Third-Party Risk: Your Hidden Security Blindspot

Job Angula

In December 2022, Uber, the global ride-sharing company, disclosed a third-party data breach after attackers leaked the email addresses of Uber employees, along with details of IT assets and corporate reports, in an online post.

The attackers did not need to break into Uber directly: they carried out the breach through an intrusion into an Uber vendor, Teqtivity, a provider of IT and technology asset management services.

The exposed information could enable targeted phishing campaigns against Uber's staff, since an attacker who knows who works where, and on what equipment, can craft far more convincing lures.

This is far from unique. It joined a flurry of similar high-profile third-party breaches affecting enterprises such as SolarWinds, Microsoft and Okta, highlighting the need for rigorous third-party risk management (TPRM).

Awareness of third-party risk is growing: a 2023 EY survey of more than 500 participants found that 90% are actively working to make their TPRM programmes more efficient.

This article explores the evolving realm of third-party risk management, offering key strategies for businesses to manage their external partnerships effectively throughout the entire relationship lifecycle.

EMERGING RISKS

Third-party risk involves the potential for adverse events a company might face because it relies on external entities within its supply chain or ecosystem.

With the evolution from self-sufficient corporations to businesses increasingly outsourcing non-core functions to third parties, reliance on external partners like software vendors, IT service providers, and staffing agencies has increased significantly.

This extends a company's risk profile to include the risks carried by its third-party partners, potentially leading to operational disruption, financial loss, reputational damage and regulatory consequences, especially if a critical service provider is compromised.

While third-party relationships have always posed some level of risk, their likelihood and potential impact have grown significantly.

This is due to expanded reliance on third parties, the growing complexity of supply chains, and advances in cyber attack methodologies.

Consequently, any material risk at vendor level can significantly affect the host company, prompting a reevaluation of the relationship from a risk management perspective and underlining the importance of TPRM programmes.

PITFALLS AND BEST PRACTICES

A common approach to managing third-party risk is to ask vendors to complete a security questionnaire as a means of assessing their security posture.

This often proves ineffective because the questions can be overly broad or overly detailed, not necessarily reflecting specific risks relevant to the business relationship.

Additionally, responses are not always provided by individuals with the right expertise, risking an inaccurate portrayal of a vendor's security posture.

Ultimately, the exercise tends to overburden both suppliers and customers, turning the process into a mere formality rather than a genuine, fit-for-purpose risk management exercise.

Appropriately managing third-party risk therefore rests on five key tenets:

  • Due Diligence: Before engaging a third party, rigorously evaluate their security practices and risk profile to ensure alignment with your organisation’s requirements and to proactively mitigate identified risks.

This implies that you first set a baseline of your own security capabilities and requirements: asking a vendor to fill out an elaborate questionnaire when your own capabilities and risk practices are limited is counterproductive, because you cannot judge the answers against anything.

  • Clear Contracts: Incorporate specific security and compliance expectations into contracts, including breach notification protocols and audit rights, to legally enforce adherence to set standards.

Bear in mind that security is a mutual obligation; security expectations in contracts should be enforceable on both sides. This process must also involve the relevant business functions, such as procurement and legal.

  • Continuous Monitoring: Engagements with third parties do not end with an initial risk assessment – both the risks identified initially and those that emerge later must be monitored throughout the business relationship. Leveraging real-time monitoring tools to observe changes in third-party compliance and security, along with examining any available assurance reports from third parties, facilitates the quick detection and resolution of potential risks.

  • Open Communication: Maintain open, regular communication with third parties to discuss security concerns, updates, and improvements, ensuring both parties are aligned on risk management practices.

This is particularly important for key vendors and is best accomplished by contractually mandated scheduled performance review meetings and security updates.

  • Structured Offboarding: The conclusion of a third-party contract marks the beginning of a critical offboarding phase, not the end of the risk.

Establish a defined process and offboarding checklist for securely ending third-party relationships, ensuring that sensitive data is returned or destroyed and that every access right granted during the engagement is revoked, so that a former vendor's accounts, keys and seats do not linger as an unowned route into your systems.
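The offboarding checklist above only works if you know what was granted in the first place, which is also what the continuous-monitoring tenet depends on. The following is an added example, not code from the article or its authors: a small vendor access register that records every account, key and seat given to a vendor, compares it with the contract end date, and reports what must still be revoked, what was revoked late, and whether offboarding is complete. The vendor name "AssetCo", the grants, the dates and the seven-day revocation grace period are all constructed for illustration.

```python
"""Vendor offboarding check over an access register (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class AccessGrant:
    """One thing a vendor was given: an account, key, seat or role."""
    vendor: str
    system: str                      # e.g. "vpn", "github", "aws-iam"
    kind: str                        # "account", "api_key", "ssh_key", "saas_seat"
    identity: str                    # account name, key id or role name
    granted: date
    revoked_on: Optional[date] = None

    @property
    def label(self) -> str:
        return f"{self.system}:{self.kind}:{self.identity}"


@dataclass
class Engagement:
    vendor: str
    contract_end: date
    data_disposition_confirmed: bool = False   # signed return/destruction certificate on file


REVOCATION_GRACE = timedelta(days=7)   # assumed policy: revoke within 7 days of contract end


def is_active(grant: AccessGrant, today: date) -> bool:
    """A grant is live on 'today' unless a revocation dated on or before it exists."""
    return grant.revoked_on is None or grant.revoked_on > today


def revoke(grant: AccessGrant, on: date) -> None:
    """Record a revocation; idempotent so a rerun never resets the date."""
    if grant.revoked_on is None:
        grant.revoked_on = on


def offboarding_checklist(eng: Engagement, register: List[AccessGrant], today: date) -> Dict[str, object]:
    """Compare what a vendor still holds against where the contract stands."""
    mine = [g for g in register if g.vendor == eng.vendor]
    ended = today > eng.contract_end
    active = [g.label for g in mine if is_active(g, today)]
    # Revoked, but later than the grace period allows: a lagging process worth fixing
    late = [g.label for g in mine
            if g.revoked_on is not None and g.revoked_on > eng.contract_end + REVOCATION_GRACE]
    return {
        "vendor": eng.vendor,
        "contract_ended": ended,
        "active_grants": active,                # still live, whether or not the contract ended
        "revoke_now": active if ended else [],  # overdue once the contract has ended
        "revoked_late": late,
        "data_disposition_confirmed": eng.data_disposition_confirmed,
        "offboarding_complete": ended and not active and eng.data_disposition_confirmed,
    }


def sample_register() -> List[AccessGrant]:
    """Constructed register for the fictional vendor 'AssetCo'."""
    v = "AssetCo"
    return [
        AccessGrant(v, "vpn", "account", "assetco-eng", date(2022, 6, 1), revoked_on=date(2024, 4, 1)),
        AccessGrant(v, "github", "account", "assetco-svc", date(2022, 6, 1)),
        AccessGrant(v, "aws-iam", "api_key", "key-assetco-01", date(2023, 1, 15)),
    ]


def run_offboarding() -> Dict[str, Dict[str, object]]:
    """Preview before the end date, audit after it, revoke what is flagged, re-audit."""
    eng = Engagement("AssetCo", contract_end=date(2024, 3, 31))
    register = sample_register()
    preview = offboarding_checklist(eng, register, date(2024, 3, 1))  # contract still running
    today = date(2024, 4, 15)
    before = offboarding_checklist(eng, register, today)
    for g in register:
        if g.label in before["revoke_now"]:
            revoke(g, today)
    eng.data_disposition_confirmed = True   # assume the destruction certificate has arrived
    after = offboarding_checklist(eng, register, today)
    return {"preview": preview, "before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(run_offboarding(), indent=2))
```

The "revoked_late" list is the continuous-monitoring half of the picture: even once everything is revoked and offboarding is complete, it shows that two grants outlived the contract by more than the policy allows, which is a process finding to raise in the next vendor review rather than something to quietly close.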

As businesses evolve and expand their operational and digital footprints, reliance on third parties becomes inevitable, and exposure to third-party vulnerabilities will continue to rise.

Effective third-party risk management requires more than a one-off security questionnaire.

It hinges on thorough vetting, clear agreements, consistent oversight, effective communication, and organised offboarding protocols.

These practices ensure third-party engagements do not become hidden liabilities, but are instead harnessed productively while being managed proactively to safeguard against emerging threats and ensure compliance.

  • Thomas Hamata and Job Angula are IT risk professionals and co-founders of Accelerate Advisory Services (Pty) Ltd. You can read more on their thought leadership at www.acceler8namibia.com/blog.
