Guest post by Martín Francisco Elizalde and Juan Martín Devoto, Argentine lawyers practicing in digital forensics and electronic discovery.
“When we reject the single story, when we realize that there is never a single story about any place, we regain a kind of paradise.” Chimamanda Ngozi Adichie
We are complex organisms, so, since tech issues mostly derive from us, they are complex too and should not be approached from only one angle. Last week, I watched Ms. Chimamanda Ngozi Adichie's TED Talk called "The Danger of a Single Story". I really enjoyed it and I couldn't agree more with her words: “to create a single story, show a people as one thing, as only one thing, over and over again, and that is what they become”. It made me realize that her wisdom applies to information security.
When it comes to your organization's information security, it is common to think of it from within: this is a single-story approach. Usually, when you assess and rank risks, you tend to identify them inside your organization, not in the uncharted terrain beyond your well-protected barriers. It is like that horror movie where the character thinks that if he shuts his eyes, nothing bad will happen to him. Of course, it will.
As a matter of fact, looking for information security risks only within your organization is startlingly insufficient. Looking inside may be enough to find your own vulnerabilities, and hopefully to fix them. But that is considering a single story when testing your organization's information security, and a single story is not enough.
Your organization probably uses some tool to manage its information security; there are plenty of them on the market. So which information security risks do you have to assess with these tools? Generally, the list includes hardware and software failure, human error, spam, viruses, malicious attacks, natural disasters such as fires, cyclones, or floods, as well as improper use of data, IoT vulnerabilities, and system failures.
Moreover, recent research conducted by RiskRecon, after surveying over 150 third-party risk practitioners, found that 31% of respondents had vendors they considered to be a material risk in the event of a data breach. Clearly, this issue affects everybody, even large players, which are supposed to be more on the alert. To mention just one case, in March 2021, Volkswagen Group of America, Inc. was notified that one of its vendors had left data unsecured on the Internet between August 2019 and May 2021, and that the data had been accessed by an unauthorized party. The data exposed varied per customer but ranged from contact information to more sensitive information such as social security numbers and loan numbers. The breach affected 3.3 million customers, over 97% of them Audi customers and interested buyers. If it happened to mighty Volkswagen, what does the future hold for us lesser mortals? The fact is that many firms have not addressed these issues yet; they seem simply to be overlooked.
Accordingly, we will first discuss the issue of the importance of third-party risk.
Then, we are going to address some other issues that should be considered before buying a tool that helps you handle these risks.
To address our first issue, we have to start by defining what third-party risk means. Basically, it “is any risk brought on to an organization by external parties in its ecosystem or supply chain. Such parties may include vendors, suppliers, partners, contractors, or service providers, who have access to internal company or customer data, systems, processes, or other privileged information.”
Additionally, third-party risk is defined as “the potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems”.
Let's analyze the words used in both definitions. In the first one, we find “vendors, suppliers, contractors, partners or service providers”. This is not surprising, as organizations nowadays rely heavily on them. Indeed, it is hard to find a firm that operates without them, and I am not thinking only of large organizations but of medium and small-sized ones as well. “Most modern companies rely on third parties to keep operations running smoothly” ... “so, when a company’s third parties, vendors or suppliers cannot deliver, there can be devastating and long-lasting impacts.” In the second definition, we find an interesting choice of words: “outside parties that provide products and/or services”. The language stresses the connectivity and interdependence among organizations. Of particular significance is the fact that both definitions mention that third parties have access to privileged information, which highlights the vulnerability of the organization’s data.
Now, let's go to examples. Who are third parties? Well, anyone from your email service provider (e.g., Microsoft or Google) to your CRM (e.g., Salesforce) or your internal communication tool (e.g., Slack or Zoom) counts as a third party. In fact, every time your organization turns to SaaS-based vendors or chooses to hire outsourced services, it lets a third party in. The same happens when you use software built by third parties to accomplish certain tasks, simply because the third-party vendor could be accessing, sharing, or leveraging your organization’s protected data assets.
So neither the likelihood nor the impact of third-party risk can be ignored, whatever the size of the organization: cyber risks are extremely egalitarian.
We have pointed out why third-party risks are so critical. Now let’s turn to our second issue: what must be considered in third-party risk assessment, whichever risk management tool the organization chooses to conduct it with.
We do know that third parties can originate risks other than information security risks, for instance compliance, reputational, financial, operational, and strategic risks. However, in our opinion, third parties' information security risks rank first, because they are the ones capable of triggering many of the others.
Moreover, information security risks are the most important issue to consider when an organization implements its risk management. Accordingly, the so-called Information Risk Management (IRM) model “is a form of risk mitigation through policies, procedures, and technology that reduces the threat of cyber-attacks from vulnerabilities and poor data security and from third-party vendors”.
The first stage of third-party risk management is called onboarding, and it consists of registering all third parties. It needs to be implemented consistently across the organization. It is a task that usually involves a team, but it is convenient to appoint a “point person” to make the process easier. As a good deal of data will be flowing back and forth, it is useful to have one person to communicate with; centralizing the information in this field will save a lot of time and effort.
That said, the model must also focus on the terms and conditions of the agreement that the organization will sign with the third party. The agreement must provide that both the organization and the third party are responsible for protecting the security and privacy of the data.
After checking the agreement, it is time to analyze whether the vendor meets the information security processes set by industry standards and good practices. At this point, we think a case-by-case assessment approach is convenient: it must consider, for instance, the size of the vendor and the amount and type (sensitive or not) of data involved.
Now, how does this model work? It usually contemplates a step-by-step approach that includes a questionnaire sent to the vendor, its response, a review of this response, and its final approval.
Following the rule that says “do not introduce unwarranted risk exposure”, the vendor “should have defined policies and controls”. These must spell out how the third party will handle not only data protection but also an information security incident, stating how and when the organization will be notified. On this point, bear in mind that many domestic regulations impose quite short mandatory notification deadlines (the GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach), so the vendor's notification window must be short enough to let you meet them.
Moreover, if the vendor allows subcontractors to access your data, this should be put in writing. Logins, and the extent of any such access, should be logged.
It is also convenient to carry out due diligence on third parties. During this process, you should look at specific aspects such as certifications and attestations (e.g., ISO/IEC 27001 certification or a SOC 2 Type II report) to ensure that firm policies are being followed by all parties. Also, to conduct a valuable security evaluation, you must first define what your organization considers to be an acceptable level of risk.
The organization's right to monitor the third party’s security measures and good practices must also be made sufficiently clear. Continuous monitoring is the most reliable thermometer the organization has for measuring how far the third party can be trusted.
The initial assessment should not only determine the degree of risk vendors pose to your organization but also provide for monitoring the way they handle their information security over time. Both due diligence and continuous monitoring are fundamental pillars that support risk management.
Furthermore, we strongly recommend engaging senior leadership and members of the board of directors in third-party risk management, including in the management tool selection process. This usually has a healthy side effect: once involved, senior management is generally willing to allocate funds to address the issue.
Equally important is how to terminate the relationship with a third party. Risk management tools sometimes focus on adding new vendors, while termination processes receive much less attention. All vendor relationships eventually come to an end, but your risk exposure does not entirely disappear when the contract is terminated. There are final obligations to meet, data destruction procedures to follow, ongoing service agreements to consider, vendor access and credentials to remove, and final payment terms to confirm. Surprisingly, 60% of companies say they are not actively assessing third-party risk during offboarding.
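One practical way to close the offboarding gap described above is to reconcile the contract register with the accounts your vendors hold in your systems, and flag any vendor account that is still enabled, or was still being used, after its contract ended. The script below is an added example written for this post, not a tool from the authors or from any vendor; it assumes a simple comma-separated account export and a vendor-to-contract-end-date register (both constructed here, not the schema of any real identity provider).

```python
"""Offboarding audit: find vendor accounts that outlived their contract.

Added example. Input formats are assumed: a CSV-like account export with
columns username,vendor,enabled,last_login (empty last_login = never logged
in) and a dict mapping vendor name -> contract end date. All data below is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str
    enabled: bool
    last_login: Optional[date]


# Constructed contract register: vendor -> contract end date.
CONTRACTS: Dict[str, date] = {
    "acme-logistics": date(2023, 12, 31),
    "datapipe-saas": date(2024, 6, 30),   # still running at the audit date
    "old-consulting": date(2023, 3, 31),
}

# Constructed account export. "quickpdf-tool" is deliberately absent from the
# register above, to show how unregistered (shadow) vendors surface.
ACCOUNT_EXPORT = """\
svc-acme-sftp,acme-logistics,true,2024-02-10
acme-jdoe,acme-logistics,false,2023-11-02
datapipe-api,datapipe-saas,true,2024-03-01
oldc-admin,old-consulting,true,
oldc-tmp,old-consulting,true,2023-02-12
shadow-it-bot,quickpdf-tool,true,2024-03-10
"""


def parse_accounts(export: str) -> List[Account]:
    """Parse the assumed username,vendor,enabled,last_login export."""
    accounts = []
    for line in export.splitlines():
        if not line.strip():
            continue
        username, vendor, enabled, last_login = line.split(",")
        accounts.append(Account(
            username=username,
            vendor=vendor,
            enabled=enabled.strip().lower() == "true",
            last_login=date.fromisoformat(last_login) if last_login else None,
        ))
    return accounts


def audit_offboarding(accounts: List[Account], contracts: Dict[str, date],
                      today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that should be gone.

    Three conditions are checked: the vendor is not in the contract register
    at all; the account is still enabled after the contract ended; and the
    account was used after the contract ended (a sign of access that was
    never revoked, which matters even if it has since been disabled).
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        end = contracts.get(acct.vendor)
        if end is None:
            findings.append((acct.username, "vendor not in contract register"))
            continue
        if end >= today:
            continue  # contract still in force; nothing to offboard yet
        if acct.enabled:
            findings.append((acct.username, f"still enabled after contract end {end}"))
        if acct.last_login is not None and acct.last_login > end:
            findings.append((acct.username,
                             f"last login {acct.last_login} after contract end {end}"))
    return findings


if __name__ == "__main__":
    for user, why in audit_offboarding(parse_accounts(ACCOUNT_EXPORT),
                                       CONTRACTS, date(2024, 3, 15)):
        print(f"{user}: {why}")
```

Run against the constructed data with an audit date of 2024-03-15, the script flags five findings: the Acme SFTP service account is both still enabled and was used in February 2024, six weeks after that contract ended; two old-consulting accounts are still enabled; and the shadow-it-bot account belongs to a vendor nobody registered. The disabled Acme user and the active datapipe-saas account are correctly left alone. In practice the export would come from your identity provider or cloud IAM, and the register from the onboarding records kept by the point person mentioned earlier.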
Following the analysis we have conducted above, it is extremely important to implement a thorough third-party risk management plan. However, not every organization considers this issue critical, and not enough attention is paid to it. That choice is both careless and dangerous. As Maurice de Talleyrand, the celebrated French statesman, might have concluded, such an approach is worse than a crime: it is a blunder.