Awareness of the risks posed by third-party vendors is high among organizations across industries, but visibility into those webs of business connections remains low, a survey released by a provider of third-party risk management services has found.
The survey of 100 security executives, conducted in June by Panorays, found that 84% of executives said their organizations are prioritizing third-party risk management — suggesting that awareness of the risks posed by vendor relationships is growing.
Daniel Kennedy, research director for information security and networking at 451 Research, part of S&P Global Market Intelligence, said the interest in third-party risk is based largely on some key factors, including:
- Well-publicized attacks that have led to downstream intrusions that caused the leak of end-customer, nonpublic information
- Breach notifications required because of something that happened at a third party
- Increased compliance requirements around vetting suppliers, especially those given liberal access or a lot of data
"Since almost all organizations leverage suppliers, the question I have is why it isn’t a priority at some level for 100% of organizations?"
—Daniel Kennedy
Here's what your app sec team has to know about third-party risk management — and why you need to prioritize comprehensive supply chain security.
[ See the IT GRC Webinar: Innovating third-party security risk monitoring and management | See report: Why dev and SOC teams must shift left together ]
Financial and reputational damage gets real
Erich Kron, the security awareness advocate at the training provider KnowBe4, said the rise of attacks on supply chains via third-party vendors has put the risks they pose on the radar of many organizations.
"With the recent newsworthy attacks demonstrating the dangers that supply chain vendors can pose, it makes sense that organizations are prioritizing a once largely overlooked threat. Many organizations have come to the realization that this risks are underappreciated and are taking steps to mitigate them."
—Erich Kron
Matt Rose, a field CISO at ReversingLabs, said the supply chain security problem affects both sides of the security house: application security and the SOC.
"If software supply chain security is a problem, it's a problem for not only the creators of the software, but also the consumers of the software. You control what's happening in your house, but you also need to control what you let into your house, too."
—Matt Rose
Rose said software development and release teams all want their applications to be free of malware — and free of risk to your organization. But third-party risk management means you have to expand your scope to things that are under the purview and responsibility of people who aren't technical.
"What if a secretary downloads the latest shipping app? That stuff is difficult to police unless there are processes in place that require vetting of those third-party apps."
—Matt Rose
Dror Liwer, co-founder of the security firm Coro, said third-party risk is also garnering increased attention from organizations because of the potential financial and reputational effect it can have on a business.
"If one of your vendors leaks your customer’s information, your name will be tarnished and lawsuits will be directed at you. Most organizations now realize that, and so do their insurance companies, which are requiring them to tighten their third-party risk exposure."
—Dror Liwer
Get on the right path to managing third-party risk
If organizations are prioritizing third-party risk management, is that being translated into action? Michael Amiri, a senior digital security analyst at the technology intelligence firm ABI, said organizations need to dig deeper into that question "to reveal what they are exactly doing to gain insight into their supply chains."
"If this means they are generating an SBOM [software bill of materials] for their products on a regular basis, analyzing those SBOMs — either themselves or through service providers that provide SBOM generation and software security lifecycle analysis — in order to screen their third-party components and potential breaches and vulnerabilities, then they are on the right path."
—Michael Amiri
Amiri said ABI Research found in talking to SBOM management providers that only about half of industrial device manufacturers are suppliers for SBOMs, which reveals that "prioritizing is very different than actually doing something."
Even for organizations with the best intentions, gaining visibility into their vendor networks can be challenging, said Tom Goings, director of product management at the endpoint security firm Tanium.
"You might have great visibility into SBOMs for newly purchased software but lack complete visibility into older software or one-off tools used by employees."
—Tom Goings
Third-party risk is extremely hard to manage in any organization, noted Panorays advisory CISO Sue Bergamo, because organizations today are not just dealing with one vendor. "There's a multitude of vendors that can be involved in the processing of information on a daily basis," she said.
"When you have that many organizations helping to process data, the threat landscape and attack surface increase with every single integration point that you have. That's why it's hard to manage."
—Sue Bergamo
Bergamo said that not enough organizations are focused on third-party risk management, "but they should be because of the attacks that are happening out there."
Third-party risk management: Why monitoring matters
The survey also found that only 13% of organizations continually monitor their third-party security risks. That reflects a significant shortfall in ongoing vigilance by organizations, the report noted.
This lapse can be particularly detrimental when dealing with critical third-party relationships, it continued, where risks can rapidly change and have a substantial impact. Effective risk management demands not only robust assessment techniques but also a commitment to continuous monitoring and vigilance.
"Continuous monitoring is needed because the landscape is changing constantly. Security threats continue to grow."
—Sue Bergamo
Lisa Cook, a technical research manager at IT professional organization ISACA, said organizations have a responsibility to put mechanisms in place to ensure that third parties are managing risk according to standards set by that organization.
"Monitoring becomes a challenge," she said, "when language is not built into contracts requiring periodic evidence of robust risk management practices, timely disclosure of issues — such as security breaches — and information on which of the third party's subcontractors are essential to the delivery of products or services to the organization."
"Nothing is static," Liwer said. "During contract negotiations and signing, a vendor can comply with security and regulatory requirements, but as new threats emerge and new regulations get enforced, the exposure could change dramatically. This requires organizations to maintain constant vigilance over their third-party risk."
Kennedy explained that the majority of third-party risk is typically managed with manual questionnaires and spreadsheets, usually at the time of procurement. "It is difficult to assess the security posture of third parties in a meaningful way, especially on a continuous basis," he said. "You need their agreement, coordinated testing activities, and the like. Many of the solutions that perform third-party security today primarily rely on data that can be gathered from outside an organization’s perimeter."
Fourth-party risks on the rise
Fourth-party risks also pose a problem for organizations, the survey found, with 43% of businesses acknowledging they had an insufficient view of those risks.
"The further down the supply chain you go, the harder it is to understand the risks these vendors pose."
—Erich Kron
Kennedy said that fourth-party risks pose a difficult problem for an organization's supply chain, because they're arrangements between a supplier and other companies.
"The toolkit to manage this starts with asking about and requiring updates on any downstream companies that could have access to your organization’s or customers’ data, or pathways that allow access to your organization. In my personal experience as a CISO, it is very difficult to get some large suppliers to agree to this."
—Daniel Kennedy
Prioritizing third-party risk management is key
Panorays co-founder and CEO Matan Or-El said in a statement that it's clear third-party risk management needs to be a priority for businesses in all sectors. "However, our report indicates that many companies are not fully utilizing effective strategies for continuous risk monitoring and visibility across the digital supply chain."
"[The survey also] highlights the need for strategic refinement and ongoing adaptation in third-party risk management methodologies," Panorays co-founder and CEO Demi Ben-Ari said in the statement.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.