Maintaining organizational partnerships with external parties is a commonplace and often necessary practice for companies in the modern business world. In order to function, most companies must outsource factors of their operations to third parties.
These third-party relationships can pose risks for the company, as the attack surface increases when sensitive corporate data is shared. But unfortunately, it doesn’t stop there. These days, third parties often share said data with their own contractors, meaning organizations must also take on fourth-party risk management.
Fourth-Party Risk Is a Growing Threat
Enterprise risk management involves accounting for threats at each step of operations. Fourth-party risks are the security threats that occur when nth party suppliers gain access to a company’s sensitive data through its third-party relationships.
The cybersecurity industry has been developing ways to increase safety for companies with extended external partnerships. Two of these organizations include MorganFranklin Consulting, a management advisory firm specializing in cybersecurity technology and business objectives, and SAFE Security, a cybersecurity risk quantification platform.
To learn more about how these companies are approaching the topic of fourth-party risks, CIO Insight interviewed Michael Welch, the Managing Director at MorganFranklin Consulting, and Saket Modi, co-founder and CEO at Safe Security. We conducted separate correspondence with these cybersecurity company representatives to gain insight into the importance of fourth-party risk management, and how technological advancements can help improve cybersecurity.
What Is Fourth-Party Risk?
CIO Insight: How would you define fourth-party risks, and what is their importance?
Michael Welch: Fourth-party risks are the unseen risks introduced by your third-party partners. As an organization’s vendors maintain relationships with other vendors and partners, they become fourth parties to the organization. Depending on the relationship and role your third party plays in your everyday operations, it could determine the level of risk introduced to your organization.
The cybersecurity effectiveness of these fourth parties ultimately impacts the primary organization’s security because an attacker can exploit a chain of trusted relationships to gain access to the primary organization.
An attacker can exploit a chain of trusted relationships to gain access to the primary organization.
Saket Modi: Most organizations today outsource parts of their operations to external vendors, and in turn, those vendors outsource their operations to another vendor. Cyber risks arising from such vendors are known as fourth-party risks.
In today’s hyper-connected digital ecosystem, an organization inherits most of its cyber risks from its direct and extended vendor network. Led by the rapid adoption of digital transformation, organizations’ dependence on external vendors has significantly increased, and likewise so have their cyber risks.
While an organization may have effective cybersecurity practices in place, its vendors may not — making third and fourth-party risks a valid, yet unaddressed threat. Hence, it is significantly important to have a proactive and real-time risk management strategy to predict and prevent breaches from third, fourth, and nth parties.
Read more on Enterprise Networking Planet: Top Risk Management Tools for Enterprise 2021
CIO Insight: In what ways are fourth-party risks different from third-party risks?
Welch: As an organization, you have services agreements with your third parties, so you can manage your risk based on the controls you require to be in place. However, that flow-down of control processes does not always extend down to the fourth party.
Modi: On average, an organization deploys 5,800 third-party vendors, so imagine the size of the fourth-party vendor ecosystem that exists. Most organizations rely on third parties to conduct regular security checks of their vendors (your fourth party) and often use point-in-time assessments, passive monitoring tools, and lack a real-time view of the cyber risk posture for this purpose.
While your organization may have a strategy to manage third party risks, those arising from fourth-party vendors often are not monitored.
While your organization may have a strong risk management strategy to manage third party risks, those arising from fourth-party vendors often are not monitored. Without a clear understanding of the business relationships and risk surface of your extended ecosystem, any type of data compromise can threaten your organization — creating liability for any form of data loss.
This makes it difficult to achieve cyber resiliency and understanding of your true cyber risk posture.
The Current State of Fourth-Party Security
CIO Insight: What factors right now contribute to the importance of ensuring supply chain and operational security?
Welch: Supply chain has become one of the primary attack vectors today. As organizations are now being required to verify security controls, it is important to make sure you know the role your suppliers play — and the role their suppliers play — that could impact your operations. At the minimum, we must also verify security processes as a vendor becomes more critical to your operations.
I would recommend you take a zero-trust approach and verify all controls to mitigate any residual risk in your environment. As it relates to fourth parties, you must know who they are, what function they play, whether they are significant to your operations, and what they have done to secure their environment. What due diligence does your third parties conduct for their suppliers?
Modern day supply chains have a large attack surface, resulting in potential threats from cyberattacks at any stage of the supply chain.
Modi: In the last few years, we have witnessed major outages resulting in business disruption from supply chain cyberattacks. Modern day supply chains have a large attack surface, resulting in potential threats from cyberattacks at any stage of the supply chain.
The COVID-19 pandemic has further pushed dependence on third and fourth parties, making supply chain security even more crucial for business continuity.
Operational security, especially, has evolved significantly during the pandemic. Employees working from home, having a new set of work policies, etc., have made operational security even more complicated yet crucial.
Employees, for example, are often the biggest cyber threat to an organization and monitoring the hardware and software that employees use while working remotely is a major challenge for large organizations.
CIO Insight: Has the pandemic subjected organizations to more security risks from fourth parties?
Welch: The pandemic has changed the operational work environment. Companies are now relying on third parties more and, in turn, they also leverage their supplier. This shift as a whole increases risk in the primary organization’s environment.
Modi: Businesses have shifted from regular and planned touchpoints with their contractors to making several cybersecurity exceptions to facilitate seamless remote work. This change, while aiding speed and efficiency, made cybersecurity an afterthought, due to reduced insights and increased the potential for [fourth-party security risks].
Promoting Security in External Partnerships
CIO Insight: What strategies are needed to ensure all parties maintain appropriate data security levels?
Welch: An organization has the responsibility to protect sensitive data at all points within its supply chain, including fourth parties and beyond. This effort encompasses implementing plans to ensure all parties maintain appropriate levels of data security and protection, and that they monitor this protection throughout their supply chain to identify potential vulnerabilities.
The most important strategy is understanding the role, function, and activities that are required by third parties to do their job. Third parties are many times trusted in your environment, but the concept of least-privilege access must still be maintained.
Only the level of access needed should be provided and continuous monitoring needs to be maintained. You need to know the financial and reputational impact that your third parties and their downstream suppliers can have on your organization.
The most important strategy is understanding the role, function, and activities that are required by third parties to do their job.
Modi: Third parties must build a robust risk management strategy of their own to ensure fourth parties are assessed efficiently. While SOC 1 and 2 certification and Statement on Standards for Attestation Engagements (SSAE) 18 have made fourth-party cyber risk identification transparent, it is still a manual process that is often overlooked.
An automated, real-time, nth-party risk management approach is essential for businesses. It must also have a 360-degree view with an inside-out and outside-in assessment of their digital footprint — including endpoints, cloud assets, and SaaS applications.
To do this, organizations must adopt dynamic risk quantification platforms, which provide one integrated score that matters and is actionable and insightful.
CIO Insight: What standards should companies follow to address fourth-party risks and improve overall supply chain security?
Welch: There are many good standards: NIST, ISO, CIS, CSA. But I don’t believe there is any one standard that covers all needed security areas. While you should have a standards program, how you assess your suppliers should be based on the service they supply to you.
Another item to note is that certain industries now have regulations in place around how your third-party risk should extend downstream to suppliers. These requirements include CMMC, NERC CIP, and DORA.
Modi: While compliance and guidelines mandate certain cybersecurity practices, most businesses perform their audits as a checklist of activity. Beyond the regular questionnaire-based assessments, businesses must build a robust risk management strategy that tiers vendors by their criticality and performs real-time cyber risk analyses to ensure the riskiest vendors are prioritized through nth-party breach likelihood scores.
Beyond the regular questionnaire-based assessments, businesses must build a robust risk management strategy that tiers vendors by their criticality.
This score will demystify vendor risks and prioritize management and risk mitigation. Deployment-less, automated risk assessment for vendor cybersecurity will be possible only when enterprises begin assessing their suppliers’ inside-out risk postures along with outside-in assessments.
In other words, it will include a continuous assessment of not only the employees of the third-party business, but also the multiple software (SaaS) configurations leveraged by the nth party.
When cybersecurity assessments begin spanning across the people, processes, and technology in their internal environment, then and only then will an enterprise have transparent and 360-degree cyber risk visibility of their nth party “web,” in the truest sense of the word.
Cybersecurity Services and Software
CIO Insight: How are your organizations currently working to defend against fourth-party risks for your clients?
Welch: Managing third-party and fourth-party risks can be complex. Most companies have many trusted direct partners and even more fourth-party vendors. The supply chain is longer and more connected than ever before, due to online operational environments.
Attempting to secure your entire supply chain at once can be overwhelming and infeasible. MorganFranklin’s supply chain practice can help with every stage of the supply chain management process from identifying “critical” vendors that need security vetting, to putting tools and processes in place to manage an organization’s supply chain risk more efficiently in the future.
While a number of third-party risk management tools are available, they are of limited value without the expertise required to configure them correctly, interpret the results, and develop action plans based on the available data.
Attempting to secure your entire supply chain at once can be overwhelming and infeasible.
Modi: SAFE is the only cybersecurity and digital business risk quantification platform that provides a truly 360-degree view on every vendor a business contacts, directly or indirectly. We are already helping multiple Fortune 500 and Fortune 2000 companies measure, manage, and mitigate their vendor risks in real-time with our cyber risk quantification platform.
SAFE assesses and tiers nth party vendor risks by analyzing the digital footprint of their domain names, the industry, size and geography of operations, and gives each nth party vendor a breach-likelihood score.
This real-time score represents the dollar risk a vendor poses to the business and the possibility of a data breach happening because of them. It nullifies the belief that the largest vendors might be your riskiest — which is what most businesses assume.
The SAFE score helps businesses tier vendors as per their cyber risk posture, streamline assessments, and prioritize their next steps to reduce nth party breach likelihood.
CIO Insight: Are there any strategies or technological features that your organization is looking to utilize for this purpose in the future?
Welch: Managing supply chain risk is a complex process. In most cases, it is impossible to eliminate or completely manage the cybersecurity risk inherited from an organization’s suppliers, contractors, and other third-party partners.
MorganFranklin analysts help map and prioritize your third-party and fourth-party risk relationships while developing a strategy for managing risks and improving the security of your organization’s supply chain by partnering with some of the best platforms supported by our consulting experts.
Modi: Secure Assessments Framework for Enterprises (SAFE) used a patented breach likelihood prediction algorithm. The only input required for the assessment is the primary domain of the vendor, along with its location and industry, which initiates automated digital foot-printing.
A security rating is formulated based on a Bayesian Network-based risk quantification engine that incorporates the attack propensity of the organization based on its industry type, size, and geography with its digital footprint. to give each vendor a breach-likelihood SAFE Score — representing the overall health of the organization’s security measures. We also provide prioritized best practices to mitigate risks.
The Fourth-Party Operational Security of Tomorrow
CIO Insight: What are the most effective solutions that IT security companies can offer for mitigating fourth-party risks?
Welch: Risks do not stop at fourth parties; they can continue to extend to fifth and sixth parties and beyond. The most effective solution is working with your vendor to review how they deliver their service and what will be required to protect your environment.
This risk assessment must include a flow-down and understanding of each vendor in order to meet proper cyber hygiene processes.
A standard operating procedure should be defined to categorize vendors into three tiers, based on their size and the level of critical data access available to them.
Modi: A standard operating procedure should be defined to categorize vendors into three tiers, based on their size and the level of critical data access available to them. Tier 1 vendors with high cyber risk should be assessed in real-time, followed by Tier 2 vendors that should be assessed daily, and Tier 3 vendors (with the lowest cyber risk) should undergo weekly assessments.
They should assess the entire digital footprint of all parties through a non-intrusive, outside-in risk assessment including email, DNS, application, network, and system security along with breach exposure, compromised systems, and cyber reputation.
Lastly, businesses should use digital business risk quantification to their advantage. To simplify the procedure, they can use a consistent risk metric, such as their breach likelihood.
CIO Insight: What do you think the future looks like for fourth-party operational security?
Welch: Third parties will be required to hold their suppliers more accountable and to implement sound security practices, as legal teams begin to address these topics in contracts and service-level agreements.
Modi: We are envisioning a future where real-time risk quantification and management become a de-facto standard before onboarding any third or fourth-party vendor. This will result in better visibility and management of fourth-party operational security. Organizations must depend on the tools that provide a breach-likelihood score to measure, manage and mitigate risks arising from third and nth parties.
Exploring Innovations in Risk Management
CIO Insight: What is a recent innovation in supply chain security that you’re particularly excited about? Do you have anything more you would like to add?
Welch: I’m excited about the continued advancement of Third-Party Risk platforms. To be successful, companies must move away from manual spreadsheets and automate the risk management process for scalability and efficiency.
Third-party risk can’t be a compliance checkbox. Organizations must follow a trust-but-verify model, and use built-in processes for the validation of the controls suppliers provide as a service to ensure operations run as intended.
Companies must move away from manual spreadsheets and automate the risk management process for scalability and efficiency.
Modi: Vendors are a friendly dark web! Friendly, because they have unsupervised access to an enterprise’s critical data. The dark web, because an organization’s nth-party ecosystem can become a source of data leaks, exposures, and breaches.
To date, questionnaire-based manual vendor risk assessment has been the go-to. These approaches serve as a covenant between the involved parties to ensure a good cybersecurity posture. However, now, outside-in assessments have gained momentum. While they are automated and better than manual processes, they are still reactive and provide an incomplete picture of vendor risk.
A trend I’m looking forward to is the move to proactive TPRM via cyber risk quantification for nth-party risks. The Deloitte Global Third-Party Risk Management Survey for 2021 states that more than 50% of organizations want to improve real-time information, risk metrics, and reporting in the year ahead so they have a single, up-to-date picture of their nth parties and the risks they may pose.
Some organizations have started looking into the multiple tiers of their critical third-party relationships to assess the benefits of bringing outsourced activities back in-house. These tiers include, for instance, subcontractors (fourth parties) and their subcontractors (fifth parties).
Note: These interviews occurred separately, and have been edited for clarity.
About Michael Welch
Michael Welch is the Managing Director at MorganFranklin Consulting, where he provides leadership in the development of security initiatives and works with business leaders on cybersecurity strategy and risk consulting. Mr. Welch has expertise in security risk management through his experience with the firm addressing critical cyber security, finance, technology, and business objectives.
Mr. Welch was previously an instructor at the Loyola University New Orleans HackerU Program, teaching CyberSecurity. Prior to this, he was a Managing Director at Vaco, where he worked in information security, strategy, risk, and security operations. Mr. Welch has over 20 years of experience holding positions in the field of security management.
About Saket Modi
Saket Modi is the co-founder and CEO of SAFE Security, which deals with cybersecurity and digital business risk quantification. Modi founded SAFE Security in 2012 while completing his education in computer science engineering. SAFE Security provides security services and cyber risk measurement to organizations through its mitigation platform, SAFE.
Modi has gained experience in the cybersecurity field throughout the past eight years working with his enterprise platform company. He has had success throughout his time protecting the digital infrastructure of organizations through SAFE Security, and his expertise is supported by his business accomplishments and the multiple awards that SAFE Security has received under his leadership.