© 2020 Content Security Pty Ltd.
Third-party relationships are essential if your business is to thrive in today’s marketplace. While the extended enterprise is nothing new, the frequency, scale and complexity of these business relationships have certainly changed, with Gartner reporting the median organisation contracting around 5,000 third parties and only half of businesses conducting supplier audits.
Paired with this escalation in third-party use comes increased exposure to a host of new risks, with these relationships exploited in a variety of recent high-profile cyber attacks. Failure to manage third-party risk is putting businesses in the firing line for increased regulatory and compliance fines, operational shutdowns, reputational damage, privacy risks and more. In fact, regulators are increasingly concerned with how third-party risk is being managed, and fines for third-party breaches are in the hundreds of millions of dollars.
Considering the strategic value that third-party relationships bring, it would be impossible to try to eliminate the risk altogether. Thus, the key is to proactively manage it and continually assess the risks throughout the supplier lifecycle.
Content Security’s Third-Party Risk Assessment (also known as a Supplier Audit) will reduce your organisation’s exposure to risk while achieving stronger relationships with your service providers. Ultimately, we help evaluate the effectiveness and maturity of your suppliers’ information security controls, providing your management and key stakeholders with a clear view on how critical and sensitive information is being handled and processed by third-party vendors.
Third-party relationships are a critical source of strategic advantage and it’s evident that outsourcing is providing invaluable business gains across productivity and profit. That’s why during our Supplier Audits, we strive to gain an understanding of the context and value of the processes outsourced to your third-party supplier.
From here, we’re able to critically assess the benefits they bring to your organisation – whether it might be improved agility, increased performance, or cost savings – and how these strengths could be weakened by unforeseen vulnerabilities.
Our approach to Third-Party Risk Assessments is two-fold, with the development and provision of a tailored questionnaire for your suppliers and subsequently, an assessment of their answers and the potential risks they pose. We create our Third-Party Risk Assessment framework based on best practices recommended by a variety of industry standards, such as ISO 27001, the Australian Privacy Act 1988, as well as any additional regulatory and contractual requirements that your organisation may have. In short, our supplier audit involves three main components:
Firstly, we work to understand what assets are maintained by your external parties. A large part of this process involves gauging the value of the information being stored with or shared with the third party. Moreover, we review the services being provided by the supplier and determine what level of risk your organisation is willing to accept.
Second, we use this information to amend our framework and identify questions pertinent to the supplier, based on the information being handled and shared. In addition to the scope information, we also take into consideration the level of protection required by the business and/or legislation.
Finally, following a response from your supplier, we evaluate the maturity of controls implemented by the third party and the inherent risk. The results of this analysis are delivered to you in a business-oriented report, thus arming you with the right information about your third-party relationships.
Hackers are increasingly targeting third-party vendors to gain access to other organisations. Estimates indicate approximately 60% of breaches can be traced back to third parties. The examples below demonstrate just how severe third-party breaches can be, with long-lasting financial, operational, reputational and compliance losses incurred:
Texas-based company SolarWinds was compromised in 2020. In short, nation-state hackers snuck malicious code into the updates for popular monitoring software, Orion. The hackers then gained access to over 250 government agencies and businesses. This is known as one of the worst breaches to date. It demonstrates the importance of third-party risk management (TPRM), with an increasing number of parties coming forward as victims.
Similarly, Florida-based IT solutions developer, Kaseya, was hacked in July of 2021. The attackers carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software. The domino effect was felt across the globe, with 1500 companies affected.