It’s safe to say that 2020 has been the year of the unforeseen, especially when it comes to the cyber risks brought on by the COVID-19 pandemic. Uncertainty in the corporate cybersecurity landscape has heightened as many businesses, including our clients, were thrust into a virtual workforce overnight.
While businesses may not have been prepared to let their teams work remotely, they have been forced to contend with the security risks this entails. We have heard plenty about remote workers grappling with cyberattacks outside the corporate perimeter, and about supply chains being targeted by skilled attackers.
With over 80% of legal and compliance leaders identifying third-party risks after a renewed focus on due diligence, this may not come as a surprise. It does suggest, however, that traditional risk management policies are failing to identify new and evolving risks, exposing businesses to hard-hitting cyber risk management challenges.
In this post, we do a quick dive into some of the specific challenges businesses are facing while managing these cyber risks and a few solutions that may prove useful.
71% of businesses report growth in their third-party network, which means more vendors, and more complex vendor networks, for businesses to deal with.
More often than not, these vendors have their own agents, partners, and subcontractors, exposing vendor networks to additional vulnerabilities.
This, in turn, may expose your teams and resources to fourth-party and fifth-party cyber risks. Even so, it is all too common for vendors to disclaim responsibility for the cyber risks and compliance violations introduced by these service providers or external agents.
What can you do? In this context, you may benefit from vetting your vendors more stringently, including asking each vendor which subcontractors handle your data and where it is processed. While this is an inelegant solution, it supports more effective vendor risk identification and mitigation.
As vendor networks grow more complex, so do the vendor relationships themselves. Monitoring these relationships then becomes challenging because the monitoring systems businesses use are undefined, fragmented, decentralised, time-intensive, and unscalable.
According to a Refinitiv-commissioned survey, 43% of third-party vendors responded that they did not receive due diligence checks. Unstructured processes and undefined metrics like these result in businesses failing to undertake consistent vendor monitoring, increasing their exposure to third-party cyber threats.
What can you do? Target high-risk vendors first and use tactics like external network penetration testing to identify and address vulnerabilities that may give cybercriminals access to your data. Bear in mind that testing a vendor’s externally facing systems requires the vendor’s written authorisation, so build a right-to-test clause into the contract rather than relying on goodwill.
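The advice to target high-risk vendors first, together with the fourth- and fifth-party exposure described earlier, comes down to ranking a supplier graph rather than a flat vendor list. The following is an added example and not code from the original post: the vendor inventory, the scoring weights, the per-hop discount and the tier thresholds are all constructed assumptions. What it shows is that a vendor that looks low-risk on its own (marketing-agency) is pulled up a tier by a subcontractor that handles personal data, and that a subcontractor nobody has assessed is surfaced as a gap rather than silently scored as zero risk.

```python
"""Vendor tiering over an nth-party supply graph.

Added example, not code from the original post. The vendor inventory, the
scoring weights and the tier thresholds are all constructed assumptions.
"""
from collections import deque

# Constructed inventory. For each vendor: what of your data it handles,
# whether it is business-critical, and which subcontractors it relies on
# (those are your fourth parties; their subcontractors are fifth parties).
VENDORS = {
    "payroll-saas":     {"data": "pii",      "critical": True,  "subs": ["cloud-host", "email-relay"]},
    "cloud-host":       {"data": "pii",      "critical": True,  "subs": ["dc-operator"]},
    "email-relay":      {"data": "internal", "critical": False, "subs": []},
    "dc-operator":      {"data": "none",     "critical": True,  "subs": []},
    "office-cleaning":  {"data": "none",     "critical": False, "subs": []},
    "marketing-agency": {"data": "none",     "critical": False, "subs": ["analytics-widget"]},
    # "unknown-cdn" is named by a vendor but has never been assessed by us.
    "analytics-widget": {"data": "pii",      "critical": False, "subs": ["unknown-cdn"]},
}

DATA_SCORE = {"none": 0, "internal": 2, "pii": 4}   # assumed weights
CRITICAL_BONUS = 3
UNASSESSED_SCORE = DATA_SCORE["pii"]   # assume the worst until a party is vetted
HOP_DISCOUNT = 0.5                     # each contractual hop halves inherited score


def direct_score(name):
    """Risk a party poses through its own data access and criticality."""
    v = VENDORS.get(name)
    if v is None:
        return UNASSESSED_SCORE
    return DATA_SCORE[v["data"]] + (CRITICAL_BONUS if v["critical"] else 0)


def downstream(name):
    """Every party reachable below `name` as (party, depth); depth 1 is a
    fourth party, depth 2 a fifth party. Cycle-safe, since vendors share subs."""
    seen = {name}
    found = []
    queue = deque((sub, 1) for sub in VENDORS[name]["subs"])
    while queue:
        sub, depth = queue.popleft()
        if sub in seen:
            continue
        seen.add(sub)
        found.append((sub, depth))
        for nxt in VENDORS.get(sub, {}).get("subs", []):
            queue.append((nxt, depth + 1))
    return found


def unassessed(name):
    """Parties below `name` that are missing from the inventory entirely."""
    return sorted(sub for sub, _ in downstream(name) if sub not in VENDORS)


def effective_score(name):
    """Direct score, raised by the riskiest party beneath it, discounted per hop."""
    score = direct_score(name)
    for sub, depth in downstream(name):
        score = max(score, direct_score(sub) * HOP_DISCOUNT ** depth)
    return score


def tier(score):
    """Assumed thresholds: 5+ high, 2+ medium, otherwise low."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def prioritise():
    """Review queue: every vendor ranked highest effective risk first."""
    rows = [(name, tier(effective_score(name)), effective_score(name)) for name in VENDORS]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for name, t, score in prioritise():
        gaps = unassessed(name)
        print(f"{name:18} {t:6} {score:4.1f}  unassessed below: {gaps or '-'}")
```

The halving per hop is a deliberate simplification: a fifth party with your personal data still matters, but you normally have less contractual leverage over it, so the model lets it raise a tier without letting it dominate. Replace the inventory with an export from your vendor register and the thresholds with whatever your policy already defines.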
Failing to track vendor risks in line with your internal policies, certifications, and cybersecurity compliance processes can result in various operational issues. In our experience, companies commonly run into this challenge because they fail to monitor third-party compliance.
When company policies are not communicated to vendors effectively, you may experience gaps in awareness and expectations, which can impact a vendor’s ability to guarantee compliance. This hinders your efforts when it comes to third-party cyber risk management.
What can you do? Establish a disciplined vendor governance framework to improve transparency and accountability, addressing the gaps in awareness and expectations. Follow this up with policy awareness and training among your vendors.
It’s a common practice for companies to digitise their business processes. They forget, however, that with a remote workforce those business-critical systems are now being accessed over the same home Wi-Fi networks their employees’ children use to download pirated films from websites riddled with malware!
Cumbersome manual tools are nowhere near enough for third-party cyber risk management. More importantly, such tools offer no real-time threat intelligence and provide only a static, point-in-time view of vendor risks and vulnerabilities.
What can you do? Establish a holistic and standardised third-party cyber risk management framework that covers cloud technologies, uses security ratings for continuous monitoring, and accounts for vendors and staff who work remotely.
To manage third-party cyber risks, businesses must be aware of current challenges and leverage the right security strategies, best practices, and solutions that address vendor relationships and their vulnerabilities.
We are in an era where automation and cloud technologies are part of “business as usual”. Along the way, businesses must not forget to update their vendor cyber risk management strategies to address the challenges of the new normal.