Why Companies Misunderstand Third-Party Cyber Risk

Rethinking How We Discuss Vulnerabilities in the Digital Supply Chain

The fundamental principle that makes the internet so powerful is the concept of connecting previously disparate systems, and yet many firms are struggling to understand the digital – and in particular, the cybersecurity – implications of their business relationships. Why is this? In short, this is a challenge of language. As cybersecurity professionals, we are failing in our duty to help explain cyber risks in a way that makes sense to those facing such risks.

We talk about the “digital supply chain” as if this is a term that will make immediate and innate sense to boards and leadership suites across the professional services world. Unfortunately, all too often, that’s not the case. “Supply chain” conjures images of factory floors, of coordinating suppliers or logistics, just-in-time production or perhaps enterprise resource planning (ERP) systems. These are the exact wrong metaphors to be conjuring, and if we are to be successful in helping our clients (internal or external) to not only understand these risks, but also mitigate them, we must change the conversation, beginning with the very words we use.

Trusted Relationships

To start, I suggest using the phrase “trusted relationships” or “partners” over terms like “digital supply chain” or “suppliers.” Traditional terminology conjures a one-way relationship, wherein the firm simply procures products or services from the supplier and then proceeds to do its value-added work. The reality of today’s relationships is much more fluid. Data flows back and forth between your firm and the third parties that support the business in more ways than most even understand. Perhaps this takes the form of sharing sensitive intellectual property or proposed merger details with an outside law firm. Perhaps it is leveraging an external provider for email or cloud storage services. These are standard practices, but the risks are rarely fully understood.

When the American Bar Association established its Cybersecurity Legal Task Force, it noted that 80 of the top 100 law firms were breached in a single year. Intellectual property and M&A information is a perpetual target for state-sponsored organizations, with recent reports from the Washington Post indicating that China has continued their efforts. Yet these trusted relationships remain critical to getting business done, forcing firms into a difficult position of having to evolve into a “trust, but verify” mindset.

Identifying and Contextualizing Relationships

Once the nomenclature has been adjusted, the next step in the evolution of evaluating risk in trusted relationships is to expand the concept and identification of these relationships and partners. The rise of cloud service providers, apps and outsourcing has created great efficiencies for many small and medium (and even large) enterprises. Firms can outsource many typical business functions (such as HR or IT) and focus on their core competencies. This does, however, bring with it additional risks. In this new arrangement, information about your employees or your systems now rests outside your walls and largely beyond your reach. If a security incident occurs with your HR software provider, it can become a very real headache very quickly, as a recent breach at an HR software-as-a-service company demonstrated.

This problem is not isolated to small firms or to startups. A robotics firm used by some of the world’s largest automakers recently revealed that over 10 years of proprietary data from over 100 companies leaked thanks to a misconfigured backup. In fact, for large organizations, it can be even more difficult to fully understand the complex web of relationships that make the business function. Still, this basic understanding is essential for any firm looking to improve their security posture. Where and how does data flow in and out of your organization? What technical or policy controls govern those data flows? Without this level of understanding, information security teams won’t be able to help procure an appropriate level of cyber insurance to cover you in the event of an incident, will struggle to develop a key management strategy for encrypting and maintaining data stored offsite or fail to implement a third-party risk management process to help highlight vulnerable vendors or data practices.

But there is hope. By implementing more deliberate, trusted relationship strategies, cybersecurity professionals can begin to change the conversation. These third-party risks are real, but they’re also manageable. Once you’ve helped your leadership understand what they are, you can help them understand how to make better-informed risk-based decisions. We’ll never eliminate risk, but the more we understand it, the better we can address it. As more firms demand improved cybersecurity posture from their partners and trusted relationships, the resulting best practices will benefit everyone else your partners work with. A rising tide, indeed.