Third-Party Cybersecurity Risk Management: A Short Guide for 2024

Third-parties are an important part of your extended enterprise. They’re your vendors, your partners, and your suppliers. They provide some of your business’s most critical services: billing, data storage, or sales. Unfortunately, vendors and suppliers also come along with significant third party cybersecurity risk.

Early in January, Gartner named third-party risk cyber management (TPCRM) a top trend for 2024. This year, it’s expected that security teams will implement new third-party cybersecurity risk techniques to adopt more proactive risk-management measures.

How Likely is a Third-Party-Related Breach?

Third parties have become increasingly attractive targets for threat actors over the past few years. The reasons for this unwanted popularity are simple: vendors have access to their clients’ data and systems, and many third parties do business with multiple enterprises. If a criminal can compromise a vendor, they can access much more data for a fraction of the work it would take to attack every enterprise separately. The fact that third-party attacks are on the rise shows that many criminals have done this math for themselves. 

Many organizations have already faced third-party breaches and attacks. According to the ITRC, supply chain breaches reached an all-time high in 2023, including one of the largest ever third-party breaches. Out of 3205 breaches last year, 242 were third-party-related, affecting 2769 organizations and 54 million individual victims. The 2023 breaches included a large-scale attack on a third party; an attack on MOVEit file transfer software directly impacted 102 organizations. However, the data breach indirectly impacted many more entities; 1,271 organizations were indirectly affected when information stored in or accessed by a MOVEit product or service was compromised by their own vendors. 

With so many attacks, it’s not surprising that so many security teams have already dealt with supply chain attacks; a Gartner survey conducted in summer of 2023 found that 45% of all respondents had already experienced third-party related compromises. 

Aside from being a common occurrence, supply-side breaches also tend to have more of an impact than other types of branches. Because they are more difficult to detect, for example, they tend to last longer and cost more. According to a report from IBM and the Ponemon Institute, third party compromises cost an average of 12% more than a typical breach, and also take 13% longer to find and contain. 

New Approaches to Third-Party Risk 

Until recently, businesses have been focusing on due diligence as the means for managing third party risk: lengthy questionnaires, requiring certifications, and working with vendors to confirm security controls have all been part of cyber risk management programs. 

Gartner’s survey found that 65% of security leaders increased their third-party risk management budgets and 76% are spending more time on third-party cybersecurity risk management initiatives than they did two years ago. However, the extra time and money haven’t had the intended effect;  45% of respondents saw an increase in disruptions thanks to third-party-related incidents. 

For that reason, security leaders are turning to new ways of managing third-party risk with more of a focus on a resilience-driven, resource-efficient approach to TPCRM.

How Does this New Approach to Third-Party Management Look? 

1. Collaborative: Businesses are increasingly seeing third parties as their allies, rather than as risks to be contained. There are advantages to partneringwith key vendors to build security controls that work for everyone. Building strong relationships with vendors also means greater transparency and better collaboration if a breach occurs. 
2. Aligned with business goals: Effective TPCRM starts at the top. Without champions in the c-suite, it’s impossible to create a program that is able to holistically protect your data and systems. This also means business leaders must clearly be informed about the risk associated with doing business with a third party. By involving company leaders in third party risk management, security leaders are able to tie risk management to business goals, and also make better risk-based decisions more quickly.  Effectively tracking all decisions related to all third parties your organization is doing business with is important, so that cybersecurity teams can adjust controls for vendors that are particularly risky.
3. Consistent: Having a consistent set of policies and processes across your organization is critical for a strong TPCRM program. For example, creating a clear offboarding process for vendors to ensure that permissions are revoked and data is destroyed can help all departments limit the risk from previous partners and vendors.
4. Efficient: For a long time, businesses have attempted to control third party risk by creating increasingly long, complex questionnaires. This wasn’t efficient for the vendors (who had to fill them out) or for the companies (who had to review the responses). Lately security leaders are pulling back on long questionnaires, opting instead to use standard questionnaires, such as the Standardized Information Gathering (SIG) Questionnaire. This approach channels the energy that might have been spent on due diligence into higher-value activities, such as planning for incident response and improving controls. 
5. Tailored to each vendor: Rather than rely on due diligence alone, it’s recommended that recommends security leaders create scenario-based materials, using vendor-specific playbooks and tabletop exercises to plan for possible breaches. Security teams should also be working with less mature vendors to improve their security controls. 

How Does this New Approach to Third-Party Management Look? 

1. Collaborative: Businesses are increasingly seeing third parties as their allies, rather than as risks to be contained. There are advantages to partneringwith key vendors to build security controls that work for everyone. Building strong relationships with vendors also means greater transparency and better collaboration if a breach occurs. 
2. Aligned with business goals: Effective TPCRM starts at the top. Without champions in the c-suite, it’s impossible to create a program that is able to holistically protect your data and systems. This also means business leaders must clearly be informed about the risk associated with doing business with a third party. By involving company leaders in third party risk management, security leaders are able to tie risk management to business goals, and also make better risk-based decisions more quickly.  Effectively tracking all decisions related to all third parties your organization is doing business with is important, so that cybersecurity teams can adjust controls for vendors that are particularly risky.
3. Consistent: Having a consistent set of policies and processes across your organization is critical for a strong TPCRM program. For example, creating a clear off-boarding process for vendors to ensure that permissions are revoked and data is destroyed can help all departments limit the risk from previous partners and vendors.
4. Efficient: For a long time, businesses have attempted to control third party risk by creating increasingly long, complex questionnaires. This wasn’t efficient for the vendors (who had to fill them out) or for the companies (who had to review the responses). Lately security teams are pulling back on long questionnaires, opting instead to use standard questionnaires, such as the Standardized Information Gathering (SIG) Questionnaire. This approach channels the energy that might have been spent on due diligence into higher-value activities, such as planning for incident response and improving controls. 
5. Tailored to each vendor: Rather than rely on due diligence alone, It’s recommended that recommends security leaders create scenario-based materials, using vendor-specific playbooks and tabletop exercises to plan for possible breaches. Security teams should also be working with less mature vendors to improve their security controls.

Third-Party Cyber Risk Management with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence on your organization’s extended attack surface, which you can use instantly to improve security. Use this actionable intelligence to work with your third-party partners/suppliers/vendors to improve their security controls.

With Flare Supply Chain Ransomware Exposure Monitoring, gain unique visibility and proactive security across your extended supply chain to efficiently mitigate threat exposures that exist within ransomware data leaks. Learn more by signing up for our free trial.