This is part two of a two-part series about third-party risks and cybersecurity frameworks. If you haven’t already read it, check out part one here.
In part one of this blog series, we explored increasing risks caused by third-party relationships and how they can introduce risk into your organization both short- and long-term.
Now, we’ll go a bit deeper with a closer look at how cybersecurity frameworks can help you reduce third-party risks for your organization.
What’s a cybersecurity framework?
A cybersecurity framework is a set of recommendations and guidelines to help you reduce cyber risks for your organization.
A cybersecurity framework can help you better understand and evaluate your cybersecurity posture within your organization so you can mitigate weaknesses, close gaps, and plan remediation.
A framework is also a great tool to help gauge how well you’re meeting your compliance standards and regulations and where you may need to make adjustments before an audit or attempted breach.
You can use a cybersecurity framework to create cybersecurity and compliance protocols for your organization, no matter how large or small your organization may be. It’s also a great supporting resource to help you mature those practices over time.
Organizations that deal with personally identifiable information (PII), personal health information (PHI), and other sensitive data are often required to have a cybersecurity framework to demonstrate compliance with a variety of state, federal, and industry-specific standards.
Although the focus of this article is on frameworks used to specifically address third-party risks, there are several types of cybersecurity frameworks to help you protect your business. For example:
- A cybersecurity program framework can guide you on how to create a security program and measure your program’s success and weaknesses. ISO 27001, for example, is a framework you can use to implement an information security management system (ISMS).
- A risk framework helps identify an organization’s risks, measure risk impact and then prioritize and plan how to address those risks. More mature organizations may also use a risk framework to help document practices and follow up on the steps to remediate risk. NIST 800-30 is an example of a risk management framework.
- A control framework creates baseline controls for your cybersecurity practice. From there, you can evaluate how well you’ve implemented those controls at any point in time and then use that information to make plans to improve where you have ineffective or insufficient controls in place. ISO 27002, for example, can be used to set controls for a security management program for your organization.
Because of an increasing number of data breaches and other cybersecurity attacks across multiple industries in recent years—and related fines and recovery costs that can easily cost larger enterprises millions of dollars—organizations today are making deep investments into cybersecurity.
While many organizations are making better investments in their overall cybersecurity and compliance programs, much of that focus is inward, ensuring that employees and the company meet requirements and decrease cyber risks to minimize impact of potential hacks or other malicious behaviors.
Unfortunately, this inward focus can overshadow attention to risks created by third-party relationships, even though when it comes to compliance in many industries, the organization may be liable for its vendors (and their vendors, too) as they are for what happens within the company’s own internal network and operations.
And attackers know that third-party security isn’t always vetted as closely as internal measures, and they’re constantly looking for new ways to exploit those relationships and access systems that contain critical and valuable data.
Earlier this year, for example, the FBI issued an alert about Kwampirs malware targeting supply chains. Attackers are using the COVID-19 pandemic to target more organizations, particularly those in the healthcare supply chain.
Kwampirs first appeared back in 2018 and is considered an advanced persistent threat (APT) that continues to infect networks across a variety of industries.
Kwampirs is a remote access trojan (RAT). Attackers use a variety of tactics—for example, phishing campaigns with malicious links—to initiate a malware infection. From there, it spreads across interconnected networks—for example, supply chain connections for industries such as healthcare, IT, finance, and the energy sector.
Kwampirs is one example of a way attackers exploit the weakest link in supply chains and other third-party relationships, but it’s not an isolated event. According to one study by Ponemon Research Institute, about 53% of organizations say they’ve had at least one third-party breach in the past two years with an average cost of $7.5 million dollars.
Not prepared for third-party risks
That same Ponemon study revealed that almost 60% of organizations say their programs for third-party risks are early stage, meaning not yet deployed or only partially deployed. This ultimately means that the majority of organizations have immature third-party risk programs.
And when those programs successfully discover gaps or issues, only about 24% work directly with their third-party vendors to mitigate known security issues. Rather than require, most only request those issues be resolved.
Response and mitigation strategies
For many organizations, third-party cybersecurity processes are directly connected to compliance standards, but is that enough to keep your organization safe?
While most organizations agree that third-party cybersecurity measures are important, many say their existing processes are ineffective, and less than half of those surveyed in the Ponemon study say their organization has funding specifically earmarked for third-party programs.
The study estimated the average annual cost to implement appropriate controls—regulatory compliance, procedures to enforce non-compliance with security requirements, evaluation and vetting for third-party security, third-party liability mitigation, data breach and cyber incident response procedures, and risk prioritization processes—exceeds $11.3 million.
Wide-spread adoption of these processes is not only costly, but can also be time-consuming. Many organizations still use manual processes to do them. So where do you begin? If you have limited funding, resources, or staffing, how can you build a third-party cybersecurity and compliance program to help keep your organization safe?
Using a cybersecurity framework for third-party risks is a great place to begin.
Selecting a third-party risk assessment framework
There are several third-party risk assessment frameworks you can use to build your program or help mature your existing processes. In some cases, your organization’s needs may be so diverse that you’ll benefit from adopting best practices from more than one framework.
Before selecting a framework, you’ll need to address a few key points:
- What are your organization’s goals and objectives?
- What are your organization’s acceptable levels of risks for doing business with a third party?
- What does your organization need to achieve from a compliance standpoint?
- Does your organization have an executive sponsor who can champion your risk assessment program?
- Does your organization have business associate agreements (BAAs), service level agreements (SLAs), or contract standards for third-party vendors?
If you’re new to the concept of cybersecurity frameworks for third-parties, a great starting point is the National Institute of Standards and Technology (NIST).
Another good resource is the International Standards Organization (ISO). ISO goes beyond just recommendations by allowing your organization to get certified for your risk-assessment processes and strategies through ISO.
Adopting a framework
If you’re adopting a new risk assessment or similar framework for your supply chain vendors, you can do so in increments and then build from there.
First, begin by creating policies, procedures, and standards for your vendor risk assessments. These assessments include your cybersecurity and compliance standards.
Next, do an inventory of all your existing supply chain vendors. For those vendors, do you have SLAs, BAAs or contracts in place that outline your cybersecurity and compliance requirements?
Here are a few examples of issues that should be addressed:
- What types of data does the vendor have access to?
- Does any of that data originate from your customers, further downstream in the supply chain?
- How much data can the vendor access?
- How does the vendor store that data?
- What processes does the vendor use to protect that data?
- How is your data transmitted?
- What happens if the vendor had a data breach?
- What happens if there is a disaster or disruptive event that affects the vendor’s operations? How will that affect your ability to do business?
- What happens to your data at the end of your contract or agreement? Does the vendor destroy the data or is the data returned to you?
You should determine risk level for each vendor in your supply chain. If the vendor exceeds your organization’s acceptable level of risk, or your customers’ acceptable levels of risk, how does that affect your relationship? Can the vendor quickly mitigate those risks, or do you need to modify the relationship?
After determining whether you’ll accept, mitigate, or reject vendor risk, it’s time to dive deeper into your vendor’s security and compliance policies. Can you find gaps in existing practices? If yes, you should work with your vendor to create a plan to resolve those issues.
Finally, don’t just set-it-and-forget-it when it comes to your vendor risk assessment practices. You should routinely evaluate your vendors’ practices, at least annually and at agreement renewals, but more frequently if you can. As your internal cybersecurity and compliance practices mature, make sure your vendors keep up.
And, if your vendors use third-party vendors for supplemental service, remember those vendors should also meet your same security and compliance standards.
Frameworks for third-party risks
NIST’s Cybersecurity Framework includes a component for supply chain risk management. This section includes criteria that organizations of all sizes can adopt to help them better manage security issues related to third-party vendors.
Here’s a quick overview of some of the supply chain risk issues addressed within the framework:
- Identify, establish, assess, and manage supply chain risk management processes
- Establish contracts with third-party vendors to ensure implementation of security measures that align with your organization’s cybersecurity, compliance, and risk management standards
- Routinely assess your third-party suppliers with audits and test results and other evaluations to ensure they’re meeting your contractual agreements
- Conduct response and recovery planning and testing with your supply chain partners
Rev. 4 of NIST 800-53 framework also includes a supply chain protection component including guidance on:
- Acquisition strategies
- Supplier reviews
- Limitation of harm
- Operational security
- Penetration testing
- Critical information components
- Identity and traceability
- Processes to address weaknesses
ISO 27011, which focuses on certification for information security management, is also a great framework for third-party risk mitigation. It can be used to help your organization—as well as your third-party vendors—identify risks to your cybersecurity program and adopt controls to reduce that risk.
Vendors who are ISO 27001 certified may introduce less risk into your organization than those without the certification. And if you’re an organization who is a third-party vendor for others, your IS0 27000 certification demonstrates that your organization has adopted best practices for cybersecurity.
In addition to these frameworks, many industries have industry-specific compliance standards that you should also include in your organization’s framework.
Earlier, we discussed how many organizations still use manual processes to manage their cybersecurity and compliance programs.
Once you take a closer look into compliance frameworks and the foundations they create for resilient programs, if you’re still using manual processes, you may struggle to keep up and mature your program as your organization grows.
The Ponemon study we mentioned earlier draws correlations between improved effectiveness and management of program controls with improved management of third-party risks. Together, they help increase efficiencies and decrease costs.
A cybersecurity management program may be beneficial in developing your third-party risk standards and managing them over time.
With a platform such as Apptega, for example, you can select a framework that best meets your organization’s goals and objectives, and from there, you can build on that framework to personalize it for your needs, including adding and adjusting controls over time.
But it’s more than just framework selection and creation. Over time, the cybersecurity framework management software should help you manage multiple frameworks, get clear visibility into your program—including identifying gaps that need your attention—and creating easy-to-understand reports that facilitate effective organizational-wide communication about your program. These core components can help your organization make better business-based decisions that align your cybersecurity and compliance protocols with your organization’s business goals and objectives.
If you’d like to know more about cybersecurity frameworks and how to choose the one that’s fits your organization’s needs, check out our on-demand webinar, “How to Choose Which Cybersecurity Framework to Follow” or contact an Apptega advisor today for more information.