Recent surveys report that while 37% of organizations feel they are highly exposed to cyber risk, only 62% have an operational and strategic plan to defend against cybersecurity threats, and only 57% have a cybersecurity risk program in place that monitors and tracks the security posture of their third parties. With increasing numbers of attacks arriving through third parties, it’s critical that your organization understands the cyber risks it is exposed to and has proper mitigation policies in place to guard against third-party attacks.
What is Cyber Risk?
Cyber risk is the likelihood of an organization’s digital systems suffering a cyberattack or security incident that exposes the organization to data loss or to financial, operational or physical damage. These risks can originate from internal threats within an organization or from external forces outside it. Due to the growing number of applications, third-party services, IoT devices and third-party code in use, third-party risk is one of the most common types of cyber risk that organizations struggle to mitigate.
The Two Main Types of Cyber Risks
Cyber risks can be divided into two main categories:
- External. External cyber risks originate from outside of your organization. These can include data breaches, DDoS attacks, advanced persistent threats (APTs), ransomware attacks, zero-day exploits, social engineering and supply chain attacks.
- Internal. Internal risks originate from actors and behaviors within your organization. These can include malicious insiders, poor internal security practices of employees such as excessive user privileges or clicking on malicious links, and accidental data leakage or data loss.
When a cyber risk occurs in a supplier, contractor, third-party service, partner or agency, it poses a third-party risk to your organization. Organizations do their best to minimize these cyber risks with third-party cyber risk management.
The Importance of Third-Party Cyber Risk Management
An increased reliance on third parties, combined with more regulations, has coincided with more sophisticated attacks in which organizations are targeted indirectly through their third parties. The third-party data breaches of Boeing, Okta, and AirEuropa in the past year alone demonstrate why each organization must develop a strategy to strengthen its security posture against third-party risk. Third-party risk management assesses and controls the risk posed by third-party vendors through a variety of methods, including cyber security ratings, security questionnaires and evaluations of the vendor performed by an outside third party.
However, traditional third-party risk management faces a number of challenges: security questionnaires are complex and time-consuming to complete, their answers are subjective, organizations need greater visibility into a vendor’s inherent risk level, and it is impossible to manually evaluate hundreds or thousands of third parties. Together these challenges have highlighted the need to automate third-party risk management. Many organizations now manage their third-party cyber risk automatically through a third-party cyber risk management platform that identifies, prioritizes, alerts on and remediates the cyber risks facing their organization.
5 Steps to Cyber Risk Mitigation
All third-party relationships involve a certain amount of inherent risk that is acceptable according to the risk tolerance of the organization. Since not all risks can be remediated, cyber risk mitigation is a crucial element of any organization’s third-party risk management.
Here are a few steps your organization can take to mitigate cyber risk:
1. Evaluate the security posture of your third parties
Conduct third-party risk assessments at the beginning of your vendor relationship to understand the risks they pose along the supply chain. This includes establishing key risk indicators (KRIs) that include the number of third-party risks identified, the number of risks that occurred, the percentage of risks monitored and the percentage of risks mitigated. You’ll also need to determine the amount of inherent risk involved in each vendor relationship and establish the level of due diligence necessary to evaluate the security posture comprehensively.
2. Establish clear cybersecurity requirements
A strong cyber security posture means communicating to your third parties the compliance and security requirements they must uphold, including access controls, employee training and awareness, the level of data encryption, incident response training and the ability to meet relevant regulations (e.g., HIPAA, GDPR), standards and data requirements. Regular audits and assessments should also be required to evaluate the effectiveness of these requirements and whether the third party is actually meeting them.
3. Have an incident response plan in place
Knowing exactly how your organization and the vendor would respond in the event of a third-party attack or supply chain attack is the first step to minimizing the damage from the attack. The plan should define the exact roles and tasks that members of your security, IT, business and executive teams will carry out, along with the corresponding roles, tasks and contact information for your third party. Your incident response plan may also include simulated attacks run with the cooperation of third parties, so you can learn where the plan falls short and make the relevant changes to mitigate similar types of attacks.
4. Monitor risk continually
With a growing reliance on third-party services, apps, IoT devices, partners and suppliers, both your attack surface and the cybersecurity landscape are constantly changing. According to Gartner, more than 80% of third-party services were identified as having cyber risk after the process of onboarding and due diligence. To mitigate these specific risks, you’ll need to continually monitor your third parties’ digital presence and external-facing assets through external attack surface monitoring to understand any potential points of vulnerability that could be exploited by external hackers and unauthorized users. Even after the initial onboarding and due diligence process, you’ll still need to regularly verify your third parties’ compliance with regulations by sending security questionnaires and conducting regular audits and on-site visits. Monitoring risk continually also includes evaluating the effectiveness of current security controls against the current threat landscape.
5. Review and update mitigation policies
As your business relationships evolve, your cyber risk evolves as well. Conduct regular third-party risk assessments, due diligence questionnaires and security questionnaires as your attack surface expands and third parties are added to, removed from and replaced in your digital ecosystem. At the same time, the technology landscape is constantly changing, as are the vulnerabilities and weaknesses it poses to your third parties and to your own organization. You’ll also want to review the specific mitigation efforts taken in response to recent attacks or threats, evaluate their effectiveness, and extract any lessons that can be applied to similar attacks in the future.
How Panorays Helps You Manage Third-Party Cyber Risk
Panorays delivers a 360-degree cyber risk rating based on a combination of automated and customized security questionnaires and external attack surface assessments. Through an evaluation of hundreds of tests, Panorays collects information on third-party security best practices and exposed assets to determine a cyber posture rating of your supplier’s cyber risk. This includes continuous monitoring of vendors to ensure compliance with industry regulations such as EBA and NYDFS and standards such as NIST and PCI DSS, and takes into account how critical the relationship is to your business. When a security gap is detected, you receive a remediation plan for each vendor, prioritized so that the most important issues are addressed first. With remediation plans tailored to your organization’s risk appetite, you’re open to more business opportunities than you might have had otherwise.
Want to learn more about how you can manage cyber risk across your entire digital supply chain? Get started with a Free Account today.
Cyber risk is the potential for reputational, financial or operational damage to an organization due to unauthorized use, failure or misuse of its information systems. Broadly speaking, cyber risk can be divided into internal and external risk. Internal risk might be due to a malicious insider, poor security controls or misconfigurations, while external risk could come from an advanced persistent threat (APT), phishing, ransomware, DDoS attacks, zero-day exploits and supply chain attacks. Many cyber risks that exist in a third party, supplier, external contractor, agency or partner can have a snowball effect on other organizations in that same supply chain.
Cyber risk appetite is the amount of risk an organization is willing to take on to meet its business objectives. An organization’s risk appetite might vary according to the specific risk and its related strategic goal. For example, a startup may be very averse to financial risk from investors, whereas a more established company may be more averse to reputational risk from a third-party data breach. A company’s risk appetite should be regularly reviewed and communicated to all stakeholders across the organization.
An example of a cyber risk is a malicious insider who gains unauthorized access to your organization’s sensitive data. The malicious insider could be a disgruntled employee or a former employee seeking revenge or financial gain while also damaging the company’s reputation, finances, or operations. After accessing the data, the malicious insider could sell it on the dark web, exposing confidential or personally identifiable information of customers, or encrypt it and use the encrypted data to launch a ransomware attack.