New approach to risk management needed, says Gartner

The majority (83%) of organisations that engage third parties to provide business services identified third-party risks after conducting due diligence, a Gartner study has revealed.

The survey of more than 250 legal and compliance leaders reveals that the standard point-in-time approach to risk management is no longer effective in the light of today’s fast-paced, rapidly changing business relationships.

With an increasing number of third parties performing “-in-kind” and non-core services for organisations, the Gartner report said material risks cannot always be identified prior to the start of a business relationship.

The report’s finding is significant in light of the fact that a growing number of cyber attacks are related to vulnerabilities in suppliers that are exploited to target partners, highlighting the need for greater emphasis on supply chain security.

Only 29% of business and IT executives globally know how diligently their partners are working regarding security, with 56% relying on trust alone, a recent survey revealed.

Modern risk management, the Gartner report said, must account for ongoing changes in third-party relationships and mitigate risks in an “iterative way” or on a continual basis, rather than at specified intervals.

“Legal and compliance leaders have relied on a point-in-time approach to third-party risk management, which emphasises exhaustive upfront due diligence and recertification for risk mitigation,” said Chris Audet, research director for Gartner’s legal and compliance practice.

“Our research shows an iterative approach to third-party risk management is the new imperative for meeting business demands for speed and stakeholder demands for risk mitigation.”

According to Gartner, a number of factors have contributed to the shift in the nature of third-party risk, including that fact that:

• Third parties provide new-in-kind technology services for 80% of organisations polled, including startups and business model innovators;
• Two-thirds of legal and compliance leaders find third parties are providing services outside of the company’s core business model;
• Third parties now have greater access to organisational data;
• There is increasing variability in the maturity of organisations’ third-party networks;
• Third parties are working with an increasing number of their own third parties.

With a point-in-time risk management approach, compliance leaders attempt to identify potential third-party risks upfront with extensive due diligence before contracting and again at recertification, but this fails to capture any risks that may arise due to ongoing changes throughout the relationship.

Among survey respondents who identified risks post-due diligence, 31% of those risks had a material impact on the business.

“Ninety-two percent of legal and compliance leaders told us that those material risks could not have been identified through due diligence,” said Audet. “The only way to surface those risks was through actual engagement with the third party and through ongoing risk identification over the course of the third-party relationship.”

The Gartner report said the survey data shows that an iterative approach to risk management allows legal and compliance leaders to improve risk and business outcomes in terms of speed to engage, and by remediating and identifying third-party risks before their impacts materialise.

Organisations that applied an iterative approach experienced a doubling in capacity to remediate risks prior to impact and 1.5 times greater ability to identify risks prior to impact.

“An iterative approach will enable legal and compliance leaders to manage their changing and expanding third-party networks, while also satisfying business demands for quicker onboarding,” said Audet.

“To effectively mitigate third-party risks, compliance leaders must streamline their current due diligence processes to focus on critical risks to eliminate burdensome duplicative process and focus attention on the risks that have the biggest impact on the organisation,” he said.

Nigel Ng, vice-president of international at digital risk management firm RSA Security, said that part of the problem with gaining full visibility is the “sheer intricacy” of today’s digital ecosystems.

“Companies are increasingly reliant on third parties to deliver core services, and while these partners create a lot of value for businesses, they also digital risks that need to be managed and can significantly add to the complexity of the security protocols required.

“Third parties – such as systems integrators or contractors – often need direct access to your systems. In these instances, firms need a clear understanding of their security protocols to determine how much trust to place in them and how much access to grant.

“Businesses also need even stronger identity and access management [IAM] processes to authenticate third-party users, ensure they are who they say they are, can only access what they’re allowed to access, and that their credentials have not been compromised.”

John Sheehy, director of strategic security services at security services and research firm IOActive, said any organisation not protecting is own own network against basic threat actors, doing due diligence to properly patch, and holding suppliers accountable for securing their own networks has no hope of protecting against threat actors.

“This is where third-party testing comes in handy to trust and verify your suppliers,” he said.

To build a supply chain security programme, Sheehy recommends that organisations:

• Ensure they know all suppliers and take a full inventory of who they do business with so they can identify any weak links;
• Conduct a risk assessment of each supplier’s cyber security posture, including software and hardware components, to identify the risks they may pose;
• Use third-party testing to test internal security systems and those of suppliers to identify and prioritise what needs to be fixed;
• Regularly scan and patch all vulnerable systems;
• Teach employees about the importance of using strong passwords and not recycling them across accounts;
• Ensure staff has set up multifactor authentication everywhere possible;
• Conduct regular security awareness training to teach employees how to identify phishing scams, update software and become more security-conscious;
• Harden the security of the devices connected to your networks.