Third Party Cybersecurity Risk Management

Cybersecurity must look outside the company perimeter.
TPRM, or Third-Party Risk Management, is the process an organization implements to manage the risks arising from commercial and technical relationships with third parties that are integrated into its environment and into its IT and/or OT infrastructure.
TPRM as a process includes:
- Cybersecurity Risk
- Operational Risk
- Financial Risk
- Strategic Risk
- Compliance Risk
- Geopolitical Risk
Traditionally, TPRM is the responsibility of the Risk & Compliance Team which, among its other duties in the management of third parties, collects information from third parties, assesses their ability to manage compliance, prioritises risks, and supervises legal aspects such as SLAs in order to mitigate legal risks for the organization.
However, when it comes to the cybersecurity vertical, responsibility for TPCRM (Third-Party Cyber Risk Management) in many cases falls under the IT function, which has the specific technological expertise.
Little attention given to the management of cyber risks from third parties
In a recent study, Gartner reported an interesting finding (a summary of reports based on interview data):
“75% of Cybersecurity Leaders report spending more time on third-party cyber security management (TPCRM) activities than in 2021, but third-party cyber security incidents that have led to business disruptions have increased by almost half (45%)”
The focus on third-party cyber risk management has therefore increased but, despite record investments in security, it remains marginal, while the frequency of third-party security incidents has risen sharply.
This discrepancy highlights a problem present in many TPCRM programs: the absence of a real focus on thorough due diligence, and the failure to prepare an additional layer of defense dedicated to this activity.
The susceptibility to attack varies by sector
Furthermore, cyber risk profiles differ from one organization to another, because susceptibility to attack varies by industry, size, strategy and other business characteristics. When it comes to understanding the extent of third-party risk, communication must be considered and managed at several levels, because each corporate role assigns a different value to a TPCRM plan.
For CEOs, the value of a TPCRM plan centers on protecting the company's reputation and profits; for CISOs, its intrinsic value lies in extending the security perimeter of the infrastructure; for the Legal team, TPCRM is essential support in complying with regulations such as the GDPR that impose strict data protection requirements.
It is clear that the topic does not have a single reading.
Here are some best practices for an optimized TPCRM management:
- Census: Map which third-party suppliers have access to company resources, always paying attention to who has access to what, for what reason, and what they are able to do with it. Some examples of data to be considered are:
  - Which supplier has access, when, how and why.
  - Is access restricted and controlled, without allowing visibility beyond what is needed?
  - Does the access give the third party reach into critical resources (e.g., data, networks, systems, business processes)?
  - Can the third party outsource its services?
- Collaboration between the stakeholders: IT, the Security Manager, Legal and Management must collaborate in preparing joint security plans.
Too often company management, despite the recommendations of the Security Risk Manager, "accepts" risks that should instead fall outside the tolerance zone.
This is unfortunately due to divergent communication between departments which, at times, fails to give risks their correct relevance from a business perspective, reducing them to a factor narrowly tied to cyber risk understood simply as "attack".
Management accountability for decisions must be promoted, not only by communicating risk so that it reaches the recipient as a key business item, but also by implementing a risk acceptance mechanism run by a steering committee, together with continuous monitoring of contractual changes by third parties that could alter the agreements without the knowledge of the technical function.
- Proactively collaborate with third parties: interactions with third parties too often consist only of sporadic or reactive risk assessments.
The SRM team should instead adopt a proactive approach, collaborating continuously with third parties to develop risk management practices that are more mature and more consistent with the company's own. This not only improves mutual understanding of threats but also increases trust between the parties.
- Monitoring and additional protection: monitoring third parties alone is not sufficient to mitigate the actual risks. In addition to sharing joint security best practices contractually, it is necessary to add a layer of protection and monitoring inside the company, aimed specifically at identifying and mitigating the access points that could be used to compromise corporate security.
This is crucial. It must always be remembered that, even when best practices are applied upstream, tasks are carried out by people: a technician who arrives at the company with a USB stick to update a system, for example, is and always remains a danger.
- Prepare emergency plans: in the face of an attack, third-party organizations sometimes do not feel involved, which drastically slows down the resolution of the problem.
Developing and implementing formal contingency plans that involve all relevant business functions, not just IT security, is certainly a good starting point. Creating incident response playbooks jointly with third parties can be a winning element for a coordinated incident response.
Conclusions
To effectively address the growing cybersecurity risks posed by third parties, RMS must adopt a holistic approach that goes beyond pre-contractual due diligence.
This means promoting management accountability, collaborating proactively with third parties, closely monitoring their activities, and preparing efficient, effective and shared contingency plans. These actions not only strengthen cybersecurity, but also improve overall business resilience.