Third party risk must be better managed to reduce a range of risks facing South African organisations.

This emerged during a recent webinar hosted by the Cybersecurity Special Interest Group (SIGCyber) of the Institute of Information Technology Professionals South Africa (IITPSA), where SIGCyber committee members who are experts in cyber security and risk management emphasised the importance of Third Party Risk Management (TPRM) to mitigate both cyber risk and many broader business risks.

Why TPRM is vital

Andrew Henwood said: “You’re only as strong as the weakest link in your supply chain. Recent exploits have illustrated this. It's far easier to perpetrate attacks against a less secure critical supplier of say a large bank, than to attempt to breach the bank itself. TPRM is all about making sure third parties such as vendors, suppliers, partners and managed service providers are not the biggest risk exposing you as an organisation. If third parties touch your sensitive information or infrastructure, they all need to be considered in your risk management strategy.”

Richard Frost said: “There is a tendency to consider only third party cyber security risk, however TPRM should go further. For example, it needs to monitor the performance of those third parties and ensure that you are granting them access to only that part of your environment that they require - no more and no less.”

Doctor Mafuwafuwane said: “In today’s interconnected environment, managing third party risk is no longer optional - it’s essential. Everyone has to be doing it, regardless of the size of the business. TPRM has not enjoyed enough attention in South Africa. It’s about identifying and managing risk - this doesn’t just apply to cyber security, but also to areas like reputational, legal and financial risk throughout the vendor life cycle, with comprehensive onboarding, offboarding and management of vendors and partners. People who have access to our data should be a high priority, because most of the data breaches we see today are due to third parties who had access to data.”

Moving away from manual

The panellists said organisations needed to move away from traditional TPRM approaches, using simple questionnaires sent out just once a year.

Henwood said: “TPRM has involved sending out an Excel spreadsheet or Word document with a lot of questions pulled from an open infosec standard. There is a place for this approach, and it can help define how you expect your third parties to operate. But unfortunately, suppliers may just tell you what you want to hear in order to retain your business – for example, it is unlikely that a supplier will admit they actually don’t patch their systems regularly, in answering one of these questions.”

Frost added: “They may laboriously and honestly fill in a 300-page form, but environments change. So being compliant today doesn’t mean they are compliant in a year’s time.”

Mafuwafuwane said: “We advise people to move away from spreadsheets where possible. Instead, they should look at tools to automate these processes and use performance monitoring. We also recommend categorising suppliers by the level of risk associated with them.”

Mafuwafuwane said a proper Zero Trust strategy, and identifying, classifying and masking data could be used to better protect data that third parties had access to.

Henwood noted: “There are a number of tools to do outside-in validation and monitoring, such as technology that makes use of open source threat intelligence that gives you a ‘hacker perspective’ of external vulnerabilities and these tools can operate on an almost continual basis.”

The costs of compliance

Frost asked: “At what point does the cost of compliance outweigh the revenue a third party agreement would bring in to a supplier? How can large organisations ensure that suppliers are risk averse without financially burdening them?”

Henwood said: “Anyone doing business in the modern age, where you’re handling sensitive data, you have an obligation to be secure and compliant.”

“What's encouraging is that the larger corporates have implemented TPRM programmes, and their obligations for the smaller organisations aren’t always excessive. They require bare minimum measures all organisations should be implementing to be inherently secure,” Henwood said.

“If organisations get the basics right and run these basic assessments, they can start understanding what they have exposed to the internet. For example, a simple 20-minute assessment can expose your entire external footprint, exposed servers and open ports. You need to bring your own house in order. Of course, addressing the human element, every organisation also needs ongoing cyber security awareness and training programmes.”