September 22, 2020 • The Recorded Future Team
Companies increasingly outsource business functions, so the number of third parties they rely on is growing fast. This ecosystem of interconnected businesses is becoming essential for efficiency, but it comes at the cost of increased risk.
According to Forrester, 21% of all breaches are caused by third parties such as external suppliers or vendors, and that share is growing. Your third parties, especially critical ones that hold or can reach your organization’s data, or whose outage would cause significant business interruption, are part of your attack surface and should be treated as one: threat actors can and will go through them to reach you.
Adding to the trouble, COVID-19 drastically altered the global third-party supply chain, requiring companies across all industries to reassess their third-party risk. Remote IT management vendors, for example, went from reasonably important to mission critical overnight.
All this, together with a growing list of regulations such as GDPR, the California Consumer Privacy Act (CCPA), and the NYDFS Cybersecurity Regulation, means that third-party risk is now a C-level and board-level topic. The pressure is on to make sure your business stays ahead of it.
Traditional Third-Party Risk Assessment Processes Can’t Keep Up
There are three traditional methods of assessing third-party risk. A mature third-party risk management program combines all three; an emerging program may use only one. Each has its benefits and its drawbacks. The three methods are:
- Questionnaires — By far the most common method, questionnaires are inexpensive, broad, and customizable to each third-party relationship. But they are self-reported: the answers reflect what the vendor believes, or is willing to say, about its own controls, so they are biased and prone to error. Even a perfectly completed questionnaire only describes a single point in time. Mergers, acquisitions, security policies, corporate infrastructure: all of it changes far faster than an annual questionnaire cycle, so responses are often stale on arrival.
- Penetration testing — Penetration tests are active attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible. They are expensive, so companies tend to reserve them for critical vendors only, if they use them at all. They are also point-in-time assessments. They give deep visibility into the vulnerability risk a third party faces, but little insight into other forms of cyber risk, such as data that has already leaked or attention the vendor is drawing on the dark web.
- Onsite audits — Often used for validation, onsite audits let you verify in person that questionnaire responses match what is actually happening. They are generally regarded as the strongest traditional method: they can be wide in scope, and results are hard to fake. But they are another point-in-time assessment, so the findings do not stay current for long, and they are the most expensive option, which makes them cost-prohibitive for all but the most critical vendors. The COVID-19 pandemic has also hit this approach hard: with many businesses limiting entry to their facilities, or moving all their employees to remote work, you can no longer rely on onsite audits to assess and validate security controls the way you once could.
Continually Monitor Third Parties With Security Intelligence
Security intelligence is the most effective, and the easiest, way to assess cyber risk and understand third-party exposure. By collecting billions of entities from hundreds of thousands of sources across the open web, the dark web, and technical sources, security intelligence makes it possible to link, categorize, and score third parties dynamically and in real time. It provides insight into cyber risk across categories including data leakage, incident reports, domain abuse, email security, vulnerable infrastructure, web application security, and dark web attention.
Third-party intelligence is the application of security intelligence to your supply chain: it gives you continuous visibility across all of your third parties by automatically alerting you to new cyber risk events as they are observed. It fills the visibility gap left by point-in-time assessment techniques, making for a stronger, more proactive risk management process. It also makes questionnaires far more useful, giving you clear indicators of which responses to review more closely and where you need not spend valuable time.
Use third-party intelligence for a risk-prioritized, at-a-glance view of a company’s cyber risk exposure, or dive into the evidence behind each score to make remediating issues with third parties a smoother process. Either way, it gives third-party risk teams the confidence and clarity they need to manage third-party cyber risk effectively.
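To make the scoring idea above concrete, here is an added example, not Recorded Future’s model or code: a small Python risk score that weights the categories named above, decays each finding with age so a stale result counts less than a fresh one (the point-in-time problem in miniature), ranks vendors, lists which questionnaire sections deserve a closer look, keeps the evidence behind each score, and decides whether a newly observed event warrants an alert. The category weights, the 30-day half-life, the tier thresholds, the vendor names and every evidence event are hypothetical, constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Hypothetical weights for the risk categories named in the text (assumption:
# an illustrative model, not Recorded Future's scoring).
CATEGORY_WEIGHTS = {
    "data_leakage": 3.0,
    "incident_reports": 3.0,
    "domain_abuse": 1.0,
    "email_security": 1.0,
    "vulnerable_infrastructure": 2.0,
    "web_application_security": 2.0,
    "dark_web_attention": 2.0,
}
HALF_LIFE_DAYS = 30.0  # assumption: a finding loses half its weight every 30 days
TIERS = [(60.0, "critical"), (40.0, "high"), (20.0, "medium"), (0.0, "low")]  # assumed cut-offs


@dataclass(frozen=True)
class Evidence:
    vendor: str
    category: str
    severity: float    # 0.0 .. 1.0 as judged by the collector or analyst
    observed: datetime
    source: str        # kept so every score can be traced back to its evidence


def decay(ev: Evidence, now: datetime) -> float:
    """Age weight of a finding: 1.0 today, 0.5 after one half-life, 0.25 after two."""
    age_days = max(0.0, (now - ev.observed).total_seconds() / 86400.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def category_scores(events: Iterable[Evidence], vendor: str, now: datetime) -> dict:
    """Per category, the strongest age-adjusted finding for this vendor (0.0 if none)."""
    scores = {c: 0.0 for c in CATEGORY_WEIGHTS}
    for ev in events:
        if ev.vendor == vendor and ev.category in scores:
            scores[ev.category] = max(scores[ev.category], ev.severity * decay(ev, now))
    return scores


def vendor_score(events: Iterable[Evidence], vendor: str, now: datetime) -> float:
    """Weighted category scores normalised to 0..100, one decimal."""
    cats = category_scores(events, vendor, now)
    weighted = sum(CATEGORY_WEIGHTS[c] * s for c, s in cats.items())
    return round(100.0 * weighted / sum(CATEGORY_WEIGHTS.values()), 1)


def tier(score: float) -> str:
    return next(name for floor, name in TIERS if score >= floor)


def rank_vendors(events: List[Evidence], now: datetime) -> List[Tuple[str, float, str]]:
    """Risk-prioritised view: vendors sorted by score, highest first."""
    ranked = [(v, vendor_score(events, v, now)) for v in sorted({e.vendor for e in events})]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return [(v, s, tier(s)) for v, s in ranked]


def review_focus(events, vendor, now, threshold: float = 0.5) -> List[str]:
    """Categories with live evidence at or above threshold: where to re-check questionnaire answers."""
    return [c for c, s in category_scores(events, vendor, now).items() if s >= threshold]


def evidence_trail(events, vendor, category, now) -> List[Tuple[str, float]]:
    """The findings behind one category score, strongest contribution first."""
    trail = [(e.source, round(e.severity * decay(e, now), 3))
             for e in events if e.vendor == vendor and e.category == category]
    return sorted(trail, key=lambda item: item[1], reverse=True)


def should_alert(events: List[Evidence], new_event: Evidence, now: datetime) -> bool:
    """Alert when a new event opens a category with no prior evidence or moves the vendor's tier."""
    if new_event.category not in CATEGORY_WEIGHTS:
        raise ValueError(f"unknown category: {new_event.category}")
    before = category_scores(events, new_event.vendor, now)
    if before[new_event.category] == 0.0 and new_event.severity > 0.0:
        return True
    old_tier = tier(vendor_score(events, new_event.vendor, now))
    new_tier = tier(vendor_score(events + [new_event], new_event.vendor, now))
    return old_tier != new_tier


NOW = datetime(2020, 9, 22, tzinfo=timezone.utc)  # the post's date, used as "today"

# Constructed evidence for two hypothetical vendors; none of it is a real finding.
SAMPLE_EVENTS = [
    Evidence("acme-logistics", "data_leakage", 0.8, NOW,
             "constructed: staff credentials in a paste-site dump"),
    Evidence("acme-logistics", "email_security", 0.6, NOW - timedelta(days=60),
             "constructed: no DMARC record on the vendor's mail domain"),
    Evidence("acme-logistics", "vulnerable_infrastructure", 1.0, NOW - timedelta(days=30),
             "constructed: internet-facing host running an end-of-life OS"),
    Evidence("remote-it-vendor", "dark_web_attention", 0.5, NOW,
             "constructed: vendor named in a forum thread offering access"),
    Evidence("remote-it-vendor", "web_application_security", 0.4, NOW,
             "constructed: customer portal missing security headers"),
]

if __name__ == "__main__":
    for vendor, score, level in rank_vendors(SAMPLE_EVENTS, NOW):
        print(f"{vendor:18} {score:5.1f} {level:8} review: {review_focus(SAMPLE_EVENTS, vendor, NOW)}")
```

The half-life is what separates this from a questionnaire: the 60-day-old DMARC finding for the first vendor still counts, but at a quarter of its original weight, and it drops out of the review list while the fresh credential leak and the month-old exposed host stay in it. `should_alert` deliberately fires on the first evidence in a category even when the overall tier does not move, because a new kind of exposure is exactly the event a point-in-time assessment would have missed.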
See Recorded Future’s Third-Party Intelligence Module in action right now — watch the short, on-demand webinar, “Defend Your Organization With Third-Party Intelligence.”