To better manage cybersecurity risk, extend zero-trust principles to third parties

Today’s cybersecurity landscape requires an agile and data-driven risk management strategy to deal with the ever-expanding third-party attack surface. …

Today’s cybersecurity landscape requires an agile and data-driven risk management strategy to deal with the ever-expanding third-party attack surface.

When a business outsources services by sharing data and network access, it inherits the cyber risk from its vendors across their people, processes, technolog, and that vendor’s third parties. The typical enterprise works with an average of nearly 5,900 third parties, which means companies face a huge amount of risk, regardless of how well they cover their own bases.

For instance, 81 individual third-party incidents led to more than 200 publicly disclosed breaches and thousands of ripple-effect breaches throughout 2021, according to a report by Black Kite.

The current outside-in approach to managing third-party risk is inadequate. Instead, the industry needs to move toward a new third-party risk management approach by initiating conversations beyond outside-in assessments. Specifically, businesses should establish zero-trust principles for all vendors, assess risk across external and internal assets with inside-out assessments and measure cyber risk in real time.

The zero-trust principle of “Never trust, always verify” has been adopted widely to manage internal environments, and organizations should extend this notion to third-party risk management.

To combat this, enterprises need to consider vendors as subsets of their business.

The looming threat

The amount of data and business-critical information one enterprise shares with its vendors is staggering. For instance, a company might share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers to share with insurers and allow marketing agencies access to customer data and personally identifiable information (PII).

This is just the tip of the iceberg, and most businesses often don’t know how big the iceberg really is. In a survey conducted by Ponemon Institute, 51% of the companies surveyed said they do not assess the cyber risk posture of third parties before allowing them access to confidential information. What’s more, 63% of the companies surveyed said they do not have visibility into what data and system configurations vendors can access, why they have access to it, who has permissions and how the data is stored and shared.

This massive network of businesses sharing information in real-time results in a vast attack surface that is becoming increasingly difficult to manage. To overcome this challenge, businesses use cybersecurity initiatives such as questionnaire-based onboarding surveys and security rating services in their third-party risk management strategies.

While these tools have definite use cases, they also have severe limitations.

Cybersecurity rating services are a quick and economical approach to third-party risk assessments. Their simplicity — representing a vendor’s cyber risk as a score, like credit ratings in financial services — make them a popular choice, despite the limitations.