September 5, 2019 • The Recorded Future Team
Like every modern organization, you rely heavily on third parties each and every day. From software providers to marketing agencies to lawyers to temporary employees to maintenance crews, third-party partners are absolutely critical to keeping a business up and running.
Yet while these relationships add business value and help boost operational efficiency, they introduce a host of new risk and compliance challenges. The growing number of high-profile breaches underscores third-party risk and reminds us that organizations are only as strong as their weakest link.
Many organizations are incorporating governance, risk, and compliance (GRC) technology into their security processes to help manage this risk, but those solutions bring their own challenges when they rely on data that isn’t timely or lacks context.
Here, we’ll look more closely at the problem of third-party risk, and see how incorporating threat intelligence with GRC technology can help solve three of the most common challenges faced today in third-party risk management.
The Third-Party Risk Management Problem
Here is a look at the third-party risk problem by the numbers:
- The cost of a data breach today is $4 million — and this number continues to climb.
- Breaches originating from a third party, such as a partner or supplier, cost companies $370,000 more than average.
- 87% of organizations have experienced a disruptive incident with third parties in the last two to three years.
- Meanwhile, only 34% of companies keep a comprehensive inventory of their third parties.
- 39% of IT organizations state that data collection and analysis is insufficient for third-party security audit processes.
- And 44% of IT organizations state that the resources available to support third-party security audit processes are insufficient.
- Consequently, 22% of organizations admitted they didn’t know if they’d had a third-party data breach in the past 12 months.
- Nearly half (47%) of organizations only audit third-party risk on an ad hoc or as-needed basis.
- And yet, 26% of IT professionals believe that third- and fourth-party (that is, a business partner’s business partner) risk reports are one of the most important cyber risk metrics for business executives and corporate directors.
- When you consider that the average enterprise shares confidential and sensitive information with 583 third parties, you can begin to understand the magnitude of the third-party problem.
Common GRC Challenges
GRC technology is often used to help organizations manage third-party risk. Yet as vendor ecosystems continue to grow in size and complexity, it’s becoming harder to get — and maintain — complete, high-quality data on each vendor to feed into their existing GRC systems. This results in three common challenges for risk management teams:
Challenge #1 — Visibility
To effectively analyze and calculate risk, GRC solutions require comprehensive information on active and emerging threats to each third-party organization. Internal data may be dated or incomplete. And manual third-party questionnaires completed by third parties themselves are cumbersome, prone to error, and inherently biased. Not to mention if a vendor doesn’t know they have a security issue, they certainly won’t report it!
Solution: Threat intelligence from Recorded Future arms risk teams with vital, up-to-date information by using an automated approach to risk data collection. We gather intelligence on risks to infrastructure, as well as references to threat and attacker activity (such as company mentions on the dark web, domain abuse, IT policy violations, and so on) for a more complete view of cyber risk associated with all of your third parties.
Challenge #2 — Prioritization
You’re struggling to keep pace with ever-mounting cyber threats, regulatory compliance mandates, and lengthy and complicated vendor questionnaires piling up on your desk. Even with loads of available data, it’s extremely difficult to know how to prioritize risk and focus remediation and response efforts without the proper context.
Solution: Actionable threat intelligence integrated into your existing GRC system gives you the information you need to continuously monitor your vendors and quickly prioritize, contain, and mitigate threats. Additionally, with real-time risk scoring, you can make fast and informed decisions. For example, for pre-M&A and third-party due diligence programs, transparent access to the evidence behind scores can help you decide quickly and confidently to move forward with a third-party relationship.
Challenge #3 — Timeliness
If a third-party partner of yours was breached, you’d want to know about it as soon as possible, right? To effectively protect their organizations, risk managers require up-to-date information about their third parties’ security posture. But manual vendor assessments only provide a point-in-time view of risk and lack the timely, relevant information needed to support effective risk management efforts. This means that if a third party is breached, an organization may not be notified of the incident until the next annual reassessment.
Solution: By integrating Recorded Future’s threat intelligence into your third-party workflows, you can continuously monitor each third-party vendor and receive risk-prioritized alerts in real time. That means you’ll know about new threats and their severity immediately so you can address them quickly.
Want to learn more about how threat intelligence can help you identify 22% more third-party threats before impact? Check out our new solution brief, “Supercharging GRC Solutions With Threat Intelligence.”