High-Level Strategies for Third-Party Risk Mitigation

Infosec Blog

Written by

Phil Won

Product Manager, Owl Cyber Defense

High-Level Strategies for Third-Party Risk Mitigation

There are so many technologies and strategies and buzz words around cybersecurity these days that it can be difficult to know where to start. It’s hard enough thinking about the myriad threats that can find their way into your organization without even broaching the subject of third-parties and trusted connections. However, there are a few fundamental, high-level strategies to consider applying in your third-party risk mitigation plan. They can be used individually or in tandem to create a strong cybersecurity framework for your organization.

  • Defense in Depth

The primary principle of defense in depth is to build layers of security into your organization’s digital architecture, so that if one layer fails, there will be others to back it up and maintain security. It is essentially a “fail-safe” strategy that assumes threats will most likely eventually find a way through one or two layers of defense (a safe assumption in most cases). There are no limits to the types of security involved, just those that best fit your organization. Role-based access controls, authentication, data encryption/tokenization, firewalls, data diodes, SIEM, and other technologies can all be used together to create a sophisticated, hardened defense.

  • Risk-Based Security

Assuming that threats will eventually breach your network’s defenses (you may be sensing a theme), a risk-based strategy applies more security resources to your most sensitive assets while less resources are applied to the lower risk assets. Risk-based strategies also typically assume that there is not a way to eliminate risk – there will be a need for multiple sophisticated connections to external networks, for a large number of users to access or collaborate on (sometimes sensitive) data, legacy or outdated equipment in use, or other complex issues that complicate traditional security methods. Over time, larger and higher performing companies have evolved the idea of a risk-based strategy into a more comprehensive method of protecting their organizations known as “zero trust.”

  • Zero Trust

A zero-trust strategy assumes that a threat can come from anywhere inside or outside your organization, and therefore a continual assessment of every request or attempt to connect or access networks, devices, or information is required. This can be highly resource intensive, and typically requires sophisticated authentication schemes as well as some sort of SIEM automation in the form of cloud data collection, systems monitoring, etc. User and systems data are monitored continually to develop a baseline of what is considered “normal” activity, which then allows for alerts if any abnormal activity occurs. Reducing the number of your external connections, applying the least privilege principle, and having dedicated resources to monitor and calibrate the results are all key to making this strategy effective, and while it is theoretically a great strategy for complex, highly-connected organizations, in practice it is very difficult to fully achieve today.

Effective Steps to Reduce Third-Party Risk

To start rolling out your third-party risk mitigation strategy, let’s begin by taking a step back to the definition of what risk actually is – which assets are most valuable in your organization, and what is the potential fallout if they are compromised? Taking stock of your internal assets may be a simpler exercise than attempting to account for each and every third-party connection out of the gate and is a helpful place to start by assessing the inherent risk within your organization. Once you understand the value of your various information and systems, you can take the first steps to reducing the exposure of the most vital assets to both third-parties and other cyber threats.

Make Third-Party Risk Management a Priority

The next step would be to make third-party risk and relationship management a priority within your organization. Your entire risk mitigation strategy doesn’t need to happen overnight, but it does need to start somewhere. Simply by regularly involving senior leadership or boards of directors on incremental steps taken to protect sensitive information and systems from third-party breaches can help to reduce risk. In the Ponemon study, 53% of organizations that had not experienced a third-party breach regularly reported on third-party risk mitigation, compared to only 25% of those that had been breached. This is likely attributable to illuminating the problem, rather than sweeping it under the rug, which could lead to increased funding and other resources necessary to adequately address the scope of the problem.

Create an Inventory of Third-Parties with Access to Your Company/Data

Once you have some transparency and buy in, you may be in a better position to create a complete inventory of all third-party connections to your systems and digital assets. Again, like on social networks, to reduce risk, it’s vital to vet and keep track of your connections, limit what you share and how you share it. Creating this comprehensive inventory of third-party connections involves a full assessment across your entire organization. You can’t secure what you can’t see, and unauthorized or unknown connections are unfortunately very common. 45% of companies that had not been breached had created an inventory, compared to only 22% of those who had been breached. Not every organization has the resources or time to accomplish a full accounting of their connections, but any assessment is better than nothing. Remember that cybersecurity is incremental and a process, not a destination.

Prioritize Connections by Risk

Take the list of third-party connections and prioritize them by risk, according to what they have access to and the potential fallout of a breach and focus on securing the highest risk connections first. Apply the Least Privilege principle, making sure they only have access to the systems and data that are absolutely necessary. If no connection is needed, eliminate it! The fewer connections you have, the less there is to protect. If data sharing is only for monitoring or accounting purposes, consider using a higher security mechanism such as a data diode to share the data one-way. This effectively eliminates the connection into your organization just as if you had severed it completely. If external access is required, make sure to segment your network so the areas that are accessed by third parties don’t provide an open door to the rest of your organization.

Summary

Third-party connections and breaches are not going away any time soon, so there’s no time like the present to develop and maintain a strong risk mitigation plan. Depending on the level of resources available to you and your organization, you may not be able to roll out a fully automated, AI driven, zero trust cybersecurity extravaganza. That should not stop you from seeking out the strategies, tools, and technologies available to help you improve your security posture, shrink your network’s attack surface, and reduce risk to your organization. Your reputation depends on it!

You may also like

  1. Transforming Security Strategies in Times of Uncertainty

    Opinion

  2. Half of Orgs Don't Change Security Strategy, Even After an Attack

    News

  3. Half of ITDMs: Cybersecurity Still Not a Top Priority for the Board

    News

  4. Interview: What is the Future of IT Security?

    Blog

  5. 5 Common Mistakes When Dealing with Security Stakeholders – and How to Avoid Them

    Blog

What’s hot on Infosecurity Magazine?