How to choose, manage, and mitigate third party risk - RSA

19 Jun 2018

Article by RSA APJ governance, risk and compliance director Sam O’Brien

The continuous stream of data breaches, like the one recently announced for PageUp, is a reminder of just how important it is to consider the cybersecurity risks posed by your third-party relationships, as well as the responsibility those third parties carry in providing services either for you or on your behalf.

While the impact to PageUp was immediate, with several major Australian brands having to suspend their careers websites, the full impact on its customers is still unclear. 

Unfortunately, this wasn’t the first time a major data breach occurred as a result of the compromise of a third-party service used for outsourced business processes or technology services.

If you look at many of the major data breaches over the last five years, both in Australia and internationally, there is often a third-party factor involved.

According to a recent Deloitte survey, three in four respondents faced at least one third party-related incident in the three years leading up to the report.

Worryingly, only 20% of respondents reported they had integrated or optimised their extended enterprise risk management systems, and just 11% said they were ‘fully prepared’ to deal with the increased uncertainty in the external environment.

Part of this is down to the rise of cloud computing, which has shifted major infrastructure outside the organisation and into the hands of third parties, but there is also a general push for many organisations to focus on what they are good at and to outsource the rest.

Relying on third parties creates unique security risks, as the handling and storage of an organisation’s ‘crown jewels’, including everything from intellectual property to trade secrets, and even internal contact lists and staff credentials, move outside corporate borders and are handled by workers who aren’t your own. Here are some of the steps that can be taken to mitigate third-party risk.

You can only protect what you’re aware of

This means ensuring you have a clear view of who the third parties are that you do business with and, more specifically, how you do business with them.

While it would be wonderful for all this information to magically appear, it is often dependent on certain business departments deciding these factors (procurement, IT, facilities, HR, etc.).

Focusing not just on who, but on how, will ensure that the context and channels of your relationship are clear – two things that are necessary in understanding the risk inherent in the relationship.

Confidence is king, but assurance is queen

You should consider putting all your providers through a comprehensive due diligence and risk review activity.

This may include, at an interim level, ensuring that the parties you’re dealing with have established risk management activities that align with those of your business.

It also means ensuring they have valid security policies, or sufficient business continuity practices to deal with events such as data breaches.

If this seems like a monumental task, then consider taking a risk-based approach by focusing your efforts on those relationships that present the greatest risk.

Consider conducting an audit to understand which third parties have access to sensitive customer data, intellectual property and trade secrets.

While a non-disclosure agreement is a great place to start to secure your data, the agreement becomes redundant if the data is compromised.

Once data is lost, your organisation will have no power or influence over how it’s used when it’s in the hands of malicious actors.

To ensure that this loss doesn’t occur in the first place, you must make sure that your third-party contractor’s security arrangements are aligned with those of your own organisation.

Be sure you have an idea of their security posture, at least at a high level.

Be prepared for the worst

In case a data breach does occur, it’s important to be prepared with the correct technical measures and operational processes in place to discover, monitor and communicate the breach.

The first course of action should be to get in contact with the third party’s cybersecurity team to understand the source of the breach and the actions you need to take to prevent further compromise of sensitive customer data.

Communication with their team will also help your organisation understand the scale of the data breach. 

The second should be to get in contact with your own legal, risk management and corporate communications teams to report the data breach and prepare a public statement outlining what has been compromised. Also, under the new Australian Notifiable Data Breaches (NDB) scheme, you may be required to notify affected individuals and the Australian Information Commissioner of the data breach.

To see how to report breaches under the NDB scheme, visit the Office of the Australian Information Commissioner website to ensure your organisation complies with the scheme.

Operationalise your third party program

Being vigilant is not a one-off activity or project; it’s an ongoing commitment.

If you’re going to go to all the effort of completing steps 1, 2 and 3 above, don’t let that work fall by the wayside by never revisiting it.

Consider how you automate processes such as vendor assessments and contract reviews, as well as issue and action tracking. When you are implementing tools for automation, take steps to make sure they are integrated with your current and planned infrastructure, and examine how comprehensive the data sources you are receiving from the third party are. A final step is to understand what happens when the engagement with that organisation is complete.

Will they return the data, retain it, or will it be destroyed?

Leaving your data in a third party’s hands once your business relationship has ended is a sure-fire way to suffer a data breach in the future, when your tools and audits of the third party no longer apply.

The main takeaway from the PageUp data breach and past breaches should be the realisation of the importance of managing, assessing and monitoring third-party risk.

No organisation is an island, and you are unlikely to remain competitive without at least some appetite for outsourcing.

The key is to ensure that you have the proper plans in place so that you can plan for the best but be prepared for the worst.
