With cybersecurity in the spotlight for most businesses today, it’s essential to understand the key sources of threats to your organisation. One major concern is third-party risk and the myriad of cyber threats that can lurk within the extensive network of partners and suppliers that modern organisations rely on.
Whilst third-party risk is unlikely to pose the biggest impact to an organisation – and is not necessarily more likely to occur than internal risks – it ranks high on risk registers because it is one of the hardest to mitigate. That is because these risks exist outside of your organisation, which means you can only put minimal controls in place, and in some cases none at all. To effectively manage third-party risks you need to take a proactive approach and have the right tools to efficiently identify, assess and mitigate potential threats.
In a recent industry dialogue with The Register, we shed light on the pivotal role that threat intelligence can play in bolstering third-party risk management practices. This article discusses what organisations need to know when it comes to tackling third-party risks.
Types of third-party risk
In understanding third-party risk, it is crucial to recognise that it extends beyond typical vendor relationships where an organisation pays a third party for goods or services. With the increasing integration of technology, third parties are often tightly linked to an organisation’s information systems, and may include entities you have no commercial relationship with, such as the maintainers of open-source or freeware software.
In order to identify your organisation’s most significant third-party risks, it is important to consider the types of impact, whether operational, reputational or regulatory. Each business sector may have unique risks and mitigation priorities. For example, banks may focus on the impact of cyber fraud and theft on their customers, while hospitals may centre their attention on threats to operations that affect the safety of their patients.
Establishing strong partnerships and due diligence
When it comes to third-party risk, it’s vital for organisations to foster strong relationships with suppliers from the outset. These relationships serve as a foundation for future collaboration, particularly when combating a cyber-attack targeting your organisation. Moreover, it’s important to note the significance of pre-contract due diligence in setting clear security expectations and obligations for both parties, laying the groundwork for effective risk management.
At the bare minimum, organisations should make sure that the company they are about to do business with has appropriate security controls in place before contracting with them. These measures should be proportionate to the risk that an attack against the supplier would pose to your business. Indeed, having a trusted security expert in place at both supplier and customer level is the most valuable piece of due diligence for any organisation.
Tailoring contracts for enhanced security measures
Moving beyond initial due diligence, tailoring contracts to address unique security requirements should be a necessary consideration in third-party risk prevention. While legal negotiations can feel tedious, contracts play a vital role in aligning security expectations between suppliers and customers, particularly in large business-to-business deals. For smaller contracts, using generic terms is common, but a careful review of all terms should still be part of your best-practice requirements. Even in smaller transactions, organisations should not overlook the importance of understanding and agreeing on suitable terms.
Building strong relationships with partners and tailoring contracts are crucial steps in mitigating risks in business dealings. Contracts should be viewed not merely as punitive measures in case of failure but as guidelines for day-to-day operations aimed at minimising the occurrence of issues. Establishing a solid foundation early on can pave the way for smoother operations and effective risk management down the line.
Continuous monitoring and identifying emerging threats in real-time
Following due diligence and contract negotiation, continuous monitoring of every available source is the next stage in third-party assurance. For large companies or those operating in high-risk environments, continuous monitoring is essential, even if it involves astronomical amounts of data.
Real-time monitoring encompasses collecting, analysing and reporting intelligence to identify potential threats promptly. For instance, monitoring dark web marketplaces for the sale of compromised credentials can provide forewarning of potential attacks. Similarly, tracking the initial release of ransom demands and leaked documents can enable organisations to stay ahead of emerging threats. Monitoring ransom payments and extortion negotiations offers insights into attackers’ motives and strategies.
Threats from supply chain attacks and targeted political activism can escalate quickly and have widespread impact, highlighting the importance of real-time monitoring. Real-world examples – like the critical SSH vulnerability which had the potential to be a huge issue for Linux users worldwide – demonstrate the need for timely intelligence to keep abreast of rapidly evolving situations.
Likewise, using threat intelligence to monitor hacker activity, such as when threat actors announced last year that they would target European banks with cyber attacks, shows how real-time intelligence can flag important risks.
Timely intelligence empowers organisations to proactively manage critical risks. From alerting suppliers about potential threats and allocating security resources, to preparing media responses, businesses can gain enhanced visibility for risk mitigation. By leveraging threat intelligence early, organisations can respond more effectively, minimising the impact of potential incidents.
How Silobreaker can help
Complex and globally dispersed supply chains make it hard to gain visibility into all the potential risks that may impact an organisation through the suppliers it relies on.
For organisations looking to enhance their third-party risk management practices, the journey begins with comprehensive due diligence and contract negotiation. From there, embracing continuous monitoring and real-time threat intelligence enables proactive risk mitigation.
Silobreaker provides powerful insights on emerging risks and opportunities in real-time. It automates the collection, aggregation, accurate analysis and dissemination of data from open and dark web sources in a single platform, so intelligence teams can produce high-quality, actionable reports in line with priority intelligence requirements (PIRs).
This enables global enterprises to gain a holistic understanding of the risk specific suppliers pose based on their involvement in any breaches and cyberattacks, and the geopolitical and regulatory landscape in which they operate. Silobreaker also empowers organisations to make intelligence-led decisions to safeguard their business from wider cyber, physical and geopolitical threats, mitigate risks and maximise business value.
By staying vigilant and responsive to emerging threats, businesses safeguard against both direct and third-party risks, protecting their interests and fostering stronger partnerships with suppliers.
The full webinar, “Mitigating third-party risk: Insights from threat intelligence” with Andy Grayland, is available to watch here.