Best-practice strategies to tackle third-party ICT risk
The MOVEit breach was the big ransomware story of last year. According to reporting, more than 60 million people were affected.
Numbers alone don’t explain its significance, though. By targeting an enterprise file transfer tool in the first place, the perpetrators highlighted a significant risk to an organization’s operational and cyber resilience: third-party vendors.
Indeed, so many people were affected by the breach precisely because of the number of organizations using the tool. More than 2500 organizations are said to have been impacted, running the gamut from private businesses and government agencies to HR and payroll providers.
How prevalent are attacks on third-party vendors?
What’s worse, the incident wasn’t a one-off. These types of attacks on third parties are becoming far more common.
According to last year’s Apple-sponsored study, 'The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase', 98% of organizations reported having a relationship with a vendor that experienced a breach within the last two years.
With organizations striving to bolster their own operational and cyber resilience, it's likely that cybercriminals will increasingly turn their attention to vulnerabilities in vendor systems to gain access to the data stored by organizations reliant on the vendor.
Strategies to mitigate third-party ICT risk
What can organizations do? Well, acknowledging that there’s a problem with third-party risk is the first step. Here are some other strategies companies can take to mitigate third-party ICT risk:
- Isolate ICT risk. This is the risk of losses or potential losses related to the use of network information systems or communication technology. ICT risk, however, forms a disproportionate share of third-party risk. As a result, third-party risk management (TPRM) programs should take special consideration of ICT risk within broader third-party risk policy.
- Vendor due diligence. What could that consideration look like? One common-sense policy to pursue is to work only with third-party service providers that comply with appropriate information security standards, such as ISO 27001.
This type of vendor due diligence is most important when forming contractual arrangements concerning your critical or important functions. In this circumstance, organizations should verify that vendors adhere to the most up-to-date and highest-quality information security standards.
- Prioritise. Like risk more broadly, third-party ICT risk isn’t created equal. Maximum risk controls won’t be needed for every identified risk.
Indeed, organizations will have to do the hard work of prioritising how much third-party ICT risk they are willing to tolerate. Controls, then, should be implemented based on the nature, scale, complexity, and importance of the ICT-related dependency, taking into account the criticality or importance of the respective service, process, or function.
- Review. Bad actors will adapt to third-party ICT risk measures, so organizations will have to make a habit of regularly reviewing their risk strategies.
These reviews should be undertaken at the highest levels of the organization. The managing body, whether a board or a senior leadership team, should regularly review third-party ICT risk. That review should cover the services supporting critical or important functions and be based on an assessment of the company's overall risk profile, as well as the scale and complexity of its business services.
Digital technology to mitigate third-party risk
These interventions are by no means exhaustive. They are, however, of a piece with the third-party risk management lifecycle.
The purpose of this lifecycle is to help organizations manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.
Fortunately, firms don’t need to approach the third-party risk management lifecycle with the same manual processes and methodologies as they might have once used for the risk management lifecycle.
This is because advances in digital technology have led to third-party risk management platforms being purpose-built to streamline activities throughout the third-party lifecycle.
Solutions such as automated workflows that invite vendors and gather due diligence information through questionnaires and documents can simplify the onboarding process for third parties. Once a vendor is onboarded, service details, contracts, and risk assessments are set up in collaboration with the vendor to ensure alignment between parties.
Further capabilities include:
- Integrating third parties into your resilience initiatives
- Automating ongoing monitoring and follow-up activities
- Identifying and sharing insights to improve resilience
What other digital capabilities and best-practice measures are needed to mitigate third-party ICT risk? Read Noggin’s Guide to the Strategies and Digital Tools Needed to Manage Third-Party Risk to find out.