Business Risk Profile: Third-Party Risk
There are many strategic advantages to outsourcing, from cost optimization to an increased focus on an organization’s core competencies. However, entrusting third-party vendors, contractors, or partners with access to internal systems and data exposes organizations to new risks. If a security incident or breach at a third party jeopardizes the client assets or information entrusted to it, the client organization can face financial, operational, legal, or reputational consequences. As such, outsourcing decisions must be made with consideration of a broad range of risk factors.
The following challenges commonly exacerbate third-party risk:
During the past decade, many organizations have turned to outsourcing in order to reduce costs and increase efficiency. Third-party relationships can take many forms, including suppliers, manufacturers, distributors, lawyers, consultants, or business partners, among others. Delegating a diverse set of activities to a long list of contractors necessitates a third-party risk-management strategy that is holistic, comprehensive, and no longer siloed within any particular department.
However, developing such a strategy is becoming increasingly complex as outsourcing needs and external relationships continue to grow. In particular, companies working closely with numerous third parties may struggle to uphold confidentiality and control over their data and intellectual property. To further complicate matters, it is likely that third parties are working with fourth parties, which in turn are working with fifth parties, creating a complex chain of activity and a lengthy exchange of information. As such, organizations may be unaware of what risks they are actually exposed to.
With increased outsourcing has come increased regulation of how organizations manage their third-party relationships. Under certain circumstances, organizations can face severe penalties for violations. For example, the U.S. Consumer Financial Protection Bureau has taken considerable measures to hold banks accountable for protecting their customers’ information from compromise—even compromises that occur due to the oversight of a third-party partner of the bank. As such, in addition to meeting their compliance requirements, banks must conduct thorough due diligence before initiating third-party relationships and monitor the risks these relationships present on an ongoing basis.
Due Diligence & Monitoring Complexities
With the rise of the Internet of Things (IoT) and other emerging technologies, adversaries are continually working to exploit new vulnerabilities and develop new attacks. Since many of these adversaries congregate and conduct activities within the confines of the Deep & Dark Web (DDW), organizations without visibility into these regions of the Internet may be unaware of emerging threats or malicious schemes to which they—or any of their third-party partners—are susceptible. This necessitates a more thorough approach to third-party due diligence and monitoring, requiring organizations to supplement traditional screening assessments and audits with intelligence gleaned from the DDW.
Given the wide array of professional services available today, it may seem as though businesses can delegate virtually any task to third parties. Risk management, however, cannot be outsourced. As such, organizations must identify and monitor a comprehensive inventory of risks associated with their third-party dealings. While some risks are fairly straightforward and easy to track, others are dynamic and often remain unseen until the damage has already been done.
It’s virtually impossible to monitor emerging threats to third parties without visibility into underground cybercriminal activity. To address this gap, organizations are increasingly turning to Business Risk Intelligence (BRI) for insight into the insular communities of the DDW. By integrating BRI into their third-party risk management frameworks, organizations can proactively identify and mitigate threats, thus gaining a decision advantage over adversaries.
To learn more about how organizations are leveraging BRI to help manage third-party risk, download our use cases: Business Risk Intelligence for Third-Party Risk.
Chief Strategy Officer
Chris Camacho partners with Flashpoint’s executive team to develop, communicate, and execute strategic initiatives. With over 15 years of cybersecurity leadership experience, he has led initiatives across Operational Strategy, Incident Response, Threat Management, and Security Operations to ensure cyber risk postures align with business goals. An entrepreneur, Mr. Camacho also serves as CEO for NinjaJobs, a career-matching community for elite cybersecurity talent. He has a BS in Decision Sciences & Management of Information Systems from George Mason University.