Third-Party Risk Management

The Shortcomings of Third-Party Risk Management and How to Get it Right for Your Organization

Data breaches targeting third-party vendor relationships are on the rise, especially those leveraging phishing and other social engineering methods. This fact reveals a weakness in most organizations’ cyber security regimens. It’s not that information security leaders – CSOs, CISOs and others – are unaware of the risks. It’s just that despite what they may consider to be robust practices internally, most are unintentionally missing the critical success factors of third-party risk management (TPRM) necessary to prevent breaches via third-party vendor channels.

This paper contains research aimed at assessing the “as-is” state of third-party vendor risk management for cybersecurity. We’ll review real-world examples from the last five years wherein successful companies were victimized via attacks originating with their vendors/supply chains. We’ll show the correlation between the shortcomings of contemporary approaches to third-party risk management and mitigation strategies and the resulting failures. Then, we’ll examine what must be done to successfully mitigate this exigent risk, arriving at the recommended “to-be” state for organizations serious about this challenge.

Defining the “As-Is” State of Third-Party Risk Management (TPRM)

There’s evidence to support the position that the profile of third-party risk management has grown in stature in the last several years. Consider the Mastercard RiskRecon and Cyentia Institute research report “State of Third-Party Risk Management in 2020,” based on a survey of 154 active third-party risk management professionals, members of the Third Party Risk Association and a large LinkedIn Peer Group. This exhaustive survey revealed:

  • 79% of organizations had formal programs in place to manage third-party risk in 2020
  • 84% of companies used vendor questionnaires as their most common risk assessment method
  • 69% used documentation reviews
  • 50% used remote assessments
  • 42% used cybersecurity ratings, and
  • 34% used onsite security evaluations

Taken at face value, any or all of these methods seem to be useful and appropriate. Yet, even at the time of this survey in 2020, those responsible for TPRM in their organizations were not confident that any of these efforts were effective. The same survey found:

  • 34% of respondents said they believed their vendors’ responses to the questionnaires (the most popular method at the time)
  • 14% expressed a high degree of confidence their vendors were meeting the security requirements they were asked to observe

Despite all these efforts, the lack of confidence reported by respondents to this landmark survey was borne out by the results these efforts yielded. And the results were not good! Consider the following five examples of companies that experienced significant and damaging data breaches between 2018 and 2021. Remember that each of these organizations had initiatives in place for TPRM when they were breached.

NutriBullet Breach (2018)

In 2018, a vendor serving NutriBullet – a manufacturer of popular blenders and other kitchen appliances – was targeted by a phishing scam. One of the vendor’s employees fell victim to this social engineering strategy, which continues to grow in popularity among criminals. As a result, the attackers were able to penetrate NutriBullet’s information systems through the third-party vendor’s access credentials and stole the personal information of NutriBullet’s customers, including names, addresses and credit card information!

Macy’s Breach (2019)

An employee of a third-party financial processing service provider serving Macy’s online retail sales sites was targeted by a phishing email. The resulting unauthorized access to Macy’s website data allowed attackers to capture names, addresses and credit card information of Macy’s customers.

BlackBaud Breach (2020)

This cloud computing provider serving the non-profit sector suffered a data breach in 2020. Again the result of a phishing scam targeting a third-party service provider, the BlackBaud breach revealed highly sensitive donor data, including names, addresses and donation histories of thousands of donors representing millions of dollars of donations.

Verkada Breach (2021)

Verkada Inc. is a California-based company that develops cloud-based building security and operating systems. The company develops and markets security equipment such as video cameras, access control systems and environmental sensors. Verkada suffered a data breach when an employee of one of its third-party contractors was targeted by a phishing attack. Attackers gained access to Verkada’s internal systems and were able to view live feeds from Verkada customers’ cameras! This example highlights the compounded risk of security failures within organizations in the business of protecting security and privacy, much like the hacking of Data Broker sites where enormous volumes of PII are stored under unregulated/uncontrolled conditions.

SITA Breach (2021)

SITA provides IT services specific to the airline industry.  As an IT organization, one might expect they’d have a better handle than most on cybersecurity and TPRM.  Yet SITA also fell prey to attackers who fooled a SITA employee with a phishing email, exposing the personal information of hundreds of thousands of airline passengers across numerous air carriers.

These examples are but a few of many breaches causing untold levels of financial and reputational damage to victimized organizations, to say nothing of those individuals whose sensitive personal data was stolen in the process. Most importantly, it should be noted that in each of these five examples (and the hundreds more we didn’t recount) it was a phishing scam, targeting a third-party vendor, that led to the breach and its damaging repercussions.

Equally important is a discussion of why the prevailing reported strategies for preventing these breaches failed to protect against unwanted or otherwise unauthorized access to secure data stores. Put simply, relying on questionnaires and other self-reporting strategies – wherein an organization asks or requires vendors to report on internal compliance with privacy protocols, awareness training and other practices – is wholly inadequate to the challenge. Naturally, seeking to retain the business relationship with its customer, a vendor is inclined to provide the responses it thinks the customer wants to hear regarding its adherence to risk compliance business rules.

Newer Third-Party Risk Management Strategies Are More Effective at Preventing Breaches – Right?

It would be gratifying to say this were true. Sadly, in spite of advancements and the growing awareness of the threat of data breaches originating from third-party vendor employees, phishing and other social engineering attacks continue to be a successful attack vector.

In 2023, according to leading security awareness solutions provider KnowBe4, a staggering 91% of all cyber attacks begin with a spear-phishing email, just like the ones directed toward all five of the examples from 2019-2021 recounted above. The Ponemon Institute, a pre-eminent privacy, data protection and information security policy research center, reports that 53% of companies have experienced a third-party data breach in the past year. Further reinforcing the notion that CIOs and CISOs are still very much aware of the broad vulnerability of their organizations to this type of third-party attack, Ponemon also reports that 67% of organizations believe they’re vulnerable to insider threats.

Evidence exists that organizations are taking steps to more aggressively address the risks presented by third-party breaches. Governance, Risk & Compliance (GRC) and Vendor Risk Management (VRM) are the two strategies Gartner Group recommends in its Market Guide for IT Vendor Risk Management Solutions report. Of course, this report focuses only on IT Vendor Risk Management, since software supply chain risks are among the most prevalent, damaging and pernicious. (For more details and information on software supply chain risk, read the Privacy Bee White Paper titled “Supply Chain Attacks are On the Rise – A Primer on Supply Chain Privacy Risk”.) However, the fundamental motivation for guarding against third-party exposure is the same.

GRC is critical because, as famous management consultant Peter Drucker said, “If you can’t measure it, you can’t manage it.” Organizations are aware that they must set and enforce thresholds and tolerances for risk mitigation both internally and extensively across all their third-party business relationships. GRC planning helps companies articulate their business rules and then include them in all procurement activities to ensure that all vendors and contractors are compliant as a condition of awarding business contracts. Yet, it would be difficult and rather pointless to develop GRC guidelines without some way to track and quantify risk. That’s where Vendor Risk Management comes into the picture.

Gartner says VRM is an essential requirement and goes on to define the functions of effective VRM solutions.  They suggest critical capabilities should include:

  • Automation of part or all of the assessment, analysis and control validation process
  • Providing remediation and mitigation guidance
  • Facilitating the monitoring of risks associated with vendors and other third parties that access, support or control information assets
  • Acquisition, analysis and reporting of vendor risk data sourced from public and private sources

With the cost of cyber attacks projected to top $6 trillion in damages in 2023, it is safe to characterize the need for effective solutions as extremely critical. Yet in the years between 2019 and today, despite the expanded awareness and proliferation of new strategies for mitigating the risk, third-party risk management continues to be a contest many organizations are losing. Below are sadly familiar examples of third-party data breaches ripped from the headlines at the time of this writing in 2023.

Webster Bank Breach (2023)

In April 2023, thousands of Webster Bank customers were informed that their personal information – including financial data – was exposed via a data breach of the bank. The breach occurred via a third-party vendor, Guardian Analytics, which – ironically – provides fraud protection services to Webster Bank. The Connecticut Attorney General says the breach impacted more than 150,000 people in that state; of those, nearly 120,000 people had their name and account numbers exposed, and almost 40,000 had their social security numbers exposed in addition to name and account numbers.

This example is especially vexing because the weak link was a vendor that provides fraud protection services. In fact, data brokers and other organizations that stockpile PII are targeted more often by cybercriminals because that’s where deep pools of PII exist.

Aetna Insurance Breach (2023)

In May 2023, a leading insurance provider, Aetna Insurance, announced that a suspected cyber-attack on one of their third-party vendors had resulted in a significant data breach. Aetna said the company NationsBenefits, which provides hearing and flex card benefits to select Aetna customers, had been breached by a malicious actor via third-party software used in file exchanges between the two companies. The data revealed included names, gender, health plan ID number, address, date of birth and phone number.

NextGen Healthcare Breach (2023)

In May 2023, a class action lawsuit was filed in U.S. District Court for the Northern District of Georgia against NextGen Healthcare – an electronic health record and practice management development company. The plaintiffs were victimized when their sensitive data was accessed via a data breach exposing their names, birthdates, social security numbers and addresses in March and April of this year. The suspected source of the breach was credentials stolen from third-party sources.

“We have determined that an unknown third party – using provider credentials that appear to have been stolen from sources or incidents unrelated to NextGen – gained unauthorized access to a limited set of personal information electronically stored on the NextGen Office system,” the company told Healthcare IT News.

The Correlation Between Today’s Third-Party Risk Management Strategies and Security Failures

As we’ve seen, organizations are taking plenty of actions to get a handle on vendor risk mitigation and to avoid third-party breaches. The evidence above suggests many organizations have some kind of formal program in place. Most are already leveraging vendor questionnaires, documentation reviews, and both onsite and remote security evaluations and assessments. Many are also assigning ratings to their vendors. The most contemporary thinking, as Gartner confirms, involves implementing strong governance and compliance policies. Doing so necessarily requires having the capacity to establish, monitor and analyze vendor risk levels.

In the absence of any portion of these recommendations, the entire endeavor fails. In short, organizations know they need to ask probative questions of their vendors, but they may not be asking the right questions. Organizations may establish seemingly relevant governance and compliance standards, but they often lack the capacity to track and measure compliance with their strictures. Success in this effort will require all pieces of the VRM and GRC infrastructure to be in place, supporting functional defenses against the phishing and other social engineering attack vectors being used to exploit third-party relationships.

Defining the “To-Be” State of Third-Party Risk Management and Mitigation Practices

Establishing an effective structure for governance, risk and compliance must rely heavily on an organization’s ability to accurately assess the risk posed by third-party employees and the exposure of their Personally Identifiable Information (PII) on the internet. There is a direct correlation between the amount of unsecured external data/PII and the ease with which cybercriminals are able to successfully execute phishing scams that result in damaging breaches like those recounted above.

The Privacy Bee platform – specifically the Vendor Risk Management element – not only enables organizations to assess and enforce privacy risk compliance among their internal workforce, but also provides the same set of tools to “cover” the employees within all third-party workforces. “Coverage” involves the removal of exposed PII from internet sources like Data Broker sites, People Search sites, public records, social media sites, corporate websites and other publicly available sources. Whether an organization uses internal resources to remove the exposed PII or engages the Privacy Bee service to perform this work, Privacy Bee technology and services address all the elements required to field a successful privacy and vendor risk management practice as defined earlier in this document.

The process begins with the Privacy Bee “PRA” or Privacy Risk Assessment features, which are akin to the questionnaires nearly all organizations polled by the Mastercard survey reported already producing. The Privacy Bee platform automates the process of delivering in-depth surveys to internal and external vendor employees alike. The two screen captures below illustrate how the surveys are administered.

With the responses captured by the exhaustive PRA process, the Privacy Bee platform is able to populate a risk assessment visualization for each and every individual within the organization and its external partners with access to sensitive data. All the data for each discrete vendor is then aggregated by the solution to provide an overall risk calculation and profile for every vendor or partner organization. In the screen capture below, we see a representation of a vendor risk management profile for a Privacy Bee for Business customer. On these screens, each vendor organization is assigned a risk score according to the volume of exposure identified among its workforce during the PRA. Columns on this visualization identify important metrics such as:

  • Which department the vendor serves within the organization
  • The number of employees within the vendor organization with access to your information systems
  • The extent to which external data on employees within the organization has been removed from public records
  • The percentage of change between privacy protection at the outset versus current state following cleansing activity

The VRM dashboard then derives a risk level for each vendor (which changes as Privacy Bee works to improve privacy within the relevant workforce elements of each vendor). It also provides an aggregate risk score for your entire base of vendors, helping your organization understand its relative risk of suffering a breach via social engineering and other attack vectors. The data can be segmented by internal department to isolate functional areas within your operation where the risk is highest, so these problem areas can be targeted for more aggressive action, or so departmental leaders can be held to internal governance regarding vendor risk levels.

This data can also be used to show vendors whose risk scores fall below acceptable tolerances their non-compliance with your governance rules/guidelines. Having such visibility and control over privacy risk helps enforce governance and minimum thresholds for acceptable privacy controls within your entire supply chain of vendors, service providers and any other external group with any level of access to your internal information systems. Procurement departments may also use these assessments in their RFx process to set and enforce compliance goals. Vendors whose privacy scores fall below acceptable tolerances can be removed from service.

The VRM dashboard also provides the ability to track the progress of risk mitigation activities over time. Either on an aggregate basis or on an individual vendor basis, the visualization illustrates the extent to which efforts to remove vendor-employee PII from accessibility on the internet are having the desired effect of lowering risk.

In sum, the Privacy Bee for Business VRM suite checks all the boxes for effective GRC and VRM as defined in this paper, beginning with questionnaire-type activity, review of documentation and the ability to perform risk assessments remotely. It then provides the crucial infrastructure to derive security ratings and delivers the tools to perform security evaluations. At the same time, the Privacy Bee for Business solution comprehensively supports governance, risk and compliance practices by delivering detailed, accurate data on the real risk profile of every third-party vendor and each of the employees therein. This real-time data may be used to support purchasing/procurement processes and ensures that only risk-hardened vendors are provided access – to any degree – to your internal information systems.

Privacy Bee for Business is the only commercially available solution that brings together all the elements necessary to ensure third-party risk is successfully neutralized. For more information on the Privacy Bee platform and the VRM segments of the broader solution, reach out for a product demo and consultation.