as a business. Exposure to cyber risk is among the most dangerous areas of risk for a business because of the potential to lose consumer data, intellectual property, or other sensitive digital assets.
For example, between August 2018 and March 2019, a hacker successfully penetrated the American Medical Collection Agency (AMCA) system – a prominent billing services provider in the US healthcare industry. Reportedly, the hacker obtained access to the patient records of more than 25 million people, including ‘patient names, addresses, telephone numbers, dates of birth, dates of service, account balances, banking or credit card information, and provider details.’
Numerous companies impacted by the breach are currently ‘facing lawsuits, as well as state and Senate investigations. Security researchers have noted that the impact of the breach will continue to reverberate throughout the foreseeable future.’
Common mistakes made in relation to third parties
Common mistakes when dealing with third parties include:
• Failing to fully understand which risks are critical to your business or the respective third party, leading to generic or irrelevant assessments. • Failing to gain accurate and actionable risk data from these third parties, due to a lack of correct guidance. • Manually collecting data. This is not necessarily a mistake, but can cause significant delays in cybersecurity improvements and risk mitigation. Speed and agility are important to combat evolving threats. • Failing to create a third-party cybersecurity program that can be efficiently scaled to accommodate third-party ecosystem growth. • Failing to implement a third-party-specific cybersecurity process for approving or vetting third parties. • Failing to conduct and prioritise improvements or remediation based on which third parties pose the greatest potential threat to your business.
Protecting your business from third-party risk
The prevalence of data in modern business practices demands a comprehensive solution to protect against the cybersecurity risks posed by third parties.
Move away from spreadsheets and embrace secure digital integration in your risk management and compliance processes. Using manual processes to address cybersecurity risks is not a sustainable solution given the intertwined nature of modern data flows.
There needs to be a fundamental shift in the way organisations and third parties engage in cybersecurity. Awareness of cybersecurity best practices, and a better understanding of how these risks manifest themselves, is imperative to navigate and identify suitable third-party partnerships. Unfortunately, there is no ‘one size fits all’ approach, but a strong cyber risk management program can save your business millions of dollars.
Furthermore, you need to be constantly aware of the state of all your third parties’ cybersecurity postures. As part of this, you need to develop the mutual understanding that upholding the appropriate cybersecurity standards is a non-negotiable condition of any partnership.
A simpler way to manage third-party cybersecurity
Around the world, issues of cybersecurity are more commonly discussed at the board level, and rightfully so. Executives and directors want to avoid the potential disruption of customer services or breaches in regulation, because they are beginning to understand what is really at stake.
The cyber risks associated with these third parties cannot be completely eliminated, but neither can those from within your business. Cyber threats will continue to evolve. All operators can do is seek to reduce these risks to a level that is considered ‘safe’ for your business or industry.