The Right and Wrong Way to Assess Third-Party Risk


Last year, I participated in a panel discussion organized by CAPCOG (the Capital Area Council of Governments), a Texas group of more than 90 member governments and organizations whose mission is to strengthen the Capital of Texas ten-county region by supporting urban and rural local governments through coordination, collaboration, and sharing of ideas and resources. One of the topics I spoke on was vendor risk management and managing the risks of working with third parties.

Attacks that reach an organization through its third parties are nothing new. Target's breach, disclosed in December 2013, exposed roughly 40 million debit and credit card numbers and the PII of up to 70 million customers; in February 2014 it was reported that the attackers got in using credentials stolen from Target's HVAC vendor. More recently, in the SolarWinds campaign, a nation-state attacker planted a backdoor in updates of the SolarWinds Orion software distributed from March 2020 onward (discovered in December 2020), reaching up to 18,000 customers globally, including the Department of Energy, National Nuclear Security Administration, US Department of State, US Department of Commerce, US Department of the Treasury and the Department of Homeland Security. Symantec's 2019 Internet Security Threat Report found that supply chain attacks increased by 78% in 2018, and the trend is expected to continue as threat actors shift their preference toward this attack method. In short, these attacks are not going away anytime soon.

The lesson is that complacency is what makes an organization vulnerable to supply chain attacks: granting a vendor access or trusting its software without verifying its controls. Organizations need to ensure that their vendors meet cybersecurity standards, regardless of whether regulatory requirements apply. So how do we do that?

STEP 1: We need to begin with basic security hygiene wherever vendors have access to our environment. In the Target example above, requiring multi-factor authentication on the vendor-facing portal and properly segmenting the network so that vendor access could not reach the payment systems could have prevented that breach. The same applies to every vendor account: unique credentials, least privilege, logging of what the account does, and removal of the access when the engagement ends.

STEP 2: We need to look for third-party attestations. We should prioritize working with vendors who are ISO 27001 certified or who have a SOC 2 Type II attestation. This may help with our assurance process, but it's worth noting that these may be difficult for smaller organizations to achieve, and exceptions may be made where an organization can demonstrate a genuine commitment to security. Also note that a SOC 2 report from a third-party auditor doesn't necessarily mean the vendor's security is any better or worse than the next organization's. It means the vendor chose the controls placed in scope, and the auditor tested that those controls operated as described over the review period; it does not mean the right controls were chosen. Read the report rather than just confirming it exists: check the scope, the exceptions the auditor noted, and any carved-out subservice organizations (a hosting provider excluded from the report, for example). The same goes for an ISO 27001 certificate, whose scope statement may cover only part of the business. The devil is in the details when it comes to third-party attestations.

STEP 3: I'll refer to this as the "questionnaire approach". The idea here is that we send the vendor a set of questions to answer and then gauge the risk of working with that vendor based on the results. Good examples of standardized questionnaires are the Shared Assessments SIG, the CSA STAR program's CAIQ and EDUCAUSE's HECVAT. Far too often, however, organizations create their own custom questionnaires for their vendors to complete. While this may get them answers to the specific questions they care about, a custom questionnaire is a heavy burden for the vendor that receives it, as answering these assessments is no small feat. Some vendors will push back on these, instead opting to provide customers with one of the aforementioned standards. At National Instruments, we used the SIG as our standard, and many of the vendors we worked with had one already prepared, saving both of us precious time. I also prepared a SIG for our customers to consume.

STEP 4 (OPTIONAL): I'll refer to this as the "scorecard approach". Essentially, some third party gathers a handful of metrics on your vendors and gives you a score that is supposed to tell you how secure they are. I looked at a number of scorecard tools when I ran the Information Security Program at National Instruments, and many were based on relatively arbitrary factors. The few that weren't could easily be gamed to show more positive results. As an example, SimpleRisk has straight A's in one of these platforms because I had access to see and fix each of the issues they found for us. You could argue that fixing these issues made us more secure, but in my opinion the things that were fixed were minor issues with low to no impact on our overall security posture. For instance, we initially had a deduction for redirecting HTTP on one site to HTTPS on another. Their guidance was to redirect first to HTTPS on the same site before redirecting to the other. An easy fix, but I think we can agree that the overall impact was pretty negligible. While I've listed this as a "step" in assessing third-party risk, the truth is that I'm not a fan of this approach, and I feel that most organizations could skip this step entirely without any repercussions.

In SimpleRisk, we've implemented a questionnaire approach to third-party and vendor risk assessments, called our Risk Assessment Extra, because we feel it does the best job of asking about the things you're truly interested in. It helps identify the real risks to your business, as opposed to arbitrary scorecards based on public-facing metrics. Additionally, the approach can be extended to demonstrate compliance against a specific control framework, or to show a vendor's current level of maturity against a desired state. I feel this is far and away the more effective approach, but note that it requires time to evaluate the results of each assessment, and therefore can be difficult to scale.
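As an added example of how questionnaire results can be turned into the control-framework and maturity view described above and in Step 3, the following is illustrative code written for this page, not SimpleRisk's Risk Assessment Extra and not the Shared Assessments SIG itself. The question identifiers, the mapping of questions to control families, the weights, the maturity scale, the scoring policy and the vendor's answers are all constructed for the illustration.

```python
"""Evaluate a standardized vendor questionnaire against a control baseline.

Added example, not SimpleRisk's code and not the Shared Assessments SIG itself:
the question identifiers, control mapping, weights, maturity scale and the
vendor's answers below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed maturity scale for comparing the vendor's current state to the desired state.
MATURITY = {"none": 0, "ad hoc": 1, "defined": 2, "managed": 3, "optimized": 4}
LEVEL_NAME = {v: k for k, v in MATURITY.items()}


@dataclass(frozen=True)
class Question:
    qid: str      # constructed identifier, not a real SIG question number
    control: str  # control family the question maps to
    text: str
    weight: int   # 1 = low, 3 = high consequence if the control is absent
    target: str   # desired maturity level for this control


# Constructed SIG-style questions, each mapped to a control family and a target maturity.
QUESTIONS = [
    Question("Q1", "Access control", "Is MFA required for remote and administrative access?", 3, "managed"),
    Question("Q2", "Access control", "Are privileged accounts reviewed at least quarterly?", 2, "defined"),
    Question("Q3", "Network security", "Are systems holding customer data segmented from corporate IT?", 3, "managed"),
    Question("Q4", "Vulnerability management", "Are critical vulnerabilities remediated within 30 days?", 2, "managed"),
    Question("Q5", "Incident response", "Are customers notified of security incidents within 72 hours?", 2, "defined"),
    Question("Q6", "Third-party management", "Do you assess the security of your own subcontractors?", 1, "defined"),
]

# Constructed vendor response: answer, self-reported maturity, and the evidence offered.
VENDOR_RESPONSE = {
    "Q1": {"answer": "Yes", "maturity": "managed", "evidence": "SOC 2 Type II report, CC6.1, no exceptions"},
    "Q2": {"answer": "Yes", "maturity": "ad hoc", "evidence": ""},
    "Q3": {"answer": "No", "maturity": "none", "evidence": ""},
    "Q4": {"answer": "Yes", "maturity": "defined", "evidence": "Patch management standard v2.1"},
    "Q5": {"answer": "Yes", "maturity": "defined", "evidence": "Incident response plan, section 4"},
    "Q6": {"answer": "N/A", "maturity": "none", "evidence": "No subcontractors handle customer data"},
}


def evaluate(questions, response):
    """Score a response and return the gaps a reviewer must follow up on.

    Assumed scoring policy: a "No" (or missing) answer counts its full weight
    as risk; a "Yes" with no supporting evidence is treated as unverified and
    also counts its full weight, because an unsupported claim is no better than
    a self-assessment. "N/A" answers are excluded from the score but listed so
    the reviewer can confirm they are legitimate.
    """
    gaps, unsupported, below_target, not_applicable = [], [], [], []
    controls = {}  # control family -> {"current": level, "target": level}
    scored_weight = gap_weight = 0

    for q in questions:
        r = response.get(q.qid, {"answer": "", "maturity": "none", "evidence": ""})
        if r["answer"] == "N/A":
            not_applicable.append(q.qid)
            continue
        scored_weight += q.weight
        current = MATURITY.get(r["maturity"], 0)
        if r["answer"] != "Yes":
            gaps.append(q.qid)
            gap_weight += q.weight
            current = 0  # an absent control has no maturity, whatever was claimed
        elif not r["evidence"].strip():
            unsupported.append(q.qid)
            gap_weight += q.weight
        if current < MATURITY[q.target]:
            below_target.append(q.qid)
        c = controls.setdefault(q.control, {"current": current, "target": MATURITY[q.target]})
        c["current"] = min(c["current"], current)   # a family is only as mature as its weakest answer
        c["target"] = max(c["target"], MATURITY[q.target])

    if scored_weight == 0:
        score, tier = 0.0, "unscored"  # everything answered N/A: nothing to score, review manually
    else:
        score = round(100 * gap_weight / scored_weight, 1)
        tier = "low" if score <= 20 else "medium" if score <= 50 else "high"

    return {
        "risk_score": score,
        "tier": tier,
        "gaps": gaps,
        "unsupported": unsupported,
        "below_target": below_target,
        "not_applicable": not_applicable,
        "controls": {name: {k: LEVEL_NAME[v] for k, v in lv.items()} for name, lv in controls.items()},
    }


if __name__ == "__main__":
    result = evaluate(QUESTIONS, VENDOR_RESPONSE)
    print(f"Risk score {result['risk_score']}% ({result['tier']})")
    for key in ("gaps", "unsupported", "below_target", "not_applicable"):
        print(f"  {key}: {', '.join(result[key]) or 'none'}")
    for name, lv in result["controls"].items():
        print(f"  {name}: current={lv['current']}, target={lv['target']}")
```

The point of separating "No" answers from unsupported "Yes" answers is the one made in Step 2: a claim with no evidence behind it is a self-attestation, so the reviewer has to go back to the vendor for the policy, report or screenshot before crediting the control. That follow-up is exactly the per-assessment effort that makes the questionnaire approach hard to scale; the weighting and tier thresholds here are arbitrary choices to be tuned to the organization's own risk appetite.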

In conclusion, I'd consider the first two steps outlined here mandatory for any organization looking to work alongside third parties, especially where sensitive or confidential data is concerned; but as the Target breach shows us, even vendors who don't explicitly have that access can wind up creating issues for us. The questionnaire approach is by far the best way to actually understand the risks involved with the parties you are working with. Implement it once you have a solid approach for the first two steps, and prefer a standardized questionnaire over a custom set of questions. As for scorecards, my advice would be to consider them a "value add" or leave them out entirely. At best, they provide a quick "gut check" on a vendor; at worst, they are incredibly misleading.
