To better manage cybersecurity risk, extend zero-trust principles to third parties

Today’s cybersecurity landscape requires an agile and data-driven risk management strategy to deal with the ever-expanding third-party attack surface.

When a business outsources services by sharing data and network access, it inherits the cyber risk from its vendors across their people, processes, technolog, and that vendor’s third parties. The typical enterprise works with an average of nearly 5,900 third parties, which means companies face a huge amount of risk, regardless of how well they cover their own bases.

For instance, 81 individual third-party incidents led to more than 200 publicly disclosed breaches and thousands of ripple-effect breaches throughout 2021, according to a report by Black Kite.

The current outside-in approach to managing third-party risk is inadequate. Instead, the industry needs to move toward a new third-party risk management approach by initiating conversations beyond outside-in assessments. Specifically, businesses should establish zero-trust principles for all vendors, assess risk across external and internal assets with inside-out assessments and measure cyber risk in real time.

The zero-trust principle of “Never trust, always verify” has been adopted widely to manage internal environments, and organizations should extend this notion to third-party risk management.

To combat this, enterprises need to consider vendors as subsets of their business.

The looming threat

The amount of data and business-critical information one enterprise shares with its vendors is staggering. For instance, a company might share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers to share with insurers and allow marketing agencies access to customer data and personally identifiable information (PII).

This is just the tip of the iceberg, and most businesses often don’t know how big the iceberg really is. In a survey conducted by Ponemon Institute, 51% of the companies surveyed said they do not assess the cyber risk posture of third parties before allowing them access to confidential information. What’s more, 63% of the companies surveyed said they do not have visibility into what data and system configurations vendors can access, why they have access to it, who has permissions and how the data is stored and shared.

This massive network of businesses sharing information in real-time results in a vast attack surface that is becoming increasingly difficult to manage. To overcome this challenge, businesses use cybersecurity initiatives such as questionnaire-based onboarding surveys and security rating services in their third-party risk management strategies.

While these tools have definite use cases, they also have severe limitations.

Cybersecurity rating services are a quick and economical approach to third-party risk assessments. Their simplicity — representing a vendor’s cyber risk as a score, like credit ratings in financial services — make them a popular choice, despite the limitations.

The recent data breach involving Okta is a good example of how third-party exposure can affect a company. Okta’s subcontractor, Sitel, was targeted by the Lapsus$ group in March, when a Sitel’s employee’s device with sensitive information on Okta was breached. Okta trusted Sitel’s cyber risk posture because their outside-in assessment yielded a score of 4.3 out of 5, or an “A” grade, which could be considered above the industry average.

So, how did this breach happen if Sitel’s score was higher than the industry average?

Unfortunately, Okta did not consider the inside-out risk posture of its vendors — including risk across internal assets such as endpoints, cloud assets and employees, among other factors — leaving a blind spot in its third-party risk management strategy.

Cybersecurity rating services, such as those trusted by Okta, have significant shortcomings when used in isolation:

  • They only provide a snapshot and point-in-time view of third-party cyber risk and can’t provide real-time and dynamic risk assessment.
  • The rating services do not cover the full extent of vulnerability areas and only assess public-facing assets. They don’t account for internal vulnerabilities within the vendor enterprise, such as endpoints, cloud assets, cybersecurity policies and employee awareness.
  • Their output often reveals a high number of false positives, misleading security teams into action or inaction and also resulting in low confidence from boards in cybersecurity initiatives.

The journey to inside-out risk assessment for third parties

To overcome these limitations, businesses must revisit the fundamentals. For example, the zero-trust principle of “Never trust, always verify” has been adopted widely to manage internal environments, and organizations should extend this notion to third-party risk management.

Although achieving this standard is not easy, organizations should think about the zero-trust transformation as a journey.

1. Identify critical vendors

Instead of going all-in on day one, it is easier to identify and focus on critical vendors first. Vendor “criticality” depends upon the type of data and applications shared, and the importance of the vendor to continued business operations.

2. Define the “extended” attack surface within these critical vendors

For each of these critical vendors, identify the assets (technology, people and processes) that matter to define the “extended” attack surface. For example, your vendor may be building a code that is hosted on a public cloud instance. This application and the public cloud instance then become part of the extended attack surface.

3. Initiate a dialogue and decide on a framework

This is a crucial step, and it is imperative to set expectations with partners.

Identify concerns on data sharing, conflicts with cybersecurity philosophies, regulatory hurdles and other challenges. Businesses must work with vendors to delineate their own extended attack surface from a vendor’s internal environment.

4. Get the right tools

This is where the benefits of an inside-out assessment tool will help organizations assess risk in real time. Ideally, these tools should collect signals from the extended attack surface through APIs, aggregate them across a vendor’s portfolio, and give security and risk management leaders a unified and quantitative view of their vendor risk profile.

An inside-out assessment of vendor risk augments a cybersecurity rating by letting business analyze the third-party’s people, policy and permissions, and technology risk, as well as its cyber reputation.

The shift to 360-degree third-party risk visibility

With insights into every vendor’s cyber risk posture, security teams can prioritize risk by choosing to accept, mitigate or transfer some or all third-party risk. Cybersecurity rating services play a big role in the current cyber risk management ecosystem, but they also create a false sense of security and can mislead businesses into complacency over their actual third-party risk.

Adopting an inside-out focus will give you a holistic, real-time and quantified way to proactively manage third-party cyber risk.