www.wsj.com
2600:9000:21f3:e200:3:4b0:de80:93a1

Submitted URL: https://www.venminder.com/e3t/Ctc/WW+113/c2Npz04/VWXpvm5FkyX4W5m7m_140n_5zW6TYKFS4KxSy0N3S9PH_3q3pBV1-WJV7CgTpHW1cTYK03xH9...
Effective URL: https://www.wsj.com/articles/third-party-cyber-risk-management-primer-11652990949?utm_campaign=Third%20Party%20Thurs...
Submission: On May 27 via api from US — Scanned from DE

This copy is for your personal, non-commercial use only. To order
presentation-ready copies for distribution to your colleagues, clients or
customers visit https://www.djreprints.com.

https://www.wsj.com/articles/third-party-cyber-risk-management-primer-11652990949


WSJ Pro Cybersecurity Research


THIRD-PARTY CYBER RISK MANAGEMENT PRIMER

By
David Breg , Deputy Research Director, WSJ Pro
May 19, 2022 4:09 pm ET

KEY POINTS:

 * Hackers exploit the trust relationships between organizations and their
   third-party suppliers and vendors, resulting in potentially damaging targeted
   and untargeted attacks.
 * Understanding the organizations in a supply chain and critical dependencies
   is essential to reducing the risk, though some threats are nearly impossible
   to mitigate.
 * Multiple internal stakeholders working together with technology solutions and
   consultancy expertise can significantly reduce the risk of, or impact from,
   supply chain attacks.

“Gone are the days when organizations could wash their hands of liability or
damage to reputation from outsourced work due to ethics and compliance
failures.”

— Marjorie Doyle, principal with Marjorie Doyle & Associates and former chief
ethics & compliance officer at DuPont

Ms. Doyle’s warning should resonate with risk and compliance officers. A
mistake by a vendor or contractor can become a costly and time-consuming
problem for the company that hired it, and can lead to reputational damage if
customers are affected. This is especially true in cybersecurity, where there
are numerous examples of companies harmed by preventable mistakes made by
vendors in their supply chains. One has to look no further than the recent
attacks that arrived through the software supply chain: the trojanized updates
to SolarWinds Corp.’s Orion software and the mass exploitation of
vulnerabilities in Microsoft Corp.’s Exchange email server software. These
attacks, which were very difficult for customers to prevent, may have affected
tens of thousands of organizations globally, and their full effects are still
not understood.

“583”

— Number of third parties with which the average company shares data, according
to a 2018 Ponemon Institute survey of more than 1,000 IT and IT security
officials.

Perhaps the most high-profile third-party attack was the breach that affected
Target Corp., which began with network credentials stolen, via a phishing
email, from a refrigeration and air-conditioning contractor for the retail
giant. The attack resulted in approximately 40 million stolen credit and debit
card records, an $18.5 million multistate settlement and a significant black
eye for the company’s reputation. It should be a cautionary tale for
businesses around the globe that rely on third-party suppliers.

THE CRUX OF THE CHALLENGE

The supplier ecosystem provides a highly desirable target for cybercriminals. A
successful attack on one company’s network opens up numerous opportunities to
expand into other connected businesses. It may take weeks before the intrusions
are revealed, if they are ever discovered, providing ample time for the
attackers to infiltrate multiple systems without being detected.

“44%”

— Organizations that suffered a third-party breach in the past 12 months,
according to a 2021 Ponemon Institute survey of 627 risk managers.

Complicating matters are the multiple attack vectors criminals can use to
infiltrate a supply chain. These include stealing login credentials from
third parties (Target), trojanizing third-party software updates (SolarWinds),
and injecting malicious code into vulnerable web applications or software
components to skim customer payment card information.



And the potential damages from third-party breaches are substantial. Examples
include significant operational downtime, loss of sensitive information and
revenue, reputational damage, compliance issues and legal complications,
including fines.

DESIGNING AND IMPLEMENTING A PLAN

“38%”

— Organizations stating they had no way of knowing when or if an issue arises
with a third-party, according to a BlueVoyant survey of 1,200 chief information
officers, chief information security officers and chief procurement officers.

The dangers posed by third-party vendors are apparent, but what can be done to
minimize them? Third-party cyber risk management (TPCRM) is a strategic
approach that enables an organization to analyze and monitor the cyber risks
associated with suppliers, vendors and other service providers. A
well-organized program can mitigate third-party cyber risks while also
streamlining the general process for onboarding and managing third-party
suppliers.

There are a variety of approaches to third-party cyber risk management, some of
which can be found in this paper’s Resources section. Many adhere to the
following format:

 * Identify: Compile a current list of vendors and suppliers by working with the
   organization’s procurement office.

 * Prioritize: Develop a rating system that ranks the third parties based on
   the following considerations:
   * Their level of access to your network
   * The importance of the relationship to your business
   * Their cyber profile and the precautions they have taken
   * The criticality of the data they can access

 * Assess: Conduct a full audit of your partners and assign each one a score.
   * This can be done by sending all of the relevant parties a questionnaire
     that delivers insight into their cyber practices and the potential risks
     to your operations.
   * An outside consultant with experience designing and analyzing the results
     of TPCRM questionnaires can be brought in.
   * Technology solutions that ingest a list of third parties, score them and
     provide ongoing scanning are also an option.

 * Respond: Take action with each organization in order of the risk it poses,
   choosing among the following options:
   * Accept the risk the organization poses
   * Work with the third party to improve its posture to a tolerable level and
     monitor it while it makes corrections
   * Remove the third party and seek a replacement with cyber posture in mind

 * Track: Conduct follow-up inquiries to measure progress.
 * Standardize: Establish an onboarding process for every new partner, with
   data breach notification requirements in the contract as one of the
   stipulations.
 * Revise: Conduct regular reviews of the program to enable enhancements.

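To make the Prioritize, Assess and Respond steps concrete, here is a small vendor-tiering model in Python. It is an added worked example, not code from this primer or from any of the firms, tools or frameworks the primer mentions; the rating scale, the weights, the tier cut-offs, the response rules and the four sample vendors are assumptions chosen for illustration.

```python
"""Vendor prioritization and response for a third-party cyber risk program.

Added worked example; it is not code from the WSJ Pro primer. It turns the
Prioritize / Assess / Respond steps into a small scoring model. The rating
scale, weights, tier cut-offs, response rules and the sample vendor list are
all assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal rating used for each of the primer's four considerations."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Vendor:
    name: str
    network_access: Level        # LOW = portal login only ... CRITICAL = VPN/privileged
    business_importance: Level   # how hard the relationship is to lose or replace
    data_criticality: Level      # sensitivity of the data the vendor can reach
    posture_score: int           # 0-100 from questionnaire/scanning; higher is better
    breach_notification_clause: bool  # contractual notification requirement in place


def inherent_risk(v: Vendor) -> float:
    """Exposure before the vendor's own controls are considered (range 1.0-7.0).

    The exposure term takes the MAX of network access and data criticality
    rather than an average: a contractor with remote network access but no
    data entitlements is still a path into the environment (the Target
    pattern), and averaging would dilute that single dominant factor.
    Business importance then scales the impact by 1.0x-1.75x.
    """
    exposure = max(v.network_access, v.data_criticality)
    impact_multiplier = 1 + 0.25 * (v.business_importance - 1)
    return exposure * impact_multiplier


def priority_tier(v: Vendor) -> int:
    """Prioritize: 1 = assess first, 3 = lightweight review."""
    r = inherent_risk(v)
    if r >= 4.0:
        return 1
    if r >= 2.0:
        return 2
    return 3


def naive_average_tier(v: Vendor) -> int:
    """The tempting alternative: average all three exposure ratings.
    Kept only to show how it under-ranks single-factor risks."""
    r = (int(v.network_access) + int(v.business_importance) + int(v.data_criticality)) / 3
    return 1 if r >= 3.0 else 2 if r >= 2.0 else 3


def response(v: Vendor) -> str:
    """Respond: accept, remediate-and-monitor, or replace, driven by the
    priority tier and the assessed posture score."""
    tier = priority_tier(v)
    if tier == 1:
        if v.posture_score < 50:
            return "replace"
        if v.posture_score < 80:
            return "remediate and monitor"
        return "accept and monitor"
    if tier == 2 and v.posture_score < 50:
        return "remediate and monitor"
    return "accept"


def contract_gaps(v: Vendor) -> list[str]:
    """Standardize: onboarding stipulations every vendor must meet."""
    gaps = []
    if not v.breach_notification_clause:
        gaps.append("add data breach notification clause")
    return gaps


def build_plan(vendors: list[Vendor]) -> list[dict]:
    """Track: one row per vendor, ordered so the riskiest is handled first."""
    rows = [
        {
            "vendor": v.name,
            "tier": priority_tier(v),
            "inherent_risk": inherent_risk(v),
            "posture": v.posture_score,
            "response": response(v),
            "contract_gaps": contract_gaps(v),
        }
        for v in vendors
    ]
    return sorted(rows, key=lambda r: (r["tier"], -r["inherent_risk"]))


# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("hvac-contractor", Level.CRITICAL, Level.LOW, Level.LOW, 35, False),
    Vendor("payroll-saas", Level.LOW, Level.HIGH, Level.CRITICAL, 85, True),
    Vendor("marketing-agency", Level.LOW, Level.LOW, Level.MEDIUM, 40, True),
    Vendor("office-supplies", Level.LOW, Level.LOW, Level.LOW, 20, False),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_VENDORS):
        gaps = f" [{'; '.join(row['contract_gaps'])}]" if row["contract_gaps"] else ""
        print(f"T{row['tier']} {row['vendor']:<18} risk={row['inherent_risk']:.2f} "
              f"posture={row['posture']:>3} -> {row['response']}{gaps}")
```

The reason for the max-based exposure term shows up in the sample run: the HVAC-style contractor, with privileged network access but no data entitlements and little business importance, lands in Tier 1 and is flagged for replacement, whereas averaging the three ratings would demote it to Tier 2. The low-value office-supplies vendor is accepted on risk but still picks up a contract gap, which is the Standardize step applied regardless of tier.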
HIGH-LEVEL GUIDANCE FROM A CYBER RISK EXPERT

Eric Friedberg, co-founder and co-president of risk consulting firm Stroz
Friedberg, spoke with WSJ Pro Research and recommended the following best
practices for third-party cyber risk management:

 * Design a thorough but digestible questionnaire that identifies significant
   risks and promotes transparency and accountability, while obligating the
   vendor to provide hard data and to allow an inspection if an incident
   happens.
 * Ensure that staffing and budgeting for the TPCRM process make it possible to
   cycle through third-party vendors in a short amount of time, so important
   vendors do not go unattended for years.
 * Pay attention to the risk of trojanization of software providers (malicious
   code hidden inside software that appears legitimate) and the risk of
   installing malware through the update channel. Do you trust your software
   providers? Can you detect malware and see its potential exploitation?

HIGHLIGHTS FROM THE ‘INSIGHTS FROM THIRD PARTY CYBER RISK MANAGEMENT’ WORKSHOP

On May 10, 2022, the WSJ Risk & Compliance Forum included a workshop on
third-party cyber risk management. Kelli Tarala, principal and founder of
digital security firm Enclave Security and SANS Institute third-party cyber risk
instructor, and Anson Fong, chief information security officer at Los Angeles
World Airports, provided their ‘Insights from Third Party Cyber Risk
Management.’ The following key findings and professional tips were discussed
during the workshop.

Structuring for Success

Proper preparation and having safeguards in place are key first steps in the
development of a robust third-party cyber risk management program.

 * Know Your Network and Vendors: Organizations need to understand their
   networks, what they’re connected to, and where the data flows, because this
   will help to better understand how to protect them. It’s also important to
   conduct an assessment to see who the vendors are and what they can access.
 * Control Data Access: Due to increased reliance on cloud storage, there are
   more and more entry points into a network. Emphasis should be placed on
   access control, including for third-party consultants and contractors who
   have read, write or modify access to critical data.
 * Involve the Right People: When starting a program, coordinate with the chief
   information security officer, the chief information officer, the chief risk
   officer (if the business has one) and representatives from the legal,
   procurement and purchasing departments. It’s also important to keep the board
   of directors apprised of cyber risk so they aren’t blindsided if an incident
   happens.

“I see organizations doing good things and the documentation is lacking a little
bit. If we don’t document it, it didn’t actually happen.”

— Kelli Tarala, principal and founder of Enclave Security

Maturing the Program

Developing a mature and comprehensive third-party cyber risk management program
does not happen straight away. After a program is started, it may take months or
even years to assess the security questionnaire results from hundreds of
third-parties, prioritize which vendors have vulnerabilities that need to be
addressed and make necessary adjustments to the program to minimize risk.

 * Expand Your Toolkit: Monitoring the dark web can be a useful way to keep
   track of suppliers and vendors. Determining whether a third party has
   experienced a data breach, or has had leaked data offered for sale on a dark
   web market, can provide insight into its vulnerabilities and security
   posture.
 * Frameworks Matter: Find out what security controls framework third parties
   are using. Knowing a vendor is using an established framework such as the
   Center for Internet Security’s Critical Security Controls framework offers a
   level of confidence that those vendors have a plan and are taking security
   seriously.
 * Take the Next Steps: A mature program will have advanced through three
   stages: basic hygiene, such as inquiring about a vendor’s information
   security policy and determining whether a third party sends data on to
   fourth and fifth parties; intermediate hygiene, which involves documenting
   processes; and a proactive stage in which the processes are reviewed for
   their effectiveness, leading to a fully optimized vendor management program.

Key Takeaways

 * According to Mr. Fong, your organization is only as secure as your weakest
   link.
 * Risk isn’t just an IT concern, it is organization-wide.
 * Ms. Tarala said risk management is a continuous process involving threat
   monitoring, control implementation and validation, risk reporting and risk
   response.
 * You may not get a perfect solution the first time; keep refining in light of
   your company’s culture and needs.

RESOURCES

 * The National Institute of Standards and Technology’s Risk Management
   Framework
 * CSO: 6 steps for third-party cyber risk management
 * Venminder: 4 Best Practices to Reduce Third-Party Cybersecurity Risk
 * CyberGRX: Third-Party Cyber Risk Management for Dummies
 * Forbes: Understanding The Third-Party Impact On Cybersecurity Risk
 * centraleyes: Top Cybersecurity & Third-Party Risk Management Trends to Follow
   in 2022

Watch the ‘Insights from Third Party Cyber Risk Management’ workshop here. All
WSJ Pro Cybersecurity research reports, webinars, events and data are available
at www.wsj.com/pro/cybersecurity/research



WSJ Pro Research is a premium membership that supports executive decision making
on critical business issues by supplementing the news with timely, in-depth
research and data.

All WSJ Pro Cybersecurity research reports, webinars, events and data are
available at wsj.com/pro/cybersecurity/research

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

MEET THE AUTHOR

David Breg is deputy research director at WSJ Pro, The Wall Street Journal’s
professional arm, where he writes and edits cybersecurity research and analysis
for executives and businesspeople. He also appears frequently at WSJ Pro events
as a moderator. Dave has prior experience managing the research unit at public
relations firm Burson-Marsteller and policy knowledge from serving as an analyst
at the Congressional Research Service.

Write to David at david.breg@wsj.com


RELATED PAPERS

 * PREPARING FOR ENERGY INDUSTRY CYBERATTACKS (APRIL 21, 2022)
 * CONFLICT IN UKRAINE: PREPARING FOR CYBERATTACKS (APRIL 11, 2022)