One of the most interesting engagements we’ve seen at Nisos, and there have been many, is straight out of a binge-worthy Netflix drama. A publicly-traded company enters a new business partnership with a seemingly innocuous third party, only to have the FBI at its door several months later asking real questions about international organized crime syndicates and money laundering.
Unexpected, to say the least, but a reminder that third party risk management involves more than just making sure your vendors’ cyber risk ratings are accurate.
Not all surprises are bad though. In fact, a well-organized third party risk management program that analyzes data from a variety of sources is likely to find a few unexpected ways to contribute to the business.
To take a full view of the threat landscape, include open source intelligence collection from sources such as the international press, social media, job review sites, and, of course, the dark web. Each of these can unlock surprising benefits for risk mitigation.
If the key motivation of a third party risk management program is to prevent a large scale network breach, it’s important to remember that connected people may represent as much risk as connected networks. Malicious contractors have been the source of several high profile breaches, and from an information security perspective a person exfiltrating data with permissions they legitimately hold is an even more difficult problem to solve than an external intrusion: no control is bypassed, so the activity looks like authorized access unless someone has decided in advance to watch for it.
In a highly competitive global environment, both individuals and organizations as a whole may be motivated to retain more information, in the form of intellectual property, data, or simple proprietary processes, than a contract would allow.
Treating contractors like the insiders they are allows a third party risk team to add value to an insider threat program immediately.
For example, if a review of press articles conducted during a third party analysis uncovers multiple instances of intellectual property theft litigation involving a vendor, the third party risk team can alert the insider threat team, who in turn may be able to tune monitoring systems to look for potential offenders from current partners with histories of theft.
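As an added illustration of the hand-off described above (this is example code, not Nisos tooling or anything from the original post), the script below takes a watchlist of vendors flagged by a third party risk review, a mapping of contractor accounts to their employing vendor, and a few constructed file-access log lines, and applies a lower daily download threshold to contractors of flagged vendors. The vendor names, account names, paths, thresholds and log format are all hypothetical placeholders.

```python
"""Risk-weighted egress alerting for contractor accounts.

Added example: contractors employed by a vendor the third party risk team
has flagged (e.g. a history of IP theft litigation in the press) alert at a
lower daily download volume than everyone else. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical watchlist handed over by the third party risk team.
# Vendor names are placeholders, not real companies.
FLAGGED_VENDORS = {
    "vendor-a": "multiple IP theft suits found in press review",
}

# Hypothetical identity data (in practice pulled from the IdP or HR system):
# contractor account -> employing vendor; None marks a direct employee.
CONTRACTOR_EMPLOYER = {
    "c.alpha": "vendor-a",
    "c.beta": "vendor-b",
    "j.staff": None,
}

# Constructed file-access log: "<timestamp> <user> <action> <path> <bytes>".
SAMPLE_LOG = """\
2024-03-01T09:00:12Z c.alpha view     /repos/design/index.html 12000
2024-03-01T09:02:40Z c.alpha download /repos/design/spec.pdf 2400000
2024-03-01T09:15:03Z c.alpha download /repos/design/schematics.zip 5600000
2024-03-01T10:41:19Z c.alpha download /repos/design/bom.xlsx 4000000
2024-03-01T11:05:55Z c.beta  download /repos/design/spec.pdf 7000000
2024-03-01T11:07:10Z c.beta  download /repos/design/notes.docx 5000000
2024-03-01T14:20:00Z j.staff download /backups/archive-2023.tar 60000000
"""

BASE_THRESHOLD = 50_000_000   # bytes downloaded per day before anyone alerts
FLAGGED_FACTOR = 0.2          # flagged-vendor contractors alert at 20% of that


@dataclass
class Alert:
    user: str
    day: str
    total_bytes: int
    threshold: int
    reason: str


def parse_log(text):
    """Turn the constructed log lines into (day, user, action, path, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append((ts[:10], user, action, path, int(size)))
    return events


def threshold_for(user):
    """Return (threshold, reason) for an account, tightened for flagged vendors."""
    vendor = CONTRACTOR_EMPLOYER.get(user)
    if vendor in FLAGGED_VENDORS:
        reason = f"contractor of flagged vendor {vendor}: {FLAGGED_VENDORS[vendor]}"
        return int(BASE_THRESHOLD * FLAGGED_FACTOR), reason
    return BASE_THRESHOLD, "baseline egress threshold"


def evaluate(events):
    """Sum download bytes per user per day and alert where the user's threshold is exceeded."""
    totals = defaultdict(int)
    for day, user, action, _path, size in events:
        if action == "download":
            totals[(user, day)] += size
    alerts = []
    for (user, day), total in sorted(totals.items()):
        threshold, reason = threshold_for(user)
        if total > threshold:
            alerts.append(Alert(user, day, total, threshold, reason))
    return alerts


def run_example():
    """Evaluate the constructed log; c.alpha and j.staff alert, c.beta does not."""
    return evaluate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.day} {alert.user}: {alert.total_bytes} bytes "
              f"(threshold {alert.threshold}) - {alert.reason}")
```

The point the sample data makes is that c.alpha and c.beta download the same 12 MB, but only c.alpha alerts, because the third party risk team's press review moved that account into a tighter tier; the baseline threshold still catches the direct employee j.staff. In a real deployment the account-to-vendor mapping and the flagged-vendor list would be fed from the identity provider and the third party risk team's case records rather than hard-coded.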
A third party with a corporate governance problem may or may not represent a direct information security threat. The value of third party risk management, though, is that it sits at the intersection of the business and security. Strong third party risk managers can translate security issues for procurement, strategic sourcing and other business teams and vice versa.
If social media analysis intended to shed light on possible lax security and privacy policies at a third party instead points to discrimination, bias, or reputational issues, the third party risk team can make sure other stakeholders are aware of these issues.
This may seem like an obvious thing that others would already be aware of, but other parts of the business may not be wired to look at risk the way a third party risk management team is, and flagging potential issues can have a major positive impact.
Your Third Parties
Chances are, a mature third party risk management team exists at a company much larger and with many more resources than most of the vendors it's tasked with evaluating. There are plenty of frustrating stories in the cyber security industry centered on misguided inquiries launched because a risk ratings tool sent an alert, and it’s unlikely that flagging a missing certification or a low-risk malware infection on a guest Wi-Fi network will add value.
That said, well-timed provision of actionable intelligence to an under-resourced third party may well be greatly appreciated.
For example, few companies have insight into dark web forums where their own data may be for sale. Even fewer have a program robust enough to analyze dark web findings to determine what actions can be taken to remediate an issue.
Taking the opportunity to work proactively with a partner to help them identify and act on an incident discovered through dark web analysis can go a long way toward improving not only your own security but also the reach of smaller third parties' security teams.