Where does cybersecurity risk come from? If you answered, “everywhere,” then you’re on the right track. However, that perspective isn’t enough. You need to be more specific in identifying problems and threats. You need to be skeptical and curious to find all the threats. That includes looking closely at your third-party risk.
What Is Third-party Cybersecurity Risk?
You’re already used to working with customers and employees to address security risk. Honestly, that’s table stakes for effective cybersecurity today. The next challenge lies in identifying and managing third-party cybersecurity risk. The three most common sources of this risk category include:
- Consultants and contractors: You’re not always going to have the right talent and expertise you need, which is why relying upon outside experts is a common practice. However, the more you rely upon outside providers, especially developers, the more third-party risk you have. A consultant may work with multiple clients who have different cybersecurity requirements, and may make mistakes.
- Application Programming Interface (API): APIs are a great way to extend the power of your software. This is a main reason why you see so many integrations on the market. There’s a downside to this ease of integration: greater risk. If you integrate with partners with weak security protections, or if you have hundreds or thousands of API connections, this risk becomes much more difficult to manage.
- Open source involvement: Engaging the open source community is a smart way to spark innovation. On the other hand, you need to be thoughtful about what you accept into your core product. Ask whether the contributed code, and the processes and systems behind it, have been properly tested.
Now that the overview is covered, you’re probably wondering what this means for your company.
Do You Have Third-party Cybersecurity Risk Today?
There are two factors involved in answering this question: discovering your risk and deciding how to respond to it. Start with using these four self-assessment points, but note that you may need to check with other departments to get all the answers.
- Contractors and consultants: Produce a list of individuals and companies that have user IDs for your organization. Make sure to include past consultants as well. It’s important to manage inactive user account risk. After all, ending a consultant’s contract doesn’t automatically terminate his or her user ID. That ID and its associated access may continue to exist for weeks or months afterward.
- APIs: Create an inventory of companies using your API. Next, identify the high-importance companies, and perform a cybersecurity assessment of these providers.
- Open source: Evaluate how much your company and products rely upon open source contributions. Do you have a manager with accountability for overseeing these contributions? Don’t be quick to assume you have no exposure, as you may have indirect exposure through other products you have.
- Blue sky scanning and strategy: Examining your current situation isn’t enough to understand your risk. It’s also important to consider the company’s future plans. Review the strategic plan for expansion, innovation, and other changes.
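The contractor check above (enabled user IDs that outlive a consultant’s contract, or sit idle for months) can be turned into a repeatable audit. The following is an added example, not code from the article; the roster and directory records are constructed sample data, and the field names and the 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article). Field names are assumptions.
# Contract roster: vendor -> contract end date (None means still active).
CONTRACTS = {
    "acme-consulting": {"end": date(2023, 12, 31)},
    "devshop-ltd": {"end": None},
}

# Directory export: one record per external account.
ACCOUNTS = [
    {"user": "jdoe", "vendor": "acme-consulting", "enabled": True,
     "last_login": date(2024, 1, 5)},
    {"user": "asmith", "vendor": "devshop-ltd", "enabled": True,
     "last_login": date(2024, 6, 1)},
    {"user": "old-vendor", "vendor": "unknown-corp", "enabled": True,
     "last_login": date(2023, 6, 1)},
    {"user": "bnguyen", "vendor": "devshop-ltd", "enabled": True,
     "last_login": date(2024, 2, 1)},
]

AS_OF = date(2024, 6, 15)  # constructed audit date


def audit_third_party_accounts(accounts, contracts, today, max_idle_days=90):
    """Return (user, reason) findings for enabled external accounts that
    have no contract on file, whose contract has ended, or that are idle."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to review
        contract = contracts.get(acct["vendor"])
        if contract is None:
            findings.append((acct["user"], "no contract on file for vendor %s" % acct["vendor"]))
            continue
        end = contract["end"]
        if end is not None and end < today:
            findings.append((acct["user"], "contract ended %s, account still enabled" % end))
            continue
        idle_days = (today - acct["last_login"]).days
        if idle_days > max_idle_days:
            findings.append((acct["user"], "idle for %d days" % idle_days))
    return findings


def run_sample():
    """Run the audit over the constructed data as of AS_OF."""
    return audit_third_party_accounts(ACCOUNTS, CONTRACTS, AS_OF)
```

Each finding is a review item for the account owner; the check is a starting point for the inventory, not a substitute for tying deprovisioning to contract end dates.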
What do you do with all this information? If you find exposure in two or more of the categories above (e.g., consultants and APIs exposure), you have a medium risk level. That risk needs to be aggressively managed using the tripod strategy.
Designing a Solution to Third-party Cybersecurity Risk: The Tripod Strategy
There’s no silver bullet in cybersecurity; instead, you need a combination of strategies to protect the organization. You need to use a tripod to deliver a stable cybersecurity defense.
- Management: The organization’s leaders set the tone for security. This includes attending cybersecurity training with staff. It also includes providing IT with sufficient budget and staff to protect security. If staff members sense that the leadership doesn’t care about security, bad practices such as password reuse will increase.
- Software solutions: Here’s the blunt truth for cybersecurity specialists: most people don’t think much about security. That’s why it’s essential that you make security as comfortable as possible. You can streamline policies and procedures to a degree. Even better than that is using software to automate security tasks such as password management.
- People: Equip your staff to manage security obligations by providing training and coaching. This point is especially important for high-growth organizations that are adding a large number of staff.
Now, apply the security tripod to third-party cybersecurity risk. Assume that you’ve already done your homework in identifying your risk. If not, go back to the previous sections of this article and complete those steps.
- Management for third parties: Assign clear responsibility for managing third-party risk. If you have a relatively stable list of external consultants and experts, appoint a vendor relationship manager. This role is familiar at large organizations such as banks that make extensive use of outsourcing. For the best results, equip your vendor manager with training from IAOP, so they have a holistic understanding of their role.
- Software solutions: Revisit your current software solutions for identity management and passwords. Do you have an easy way to manage, add, and remove access? If not, you’ll need to add some new tools. To help you win support for these changes, you may need to develop a business case. We can get you started on the path with this: Get Your SSO Software Project Funded with a Business Case. If you’re actively looking for identity management solutions, make sure you include Lifecycle Management.
- People: Supporting your people to manage third parties comes down to training and management follow-up. Start by reviewing your annual cybersecurity training to cover third parties. Next, ask managers with third-party touchpoints to report on these risks quarterly.
A Growing Cybersecurity Risk You Can’t Ignore
Outsourcing, open source, and other trends are combining to increase third-party risk. You might be tempted to simply ignore these risks and eliminate third parties, but that’s a mistake! You’ll cut yourself off from much-needed expertise and growth opportunities. Instead, look for ways to proactively manage this risk and maintain your growth.