Risky business: Third-party endeavors

The English poet John Donne famously opined that “no man is an island entire of itself.” We could just as easily say the same for today’s businesses operating in the globalized, information-rich economy.

For every company offering a service or product to customers, there are potentially hundreds of other companies behind the curtain helping to facilitate that transaction’s journey: manufacturers and engineering firms, distributors and resellers, licensed service providers and software vendors, as well as subcontractors, brokers, and more. 

Entering a relationship with a third party can help companies conduct business much more efficiently, but it also puts the organizations involved at higher risk of a security breach. Recent years have seen a troubling correlation emerge: the more third parties a company depends on to carry out business, the higher the frequency of security breaches and data leaks that occur.

Now, we’re not suggesting that companies scale down their third-party relationships to eliminate the risk. Rather, the goal is for companies to understand the risks associated with managing third parties so they are better prepared to address them in the first place. 

Managing risks: What the data confirms

In late 2022, CyberRisk Alliance Business Intelligence surveyed a mix of IT security leaders, administrators and compliance professionals to understand concerns and strategies for addressing risks related to third-party management. According to the data, several factors are responsible for exacerbating third-party risk in recent years.

#1: More third parties create greater complexity

It’s the nature of doing business: one company (let’s call it “A”) discovers that another company (“B”) can provide a service or value at less expense than it would cost A to do it itself. Thus, a business relationship is formed.

These sorts of relationships become more common as businesses scale and diversify their services to reach more customers. According to CRA survey data, the average estimated number of third-party partners among all respondents is 88. In large enterprises of 10,000 or more employees, however, we see that number rise to 173. 

When asked about the causes of this increase in third parties, respondents pointed to several factors: the Covid pandemic and resulting spike in remote work lifestyles, the expansion of SaaS and cloud services, as well as increased pressure from customers, insurance providers, auditors and regulators. 

Alongside an increase in third parties, organizations report greater complexity in the supply chain that allows them to bring their product or service to the market. Overall, nearly 8 out of 10 respondents ascribed some degree of complexity to their supply chain, with those at the largest organizations much more likely to describe their supply chains as very or extremely complex. 

In other words, a company can easily find itself the victim of ‘too many cooks in the kitchen’ syndrome. But is the problem actually a surplus of ‘cooks’, or a failure to execute effective risk management?   

#2: Limited resources and staff

It’s a tale as old as time. Organizations aspire to meet a recognized need, but lack the funding, personnel or tools (or all of the above) to make progress on that front. Even though awareness of third-party risk is growing — thanks in large part to the devastating SolarWinds supply chain attack in 2019 and 2020 — there is general consensus among CRA survey respondents that organizations lack essential resources for managing their business relationships. 

Roughly half of all respondents said they lacked qualified staff to implement a third-party management program in the first place. Others pointed to an insufficient budget as the primary offender, while still others lamented the absence of an automated technology solution for more effectively managing third-party risks.

#3: Poor visibility

As supply chains grow more complex, it becomes increasingly important for businesses to track all tiers of the supply chain. However, the survey data shows that organizations are largely in the dark when it comes to potential vulnerabilities in the third parties they interface with. More than a third of security professionals (36%) say their organizations only have visibility into tier-one suppliers — in other words, those that directly provide the final product. Just 22% said they have visibility into tier-two suppliers, and a meager 11% said they have visibility across all tiers, regardless of their supply chain complexity. Meanwhile, 12% said they have no visibility whatsoever into third-party security operations.

As one respondent put it, “[our] third-party ecosystem has become complex, and the open-source software system has been attacked and is an easy target. Without having clear visibility into the remediation process, it poses a big risk.”

That limited visibility is taking its toll on organizations. More than half of those that CRA surveyed said their business had suffered an IT security incident – either an attack or a breach – related to a third-party partner in the past 24 months. Among organizations that were affected, 52% said the source of their attack was via a vulnerability exploited in a software vendor. 

#4: Culture clash

Even as most organizations agree on the need for better third-party risk management, it can be difficult to get all parties on the same page with respect to executing these reforms in practice. Organizations face a variety of obstacles in auditing and managing third parties and coming up with policies to address the risks. Dedicating the funding, time, and qualified staff to this task is daunting, and impossible for many organizations as it often competes with other priorities. 

Respondents pointed out that “simply getting the other party to get on board and implement good security can be a formidable challenge.” And when a third-party breach did occur, potentially exposing their organizations’ sensitive data to attackers, respondents remarked they didn’t always receive timely notifications from their vendor or partner, limiting their ability to be proactive in notifying customers and other stakeholders. 

Conclusion

Companies must have a plan to anticipate and address third-party vulnerabilities or risk suffering a range of consequences. In our next article, we’ll look at some steps organizations can take to reduce third-party risk and introduce greater accountability in the supply chain.