BLOG: The Growing Challenge of Controlling Third-Party Risk in a Global Economy

In today’s global economy, businesses rely on an ever-growing network of third-party vendors, suppliers, and partners to achieve their goals. However, this dependence on third parties comes with an inherent risk, as companies are exposed to the security vulnerabilities and compliance issues of their partners. The challenge of controlling third-party risk is a growing concern for businesses across industries, and one that requires careful planning and management to mitigate.
Third-party risk is not an element of cybersecurity that is likely to disintegrate, each year we see organisations and companies blindsided by their third parties. On the 2nd of March 2023, WHSmith reported that they had suffered a cyber-attack resulting in illegal access to company data including that of current and former employees. The retailer has launched an investigation with support from third-party cybersecurity experts and notified relevant authorities.

The company has assured customers that their details and financial information were stored separately and were unaffected by the incident. WHSmith’s trading operations remain functional, suggesting the attack may not have been ransomware in nature. The incident follows a cyber attack on WH Smith’s subsidiary, greeting cards business Funky Pigeon, in April 2022. The company has been offering support to affected employees and is taking the issue of cybersecurity seriously. Instances like this highlight the focus that organisations need to have on their involvement with third parties.

Third-Party Risks

The risks associated with third-party vendors can take many forms. For example, third-party vendors may have access to sensitive company data or systems and may inadvertently or intentionally expose this data to unauthorized parties. Similarly, third-party vendors may be subject to compliance issues or legal liabilities that can put the parent company at risk. Finally, third-party vendors may suffer from operational or financial problems that can impact the parent company’s operations or reputation.

To manage these risks, companies must take a proactive approach to third-party risk management. This means implementing a comprehensive risk management program that includes due diligence, ongoing monitoring, and continuous improvement. Companies must also establish clear communication channels with their third-party vendors, to ensure that expectations and responsibilities are clearly defined and understood.

One key aspect of third-party risk management is due diligence. This involves conducting a thorough assessment of potential vendors before entering a partnership. Due diligence can include a review of the vendor’s financial and operational performance, as well as an evaluation of their cybersecurity and data protection policies. It can also involve checking for compliance with local laws and regulations, including anti-bribery and corruption laws.

Ongoing monitoring is another critical element of third-party risk management. This involves regularly reviewing and assessing the performance and security of third-party vendors, to ensure that they continue to meet the company’s standards and expectations. Monitoring can include regular security audits, financial reviews, and compliance checks.

Continuous improvement is essential to maintaining an effective third-party risk management program. Companies must regularly review and assess their risk management strategies, identify areas for improvement, and implement new measures to mitigate emerging risks. This can include adopting new security technologies, improving communication channels with third-party vendors, and investing in employee training and education.

The growing challenge of controlling third-party risk in a global economy requires a comprehensive and proactive approach to risk management. Companies must be diligent in their due diligence, ongoing monitoring, and continuous improvement efforts, to ensure that their partnerships with third-party vendors do not compromise their security, compliance, or reputation. By taking these steps, companies can manage third-party risk effectively and minimize the potential impact of security breaches or compliance issues.

Orpheus Cyber Approach

At Orpheus Cyber we have developed a unique approach to manage Third Party cyber risk management that combines our expertise as a cyber threat intelligence company with an assessment of the attack surface of the Third Parties. Our approach allows for continuous monitoring of Third Parties’ cyber risk rating as the threats they face and their attack surface change over time.

The platform displays a heat map highlighting organisations with the highest level of risk, along with the most critical vulnerabilities, which are linked to intelligence reports and Orpheus’ CVE scoring to provide context. This allows clients to work with their suppliers to improve their security, reducing the risk to the organization over time.

The platform requires no input from third-party organizations, making it quick and easy to set up, and clients can review the cyber risk of those they are working with within hours. Continuous monitoring reduces risk compared to point-in-time reviews, and clients can confirm that suppliers have taken necessary steps to reduce risk, rather than relying solely on their assurance. To find out more about this, click here.