How to choose, manage, and mitigate third party risk - RSA
Article by RSA APJ governance, risk and compliance director Sam O’Brien
The continuous stream of data breaches, like the one recently announced for PageUp, are a reminder of just how important it is to consider cybersecurity risks posed by your third-party relationships, as well as the responsibility they carry in providing services either for you or on your behalf.
While the impact to PageUp was immediate, with several major Australian brands having to suspend their careers websites, the full impact on its customers is still unclear.
Unfortunately, this wasn’t the first time a major data breach occurred as a result of the compromise of a third-party service that is being used for outsourced business processes or technology services.
If you look at many of the major data breaches over the last five years, both in Australia and on an international scale, there is often a third-party factor involved.
According to a recent Deloitte survey, three in four respondents faced at least one third party-related incident in the three years leading up to the report.
Worryingly, only 20% of respondents reported they had integrated or optimised their extended enterprise risk management systems, and just 11% said they were ‘fully prepared’ to deal with the increased uncertainty in the external environment.
Part of this is down to the rise of cloud computing that has shifted major infrastructure outside the organisation and into the hands of third parties, but there is also a general push for many organisations to focus on what they are good at and to outsource the rest.
Relying on third parties creates unique security risks, as the handling and storage of an organisation’s ‘crown jewels’, including everything from intellectual property to trade secrets, and even internal contact lists and staff credentials, move outside corporate borders and are handled by workers that aren’t your own. Here are some of the steps that can be taken to mitigate third-party risk.
You can only protect what you’re aware of
This means ensuring you have a clear view of which third parties you do business with and, more specifically, how you do business with them.
While it would be wonderful for all this information to magically appear, it is usually scattered across the business departments that make these decisions (procurement, IT, facilities, HR, etc.), and gathering it takes deliberate effort.
Focusing not just on who, but on how, will ensure that the context and channels of your relationship are clear – two things that are necessary in understanding the risk inherent in the relationship.
Confidence is king, but assurance is queen
You should consider putting all your providers through a comprehensive due diligence and risk review activity.
This may include, at a minimum, ensuring that the parties you’re dealing with have established risk management activities that align with those of your business.
It also means ensuring they have valid security policies and sufficient business continuity practices to deal with events such as data breaches.
If this seems like a monumental task, then consider taking a risk-based approach by focusing your efforts on those relationships that present the greatest risk.
Consider conducting an audit to understand which third parties have access to sensitive customer data, intellectual property and trade secrets.
While a non-disclosure agreement is a great place to start to secure your data, the agreement becomes redundant if the data is compromised.
Once data is lost, your organisation will have no power or influence over how it’s used when it’s in the hands of malicious actors.
To ensure that this loss doesn’t occur in the first place, you must make sure that your third-party contractor’s security arrangements are aligned with those of your own organisation.
Be sure you have an idea of their security posture, at least at a high level.
Be prepared for the worst
In case a data breach does occur, it’s important to be prepared with the correct technical measures and operational processes in place to discover, monitor and communicate the breach.
The first course of action should be to get in contact with the third party’s cybersecurity team to understand the source of the breach and the actions you need to take to prevent further compromise of sensitive customer data.
Communication with their team will also help your organisation understand the scale of the data breach.
The second should be to get in contact with your own legal, risk management and corporate communications teams so that you can report the data breach and prepare a public statement outlining what has been compromised.
Also, under the Australian Notifiable Data Breaches (NDB) scheme, you may be required to notify affected individuals and the Australian Information Commissioner of the data breach.
To see how to report breaches under the NDB scheme, visit the Office of the Australian Information Commissioner website to ensure your organisation complies with the scheme.
Operationalise your third party program
Being vigilant is not a one-off activity or project, it’s an ongoing commitment.
If you’re going to go to all the effort of completing the three steps above – don’t let it fall by the wayside by failing to revisit it.
Consider how you automate processes, such as vendor assessments and contract reviews, as well as issue and action tracking. When you are implementing tools for automation, take steps to make sure they are integrated with your current and planned infrastructure, as well as examining the comprehensiveness of the data sources you are receiving from the third party. A final step is to understand what happens when the engagement with that organisation is complete.
Will they return the data, retain it, or will it be destroyed?
Leaving your data in a third party’s hands once your business relationship has ended is a sure-fire way to suffer a data breach in the future, when your tooling and audits of that third party no longer occur.
The main takeaway from the PageUp data breach and past breaches should be the realisation of the importance of managing, assessing and monitoring third-party risk.
No organisation is an island, and you are unlikely to remain competitive without at least some appetite for outsourcing.
The key is to ensure that you have the proper plans in place so that you can plan for the best but be prepared for the worst.