Earlier this month, Panorays CEO and co-founder Matan Or-El spoke about third-party security at the secureCISO event in New York. Here are some of his remarks:
What challenges do companies face today with third party security?
As we know, the online world is filled with cyber threats. Every week we hear reports of massive data breaches. Often, hackers do this by targeting the weakest entry point: the third parties that do business with the company.
A recent study by the Ponemon Institute found that 61 percent of US respondents reported that their organizations experienced a data breach caused by one of their third parties. In 2017, this figure was 56 percent; in 2016, 49 percent. In the same survey, the vast majority of respondents said that they did not have sufficient resources to manage third-party relationships.
Meanwhile, the number of third parties that companies are doing business with is increasing. The average number of third parties increased from 378 in 2016 to 588 in 2018. Along with these numbers is a rise in the percentage of third parties that share organizations’ sensitive and confidential data, from 37 percent in 2016 to 43 percent in 2018.
What can happen if a company suffers a data breach? Besides losing consumer confidence and loyalty, companies can face costly penalties for violating data privacy regulations.
Which kinds of vendors / suppliers should be of the most concern?
It’s important to note that all suppliers pose a risk, because any data in the wrong hands could be a threat. I remember that we did business with a bank that insisted that we assess the security of their florist. When we inquired why, they responded that the florist had access to the contact information of the bank’s highest executives and best customers. That information was valuable, and in the wrong hands, could have been used against them.
That is exactly the point: companies need to understand what their relationship with the supplier is and what the impact to their business would be were that supplier breached. Based on that, they can better focus their supplier security management efforts.
From our experience, we have noticed that the suppliers with the greatest risk are those with access to a company’s IT systems, because a data breach through such third parties could be disastrous for the company.
Critical suppliers must be assessed and continuously monitored.
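As an added illustration, not Panorays’ own code or method, here is a small tiering routine that applies the criteria just described: access to the company’s IT systems and the business impact of a breach decide the tier, holding sensitive data (the florist case) raises it, and only critical suppliers get continuous monitoring. The tier thresholds, impact ratings and review cadences are assumptions, and the supplier list is a constructed sample.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    it_system_access: bool   # can reach the company's own IT systems
    sensitive_data: bool     # receives sensitive or confidential company data
    breach_impact: str       # assumed business-impact rating: "low", "medium" or "high"

IMPACT_RANK = {"low": 0, "medium": 1, "high": 2}
TIER_RANK = {"baseline": 0, "elevated": 1, "critical": 2}

def tier(s: Supplier) -> str:
    """Map a supplier to a risk tier using the criteria from the interview."""
    if s.breach_impact not in IMPACT_RANK:
        raise ValueError(f"unknown impact rating: {s.breach_impact!r}")
    if s.it_system_access or s.breach_impact == "high":
        return "critical"    # access to IT systems: a breach could be disastrous
    if s.sensitive_data or s.breach_impact == "medium":
        return "elevated"    # holds data that could be used against the company
    return "baseline"        # every supplier still gets at least a basic assessment

def monitoring_plan(s: Supplier) -> dict:
    """Assessment cadence per tier (the cadences are assumed, not from the interview)."""
    t = tier(s)
    return {
        "tier": t,
        "assess_at_onboarding": True,
        "continuous_monitoring": t == "critical",
        "reassess_every_days": {"critical": 30, "elevated": 90, "baseline": 365}[t],
    }

def prioritize(suppliers):
    """Highest-risk suppliers first, so assessment effort goes where impact is greatest."""
    return sorted(suppliers,
                  key=lambda s: (-TIER_RANK[tier(s)], -IMPACT_RANK[s.breach_impact], s.name))

def sample_suppliers():
    # Constructed sample portfolio; the florist mirrors the anecdote in the interview.
    return [
        Supplier("office-supplies", False, False, "low"),
        Supplier("florist", False, True, "medium"),
        Supplier("managed-hosting", True, True, "high"),
        Supplier("payroll-saas", True, True, "medium"),
    ]

if __name__ == "__main__":
    for s in prioritize(sample_suppliers()):
        print(f"{s.name:16} {monitoring_plan(s)}")
```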
What’s typically being done to mitigate the risk emanating from third parties?
There are typically two assessment methodologies: an inside-out approach and an outside-in approach.
With the inside-out approach, companies attempt to assess the security awareness of the third party. They typically do this by sending questions related to the third party's security practices using spreadsheets. Several problems arise with spreadsheet usage. First, it takes a lot of time. Vendors might not answer questions correctly, or they might leave them blank entirely. Companies must then follow up and wait for more answers. Second, this method does not allow for scalability. Companies that are trying to hire more vendors are finding it impossible to do so because they are bogged down by the time and effort needed for this process. Third, and this is the biggest problem, this method is simply ineffective. By the time the questionnaire is completed, it is already outdated.
The outside-in approach looks at a third party’s digital footprint. However, it only provides part of the picture of overall cybersecurity posture, since it does not take into consideration the security awareness and standards that the third party has put in place.
How does the process look from the supplier side?
When it comes to the inside-out approach, we find that there’s often a lot of friction between companies and their third parties. Many times, the suppliers are not equipped to thoroughly answer security questionnaires.
With the outside-in approach, if the suppliers want to dispute findings, there’s no way to do so. Then, if cyber gaps are found, they don’t know how to mitigate them.
At its essence, this is a business transaction: The company wants to hire a third party, and the third party wants the business. But the security requirements are so complicated that everyone just gets frustrated.
What is Panorays’ approach to evaluating third parties?
At Panorays, we perform a non-invasive outside-in assessment of digital assets, much like a hacker would perform reconnaissance on a potential target. We combine this with an inside-out view using automated security assessments, which check for GDPR compliance and that third parties abide by companies’ internal policies.
Using both methods, we get a complete picture of a third party’s security posture.
How do suppliers view this approach?
At Panorays, suppliers and companies engage on one platform, which simplifies the process for everyone. We help suppliers answer their automated questionnaires, and we provide guidance on how they can close their cyber gaps. By providing a way for companies and suppliers to easily engage with each other, the friction is eliminated. This is actually very cool, as it enables service providers to dramatically shorten their lengthy sales cycles, because there is no longer any need for those security ping-pongs between the two parties.