Risk-management “confusion” compromises third-party cybersecurity controls
- 24 October, 2018 10:42
Cybersecurity and data privacy have become nearly as important to risk-management professionals as ethical professional behaviour, according to a survey that identified lingering concerns over the exposures that businesses inherit when they deal with third parties whose information-security practices are outside of their control.
Respondents to the NAVEX Global’s 2018 Third-Party Risk Management Benchmark Report offered insight into their third-party risk management programs, with fully 44 percent of respondents naming cybersecurity and data privacy as a top concern.
This was just behind the 46 percent that named ethics and code-of-conduct compliance but well ahead of those who named concerns such as quality control (28 percent), conflicts of interest (25 percent), and anti-bribery efforts (21 percent).
Organisations with $US1b or more in revenue were more likely to prioritise cybersecurity and privacy as a key concern (named by 53 percent) than smaller businesses (36 percent) or government organisations (45 percent).
Cybersecurity has long been “a constant high-risk concern to ethics and compliance professionals,” the report’s authors noted, arguing that some organisations are “fighting back with encryption” but continue to face risks from malicious internal actors or inadvertent actors compromised by phishing or other schemes.
Training had been adopted as a key tool for decreasing employee susceptibility to phishing schemes but third parties “create significant cyber security risks through access to corporate data that should not be ignored,” the analysis warns.
“Many organisations may take too lightly the damage that third parties can inflict on their reputation and finances by minimising their focus or ignoring this essential compliance program element completely.”
Codes of conduct offer a highly effective approach to driving third-party behaviour around cybersecurity and other risks, the report notes. Yet despite the importance of third-party security, just 23 percent of survey respondents said they would be prioritising their third-party due diligence and oversight in the next 12 months.
The findings highlight the lingering challenges of a gap in risk-management practices that has seen many companies struggling to improve the maturity of their risk management.
Vulnerability management, in particular, is proving chronically difficult internally and becomes far more difficult when trying to manage the vulnerability profile of outside third parties.
Fully a third of enterprises in Tenable’s recent Cyber Defender Strategies Report 2018 were found to be following a low-maturity Minimalist style of vulnerability management – with utilities, healthcare, education, and entertainment businesses most commonly using this approach.
The Minimalist style is the lowest of four maturity levels – the others being Surveying, Investigative, and Diligent – and only 5 percent of enterprises display high-maturity characteristics, according to the Tenable analysis.
The analysis, which also found a correlation between company size and associated maturity, also recommends the use of customised scanning templates to tailor vulnerability assessments to specific asset groups, business units, and use cases.
Clarifying issues around cybersecurity situations has become a rallying cry for risk-management professionals, with the ISO 27000 series of risk-management standards recently updated with the first revision of ISO 27005 since 2011. This standard specifically deals with techniques for information-security risk management, and is positioned as being relevant to third parties supporting information-security risk management.
Third party-related breaches such as 2013’s major Target compromise, and this year’s widely-noted PageUp incident, have reinforced understanding of the importance of extending risk-management maturity to third parties.
These demonstrated potential repercussions should spur companies to consider – long before a breach happens – how they would engage with third parties in the event of a breach, Office of the Australian Information Commissioner (OAIC) acting deputy commissioner Andrew Solomon told AISA's recent Australian Cyber Conference.
There has been “some confusion” about how companies “would work with third parties if the breach involves something you hold jointly”, he said in reviewing the experiences of the OAIC and Australian businesses since the implementation of the Notifiable Data Breaches (NDB) scheme in February.
Analysis of hundreds of reported breaches had revealed a range of complexities introduced by third-party relationships included deciding who should respond to a breach; what each organisation would be responsible for; how suspected breaches should be communicated; how assessments should be conducted; which party is responsible for containment and notifications; and so on.
“It’s very important to link through to this when undertaking contracts,” Solomon said, “and to think about the issues beforehand. There should be clear procedures for complying with the NDB scheme when entering into service agreements with third parties. Businesses should understand that privacy has moved on from being about compliance.”