How to mitigate third-party security risks

Third-party products and services are an integral part of business operations. Organizations depend heavily on optimizing their solutions by reducing costs; thus, bringing about the need for external expertise. Third-party organizations promise timely delivery of products and services, meeting compliance requirements, and optimizing the organization’s overall business performance.

Reasons for bringing in a third party for various business operations include:

• Providing tools and/or applications for internal or external use
• Administering services for software components
• Consulting expertise for other tools/services
• Contributing professional services for customers
• Auditing
• Achieving compliance goals

What are third-party risks?

With the engagement of organizations other than your own in business operations, exposure to threats and risks increases. Threats arising from third-party engagements require enterprises to adopt a risk management approach for these assets.

If these risks are not mitigated, consequences may include:

• Reputational damage to brand, products, and/or services
• Loss of confidential and personally identifiable data
• Loss of customer trust and relationship (as is the case when a breach occurs)
• Downtime of critical systems/network resources due to outsourcing infrastructure
• Unauthorized access to systems, tools, applications, and data by third parties
• Public disclosure or loss of intellectual property, trade secrets, copyrights, etc.

What is an ideal third-party risk mitigation approach?

Creating a risk mitigation strategy for a third-party organization can be a tedious task. The identification and mitigation of risks requires a well-established and automated risk management program. This program can be used for both internal applications and services, and external tools and services.

Let’s examine an approach to identify, assess, and mitigate third-party risks:

• Identification. Risks can be identified at any level of engagement with a third party. This should account for all tools or services used on premise or hosted on an external network.
• Assessment. Once the risk has been identified, an assessment is conducted to carefully evaluate and account for the impact. A risk ranking system allows for the prioritization of risks.
• Mitigation. Assessed risks and threats must be mitigated in a cost- and time-effective manner. Risks must be communicated through an open channel to the third party for remediation.

Step 1: Identify third-party security risks

Based on the scope of work, third-party tools and services are allowed access to various systems, resources, network appliances, applications, and data (either stored or in transit). Potential risks accompany access. Determining the security risks in these circumstances can be tricky.

At a high level, organizations should follow these best practices to identify security risks from third-party engagements:

• Recognize risks by conducting a threat model to analyze critical assets in which a third-party tool will interact.
• Analyze entry and exit points for all third-party tools and services.
• Classify risks for third-party tools and applications by performing penetration testing and source code analysis.
• Review all on-site engagements and interactions (e.g., consulting) with the third parties.
• Diagnose additional risks by performing a red teaming assessment for the services provided by third parties.
• Account for any and all open vulnerabilities that are publicly disclosed against the tool or service in use from a third party.

Step 2: Assess third-party security risks

Evaluation and assessment are important steps to comprehensively mitigate risks. This step prioritizes risks to see them through to mitigation in a time- and cost-effective manner. A risk management program cannot be successful if the assessment of each security risk (based on its impact to the business) isn’t calculated.

To best assess third-party security risks:

• Prioritize the evaluation of critical third-party tools and services to manage the additional assessment cost to the security program.
• Assess the overall potential business impact of each critical third-party tool risk.
• Evaluate the third-party tools or services with the help of a non-biased resource
• Conduct periodic assessments regarding access to authorized and unauthorized resources for third-party tools and services.

Step 3: Mitigate third-party security risks

Identifying and assessing vulnerabilities also requires a mitigation strategy. This strategy is used to reduce the severity of the identified risks and/or remediate them.

Follow these practices to help your organization mitigate and prevent threats and risks posed by third parties:

• Maintain an inventory of all third-party assets, in addition to their interactions with upstream and downstream assets in the organization.
• Advocate asset ownership for each third-party service or tool in the inventory.
• Create and periodically review third-party service level agreements (SLAs) and non-disclosure agreements (NDAs).
• Communicate the risk management approach to the third party and expectations prior to onboarding the tool or service.
• Establish an open channel for communicating threats and risks to the third party.
• Construct risk profiles for each third-party asset. Risk profiles provide an overall impact to the business (e.g., revenue, services, etc.) in case of security risks.
• Implement mitigating controls for securing all third-party entry and exit points.
• Devise a remediation activity timeline for each third-party risk identified during the assessment phase (e.g., include threat modeling, application penetration testing, and source code analysis).
• Centralize and review changes from a third party before distribution to customers and employees.
• Audit security controls implemented by the third party for customer or client data. Data segregation with other organizations is important in case of a breach.
• Take control and ownership of key management, data stores, and other critical assets hosted by the third party.
• Examine authorized and unauthorized access to systems from third-party assets.
• Monitor on-site staff and their activities from a third party.