Third Party Exposure - Cyber Security Risk


 
 Author - Sivakumar RR
 
The term “Enterprise” used to be associated with industries and manufacturers running huge factory setups, where operations were centralised and decision making was an isolated, carefully planned process. Times have changed a lot of this: booming globalisation across domains gave new definitions to the “Enterprise”, and public cloud companies gave wings to startups, so that small organisations could fly across national and geographic boundaries and offer their services. Growth in operations became drastic and far more dynamic, and so did the risks that come with it.
 
“Security” was earlier a mostly physical process of precautions; with connected devices (IoT) and a data-oriented approach across the business infrastructure, organisations were forced to accept a new piece in their risk puzzle, “Cyber Security”.
 

What makes third party risk important?

As I mentioned above, globalisation opened several doors for organisations to grow across geographic boundaries, which helped them reduce operating costs by outsourcing cost-heavy needs such as manufacturing, human resources and so on. Having these distributed components in the business demands that operations be more connected and stay up to date with on-floor and field activities. Although these outsourcing or third party companies are external entities from a business standpoint, it is crucial to bring them into the main system so that the parent organisation keeps a better foothold on its operations.


Managing these vendor companies becomes one of the core processes in most organisations; there is a lot of screening and procedure in place for onboarding a vendor and running business with them. Rather than treating vendors as external entities, most organisations take them as an extension of themselves during the contract period. This is actually pretty good for running smooth business with the vendors, but it also inherits the risk elements the vendor companies are facing. This can expose the parent organisation to regulatory action and reputational damage, or it can even stop the company from providing service to its existing customers as promised.


Cyber Security Risk is one of the major risk elements in doing business with third party companies. In most cases third party companies will have access to networks, data or privileged information of the parent organisation. This can make the vendor company a target for attackers whose actual target is the parent company. Breaching the vendor organisation opens a door to the parent company if the malicious actors can crawl their way up through the vendor's privileged access.

  

How to minimise the third party risk?

These risks are inevitable; the only thing an organisation can do is minimise them. This is a continuous process with periodic repetition of the steps in it. Consider an MNC as the parent company: it will have hundreds of associated vendors, starting with the welcome gift that the employer gives to a new employee on the joining day. If a vendor company manages this process, then it will have access to employee data with attributes like date of joining, DOB, contact info and so on, which makes this vendor riskier to handle.


So a Vendor Inventory is the start of this process: who does what and who has access to what. This data makes a pretty good start for the Cyber Security Risk mitigation model. By analysing it, an organisation will be able to group the vendor companies into different risk levels based on their exposure to sensitive data.


Vendor Assessment is the next step: a periodic process performed to evaluate the vendors' security posture. This can be done by the parent organisation or by a trusted auditing firm that can give a detailed review of the security posture of the vendor company.


Access Control is something that not only needs to be established internally but also strictly enforced on the vendor companies. Use the initial data collected for the Vendor Inventory, list the services or people that have access to the core infrastructure of the parent company, and enforce least privileged access on them.


These processes need to be prioritised between high risk and low risk vendor companies, but it is important to assess both with the same standards to get a quality evaluation. Having the vendor companies certified against the relevant regulatory compliance standards, or in other words choosing vendors that are already compliant, is an ideal way to shortlist vendors in the selection process.


And finally, having a Mitigation Plan in place for incidents is very important. Although we assess the vendor companies, we have to accept the fact that Cyber Security risks are emerging day by day and zero day vulnerabilities are being identified every day. So an organisation should have a process or plan to mitigate any risk or breach that is anticipated: a process that acts like a kill switch and shuts down all of a vendor company's access to the parent organisation.
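As an added illustration of the inventory, risk grouping, least privilege and kill switch steps described above (example code written for this article, not from any real vendor management system), the small Python model below builds a constructed vendor inventory, groups vendors by their exposure to sensitive data, flags grants that exceed what a vendor's service needs, and revokes everything for a vendor in one step. The data classes, weights and vendor records are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights: how sensitive each class of data or access is.
# A real organisation would take these from its own data classification.
SENSITIVITY = {"employee_pii": 3, "privileged_access": 3,
               "network_access": 2, "public": 0}


@dataclass
class Vendor:
    name: str
    service: str
    data_classes: set          # kinds of parent data the vendor touches
    grants: set = field(default_factory=set)  # resources it can reach today
    active: bool = True


def risk_level(v: Vendor) -> str:
    """Group a vendor by its exposure to sensitive data (inventory step)."""
    score = sum(SENSITIVITY.get(c, 0) for c in v.data_classes)
    return "high" if score >= 3 else "medium" if score > 0 else "low"


def group_by_risk(inventory):
    """Vendor Inventory view: risk level -> sorted vendor names."""
    groups = {"high": [], "medium": [], "low": []}
    for v in inventory:
        groups[risk_level(v)].append(v.name)
    return {k: sorted(names) for k, names in groups.items()}


def excess_grants(v: Vendor, needed: set) -> set:
    """Least privilege check: grants the vendor holds but its service does not need."""
    return v.grants - needed


def kill_switch(v: Vendor) -> Vendor:
    """Mitigation step: shut down all access of a vendor at once."""
    v.grants.clear()
    v.active = False
    return v


# Constructed inventory: the welcome-gift vendor from the article holds employee PII.
INVENTORY = [
    Vendor("GiftCo", "welcome gifts", {"employee_pii"}, {"hr_export", "vpn"}),
    Vendor("PlantOps", "contract manufacturing", {"network_access"}, {"vpn"}),
    Vendor("PrintShop", "brochures", {"public"}, set()),
]
```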


Last but not the least, we build fool proof systems but we are not expecting fools on the other side, are we?
