by Hank Berkley
Contributing editor

The concept of a fully integrated business ended with Henry Ford. It has been replaced by strategic outsourcing, coordinated partnerships and a focus on core strengths. While a key benefit of distributing responsibility is that problems are distributed too, the responsibility for cyber security cannot be pushed out to others; on the contrary, your organization assumes the security exposure of every company with which you work.

In security audits these “shared” responsibilities are referred to as third-party risk; a misnomer, since the risk all sits with you. But unlike primary security issues, third-party risks offer far fewer options for managing them. Risk registers typically have a single entry to reflect that third-party risk exists, but measuring it can be a rabbit hole, which is why many businesses do the minimum they can get away with just to check the box. Regulators 1; Risk Management 0.

As a side note, many firms fold third-party risk management into existing vendor management teams. While this can be done, it requires different skills than the typical accounting and contract management skills found in vendor management departments. Third-party risk is not the same as vendor management!

Even in a small business, the amount of outside risk can be significant. We tend to focus on vendors who have connections into our networks. The breach at Target is a favorite example: the retailer had allowed its air conditioning support company to access its network to monitor equipment. The truth is that those situations are the least common and the easiest to mitigate. Among the third-party relationships that need to be considered are:

  • Entities with remote access to your network
  • Entities with access to your systems (including websites)
  • Those with whom you exchange data – real-time or batch exchanges
  • Manufacturers of equipment you use

The best practice is not to trust anyone, but this is not always practical. For example, the U.S. government has expressed fear that network equipment made by Huawei, a large Chinese company, may be secretly stealing information and sending it back to the Chinese government. Whether this is true or not doesn’t matter here. What matters is whether you should take a chance. All else being equal, why would you risk this? What if the Huawei equipment cost 25% less than the competition? What if it was faster or more reliable? You may make the choice to use or not use Huawei, but what if a vendor connected to your network chose to use Huawei gear? How would you know, and how far down the chain can you try to manage things on such a micro level?

There are three basic aspects that should be considered as part of managing cyber security with respect to vendors – contractual, certification and verification. These are applied to varying degrees based on the situation. However, no matter what steps you take, it is important to recognize that you cannot walk away from owning the ultimate responsibility for security.

Of course, before determining the appropriate actions for each third party, one must identify who the third parties are. A good starting point is the list of vendors in your accounts payable (AP) system. Many won’t be pertinent, like the florist down the street, and some will be missed, like the equipment manufacturers whose hardware comes through resellers. And it will likely not cover third parties who have a non-vendor relationship with your company. For instance, it would omit government agencies with whom you exchange data and distributors whose systems are directly connected to your inventory system. As with building the risk register, creating a list of third parties is a manual endeavor that could require input from many parts of your organization, but AP is a great start. And like the risk register, it doesn’t have to be perfect to be put to use.

Unlike the risk register, where new risks can come from any part of your business, maintaining a list of third parties as they change can be a straightforward procedure, since they are introduced from a limited number of sources. There may be little or no risk involved with a new third party, but at the very least, adding it to an inventory should become part of vendor management’s process, as well as SOP whenever external network connections are implemented.

With the list in hand, the next step is to triage the members, as it is impossible to evaluate each of them fully. Next time we will discuss the triage and vendor evaluation processes.
