Every business has its own set of business processes, and with them a unique set of challenges and opportunities to provide value to its customers. Each of these processes is supported by a nested and highly complex ecosystem of third parties.
Some third parties run a process end to end, as in a fully outsourced function where they act as an extension of the client's own team; others handle only part of a process. Some support business-critical functions, others non-critical ones. Either way, third parties have become a large and critical dependency for enterprises that want to run smoothly.
Enterprises that depend heavily on third parties carry the obligation to assess those third parties' cyber-security risk. The digital risk a vendor introduces ultimately lands on the client. Third parties therefore need to be assessed and monitored continuously for comprehensive cyber-security controls, and this is the challenge most businesses face today.
A typical business engages several hundred or even thousands of third parties across its processes; the exact number depends on the kind of organization and the work it does.
Many of these third parties have access to confidential information and personally identifiable information (PII) for which the client remains accountable under the applicable regulations. When a data breach occurs inside a third party, the final obligation still rests with the client.
There are also third parties that have no access to confidential information but still support a critical business process, so that any disruption in their operations leads to a direct loss for the client.
An example is a third-party payment gateway integrated to handle a client's online payments: if the gateway goes down and customers cannot pay, the client's eCommerce channels suffer a direct revenue loss.
Clients therefore need to assess and monitor the threat landscape of these third parties continuously. This is usually done in one of two ways. The first is external attack surface monitoring, in which the third party's internet-facing assets are scanned, the vulnerabilities visible to the outside world are identified, and the third party is given a cyber risk score. This method does not look at the individual security controls the third party actually applies. It is necessary, but not sufficient for a holistic cybersecurity assessment of a third party.
The limitation of external attack surface monitoring is that it only shows the third party's environment as it looks from the outside at a point in time; it says nothing about the processes the third party has in place to manage cybersecurity, such as access management, patching or incident response, and a finding on a shared or misattributed internet asset may not even belong to the vendor. Assessment of a third party's internal processes, meanwhile, is still largely manual, so basic cybersecurity processes at the third party may go unmonitored and unmanaged.
Many companies rely on questionnaires to assess the internal processes of third parties, and larger enterprises may run this exercise annually. However, these questionnaires usually ask the same questions of every third party regardless of its business context, which makes the risk assessment repetitive and less effective at securing the company.
Alfahive's approach brings the best of both worlds together to optimize the process. We take the vulnerabilities seen from the external attack surface, then integrate and automate them into a cyber-security risk assessment that is specific to the business context.
In our other post about automation in cyber-security risk assessment, we looked in detail at how each business has unique processes, and how exposure to third parties differs from one industry to another and from one business process to another within the same industry.
Alfahive looks at the business context of the third party; being able to automate and quantify the risk associated with that third party makes it easier for the enterprise to manage the risk on an ongoing basis. Enterprises can also prioritize the third parties that matter most to their business operations, where assessment has the greatest impact.
Alfahive understands the various industry domains as well as the individual roles third parties play in a company's value chain. We identify the third parties that are core to the company's value chain and also have access to PII, and assign them the highest priority.
Questionnaires used to assess these third parties can then include more specific questions and be triggered as often as necessary, rather than being limited to an annual exercise. Third parties that have no access to the company's confidential data and do not affect critical business functions are prioritized lower, allowing the company to focus on what matters most to its business. This streamlines the risk assessment process and keeps complexity manageable.
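The tiering, scoring and triggering described above, as an added worked example that is not Alfahive's code or model: a small Python script that tiers each vendor by two business-context facts (core to the value chain, holds PII), scores its external attack surface from constructed scan findings, combines the two into a ranked risk number, sets a questionnaire cadence per tier, flags vendors whose external exposure should trigger an immediate questionnaire rather than waiting for the annual cycle, and picks questionnaire sections by context. All weights, thresholds, cadences, vendor names and findings are assumptions made for the illustration.

```python
"""Rank third parties by combining business context with external exposure.

Added illustration only: the weights, tier rules, cadences and sample vendors
below are assumptions, not Alfahive's model or data.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Tier(IntEnum):
    CRITICAL = 1  # core to the value chain AND has access to client PII
    HIGH = 2      # one of the two
    STANDARD = 3  # neither


# Assumed impact weight and questionnaire cadence per tier (illustrative only).
IMPACT_WEIGHT = {Tier.CRITICAL: 1.0, Tier.HIGH: 0.6, Tier.STANDARD: 0.3}
CADENCE_DAYS = {Tier.CRITICAL: 90, Tier.HIGH: 180, Tier.STANDARD: 365}
RETRIGGER_EXPOSURE = 70.0  # external exposure at which an ad-hoc questionnaire is sent


@dataclass
class Finding:
    """One issue visible on an internet-facing asset (constructed sample data)."""
    asset: str
    issue: str
    cvss: float              # CVSS base score, 0.0-10.0
    exploited: bool = False  # issue is known to be exploited in the wild


@dataclass
class Vendor:
    name: str
    service: str
    core_to_value_chain: bool
    holds_pii: bool
    findings: List[Finding] = field(default_factory=list)


def tier_of(v: Vendor) -> Tier:
    """Business-context tier: what the vendor does for us, not how it looks from outside."""
    if v.core_to_value_chain and v.holds_pii:
        return Tier.CRITICAL
    if v.core_to_value_chain or v.holds_pii:
        return Tier.HIGH
    return Tier.STANDARD


def exposure_score(findings: List[Finding]) -> float:
    """External attack-surface score, 0-100. The worst finding dominates, a
    known-exploited issue saturates the score, and extra findings add a capped bump."""
    if not findings:
        return 0.0
    if any(f.exploited for f in findings):
        return 100.0
    worst = max(f.cvss for f in findings)
    breadth = 2.0 * min(len(findings) - 1, 5)
    return min(100.0, worst * 10.0 + breadth)


def questionnaire_sections(v: Vendor) -> List[str]:
    """Only ask what the business context makes relevant (assumed section names)."""
    sections = ["access_control", "vulnerability_management", "incident_response"]
    if v.holds_pii:
        sections += ["data_encryption", "data_retention", "breach_notification"]
    if v.core_to_value_chain:
        sections += ["business_continuity", "sla_and_rto"]
    return sections


def assess(vendors: List[Vendor]) -> List[Dict]:
    """Combine external exposure with business-context impact and rank vendors."""
    rows = []
    for v in vendors:
        t = tier_of(v)
        exposure = exposure_score(v.findings)
        risk = round(exposure * IMPACT_WEIGHT[t], 1)
        # Re-trigger the questionnaire early when the outside view looks bad.
        retrigger = exposure >= RETRIGGER_EXPOSURE or any(f.exploited for f in v.findings)
        rows.append({
            "vendor": v.name,
            "tier": t.name,
            "exposure": exposure,
            "risk": risk,
            "cadence_days": CADENCE_DAYS[t],
            "questionnaire_now": retrigger,
            "sections": questionnaire_sections(v),
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["vendor"]))


# Constructed sample portfolio (not real vendors or findings).
SAMPLE_VENDORS = [
    Vendor("PayFlow", "payment gateway", True, True, [
        Finding("pay.payflow.example", "TLS 1.0 still enabled", 5.9),
        Finding("admin.payflow.example", "admin panel reachable from the internet", 7.5),
    ]),
    Vendor("MailBlast", "marketing e-mail", False, True, [
        Finding("app.mailblast.example", "outdated CMS with known RCE", 9.8, exploited=True),
    ]),
    Vendor("LogiShip", "last-mile logistics", True, False, [
        Finding("track.logiship.example", "missing HSTS header", 3.7),
    ]),
    Vendor("OfficeSupplies", "stationery", False, False),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_VENDORS):
        flag = "ASSESS NOW" if r["questionnaire_now"] else ""
        print(f'{r["vendor"]:15} {r["tier"]:9} exposure={r["exposure"]:5.1f} '
              f'risk={r["risk"]:5.1f} every {r["cadence_days"]}d {flag}')
```

Note what the ranking does with the sample data: the payment gateway, which is both core and PII-holding, outranks the e-mail vendor even though the e-mail vendor carries an actively exploited issue, because business impact weights the score; the exploited finding still forces an immediate questionnaire for both, while the stationery supplier, with no findings and no context that matters, stays on the annual cycle with the base question set.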