It’s time to reconsider third-party risk assessment


December marked the third anniversary of one of the industry’s most high-profile data breaches, SolarWinds. While the immense cost and recent legal filings that followed this highly malicious 2020 supply chain attack highlighted the importance of third-party risk assessment, bad actors have continued to exploit third-party software.

According to Forrester Research’s 2022 Security Survey, supply chains are the leading cause of breaches. For example, the number of organizations affected by the MOVEit supply chain hack is close to 3,000 – and that number is still growing. It’s time to review your current third-party risk assessment program and adopt new best practices to reduce risk.

The rise of SaaS subscriptions

Third-party risks have never been higher. Industry analyst firm Gartner recently revealed that despite increased investment in third-party cybersecurity risk management over the past two years, 45% of organizations have experienced third-party-related business disruptions. How did we get here? According to Gartner, 60% of organizations work with more than 1,000 third parties. On average, organizations use over 370 Software-as-a-Service (SaaS) applications; the average department now uses 87 SaaS applications. Each new application expands the attack surface. The scale of the problem is enormous.

In the past, enterprise software procurement was a long, drawn-out process with plenty of oversight. While sometimes tedious, long enterprise sales cycles gave organizations the opportunity for adequate due diligence, so they did not integrate too many third-party systems. With the proliferation of SaaS, it is easier than ever for organizations and individual users to add new software subscriptions, sometimes with little oversight or risk assessment.

The volume and speed of SaaS subscriptions is one of the main reasons why organizations today have so many third-party vendors. Decision-making power for the purchase and onboarding of these applications is increasingly decentralized, ranging from individual employees who simply want to try a free software trial to empowered team members. Third-party solutions enter an organization through many avenues, which has only increased the security challenge and made risk assessment more difficult.

With the emergence of AI-based productivity tools, we can expect the expansion of SaaS – and the risk associated with third parties – to accelerate. Additionally, there is growing employee demand for innovative, consumer-grade products. While organizations may prefer to consolidate supplier relationships, employee demand for best-of-breed products may counteract this effort, continuing the momentum toward onboarding ever more suppliers.

A path towards better third-party risk assessment

One of the biggest myths about third-party risk assessment is that it is a one-off activity. Many organizations mistakenly view this as a checkbox exercise, conducted only during the initial vendor onboarding process. This approach neglects the dynamic nature of risk, not accounting for changes over time in the third party’s business practices, security posture, or regulatory environment.

To increase efficiency, reduce risk and improve third-party risk assessment, organizations should take the following steps:

  • Classify suppliers based on the risk level they pose. Focus more in-depth assessments on higher-risk suppliers while applying streamlined processes to lower-risk ones.

  • Move from periodic reviews to continuous monitoring of third-party risks using real-time data feeds. This helps identify and respond to emerging risks in a timely manner.

  • Develop standardized procedures and templates for risk assessment to ensure consistency, reduce redundancy and accelerate the evaluation cycle. Create a system that automatically reminds you when a supplier’s risk assessment is due.

  • Ensure third parties comply with international data privacy laws and regulations, which may vary significantly by region.

  • Evaluate third parties’ preparedness to respond to security incidents or operational disruptions.

  • Consider fourth-party risks posed by a third-party vendor’s own subcontractors or partners, which can have a significant impact on the risk landscape.

  • Assess the robustness of the third party’s supply chain against disruptions and their impact on the organization’s operations.

  • Expand risk assessment programs to accommodate business growth and an increasing number of third-party relationships.

  • Implement advanced technologies such as artificial intelligence and machine learning for automated data collection and analysis, and use AI to develop the right questions to ask your suppliers. Adopt cutting-edge technologies and automation to combat the scale of the challenge and ensure security at scale.
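The first three steps above (tier suppliers, move from periodic to continuous review, and automate the reminder) together with the fourth-party point can be expressed as a small risk register. The following is an added example, not code from the original article or from any product it mentions: it scores each supplier on three assumed 0–3 factors, maps the score to a tier with an assumed reassessment cadence, lets a subcontractor's tier raise the tier of the supplier that depends on it, and lists whose reassessment is overdue. Supplier names, scores and dates are constructed sample data; the factor scale, thresholds and intervals are assumptions rather than any standard.

```python
"""Added example, not code from the original article: a minimal third-party
risk register that tiers suppliers by the risk they pose, sets a
reassessment cadence per tier, lets fourth-party (subcontractor) risk raise
a supplier's tier, and flags reviews that are past due. Supplier names,
scores and dates are constructed sample data; the scoring scale, thresholds
and intervals are assumptions, not a standard."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed reassessment cadence per tier (days): higher-risk suppliers get
# deeper, more frequent review; lower-risk ones a streamlined annual check.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Supplier:
    name: str
    data_sensitivity: int      # 0-3: public, internal, confidential, regulated
    access_level: int          # 0-3: none, read-only, read/write, privileged
    business_criticality: int  # 0-3: optional, supporting, important, core
    last_assessed: date
    subcontractors: list = field(default_factory=list)  # names of fourth parties


def inherent_score(s: Supplier) -> int:
    """Sum of the three 0-3 factors; range 0-9."""
    return s.data_sensitivity + s.access_level + s.business_criticality


def tier_for_score(score: int) -> str:
    """Map a 0-9 score to a tier (thresholds are an assumption)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def effective_tier(s: Supplier, registry: dict, _path=frozenset()) -> str:
    """Supplier tier including fourth-party risk: a supplier is treated as at
    least as risky as any subcontractor it depends on. `_path` holds the
    names already on the current dependency chain so cyclic data cannot
    recurse forever; subcontractors missing from the register are skipped
    (a real program would flag them as an unassessed fourth party)."""
    path = _path | {s.name}
    tier = tier_for_score(inherent_score(s))
    for sub_name in s.subcontractors:
        if sub_name in path or sub_name not in registry:
            continue
        sub_tier = effective_tier(registry[sub_name], registry, path)
        if TIER_RANK[sub_tier] > TIER_RANK[tier]:
            tier = sub_tier
    return tier


def next_review_due(s: Supplier, registry: dict) -> date:
    """Date the next reassessment falls due, driven by the effective tier."""
    interval = REVIEW_INTERVAL_DAYS[effective_tier(s, registry)]
    return s.last_assessed + timedelta(days=interval)


def overdue_reviews(registry: dict, today: date) -> list:
    """(name, effective tier, days overdue) for every supplier past its due
    date, most overdue first: the list an automated reminder would send."""
    rows = []
    for s in registry.values():
        due = next_review_due(s, registry)
        if today > due:
            rows.append((s.name, effective_tier(s, registry), (today - due).days))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (names, scores and dates are invented).
SAMPLE_REGISTRY = {
    s.name: s for s in [
        Supplier("payroll-saas", 3, 2, 3, date(2023, 6, 1), ["cloud-host"]),
        Supplier("cloud-host", 2, 1, 2, date(2023, 11, 15)),
        Supplier("survey-tool", 1, 1, 0, date(2023, 1, 10), ["analytics-vendor"]),
        Supplier("analytics-vendor", 2, 1, 1, date(2023, 12, 1)),
    ]
}
SAMPLE_TODAY = date(2024, 1, 15)  # constructed "current" date for the sample


def sample_overdue() -> list:
    """Overdue list for the constructed register as of SAMPLE_TODAY."""
    return overdue_reviews(SAMPLE_REGISTRY, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, tier, days in sample_overdue():
        print(f"{name}: tier {tier}, reassessment {days} days overdue")
```

The sample shows why fourth-party propagation matters: on its own score the survey tool is a low-risk supplier on an annual cycle and would be only days overdue, but because it relies on a medium-risk analytics vendor it inherits the 180-day cadence and turns out to be the most overdue item in the register.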


As organizations continue to onboard new suppliers, supply chain and other third-party risks will continue to increase. By continually evaluating and updating your organization’s third-party risk assessment program, you can significantly improve your security posture and hopefully ensure that your company doesn’t suffer the next headline-grabbing incident.
