
Continuous Monitoring in Cyber Security and TPRM

Continuous monitoring in third-party risk management (TPRM) and cyber security can be hard to achieve in practice. Find out how to implement it with Risk Ledger.


Continuous monitoring in third-party risk management (TPRM) is a lofty endeavour, yet hard to achieve in practice. This article sets out how to make it happen.

More than 60% of data breaches have some supply chain component such as a product or service vendor, professional or financial services firm, or perhaps even a customer. Protecting your organisation from a possible risk introduced by such business partners, or even their third-parties, must be a corporate imperative.

The most effective method of ensuring that your supply chain partners are not introducing vulnerabilities into your network or cloud instance, or pose other risks to the confidentiality, integrity or availability of your organisation’s and your customers’ data, is to get as close as possible to a continuous monitoring approach to third-party risk management. Traditional and highly manual point-in-time assessments based on spreadsheets, or even using more digital questionnaire tools, are no longer enough. These assessments, and the relative assurance they provide, could be out of date as soon as they are completed. 

Regulators and security experts are thus increasingly pointing to the need for the continuous monitoring of third-party risk to ensure that critical suppliers don’t come to pose a risk to your organisation, or even to entire sectors. 

But how can this be done? This article will try and shed some light on this question.

What is continuous monitoring in cyber security?

According to the National Institute of Standards and Technology (NIST), continuous security monitoring means “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions.” 

In practice, continuous monitoring has mainly been done by organisations with the aid of tools such as SIEM, Network Detection and Response (NDR) and Endpoint Detection and Response (EDR). Organisations use them for the swift detection of compliance problems and security threats within their own IT infrastructure. Such tools equip SecOps teams with up-to-the-minute data from their internal IT environments and support vital security functions such as threat intelligence, forensics, root cause analysis and incident response.

The core pillars of such an approach to continuous monitoring include:

  1. Logs, user & entity behaviour through SIEM
  2. Network traffic through network detection and response (NDR)
  3. Endpoint detection and response (EDR)

What is continuous monitoring in third-party risk management?

In the context of supply chain risk management, however, the term denotes the ongoing monitoring, and thus management, of third-party risk. It moves beyond point-in-time assessments, which are usually done before entering into a new contractual relationship with a third-party service provider and are, at best, repeated annually.

An increasing number of cyber security regulations now require such continuous monitoring of third-party risk in order to reduce the frequency and impact of supply chain attacks. To name just one recent example, the new EU DORA regulation, covering most financial institutions but also their critical ICT third parties, states that financial services entities covered by the regulation must “establish an appropriate Oversight Framework allowing for a continuous monitoring of the activities of ICT third-party service providers that are critical ICT third-party service providers to financial entities.”

In an ideal situation, achieving continuous monitoring in order to facilitate better and speedier threat detection would require identifying changes in any of the hundreds of relevant security controls across potentially thousands of suppliers and partners simultaneously in real-time. This is hardly a realistic proposition at this stage, especially if the assessments also focus on additional, yet crucial, internal security domains such as Security Governance, HR Security, Business Resilience or Physical Security in addition to Network & Cloud Security or IT operations controls.

So what are the options that currently exist for ensuring a more ongoing monitoring of third-party supplier risks?

How to implement continuous monitoring of third parties?

The first and most widely used approach to continuous monitoring in the context of third-party risk management is external vulnerability scanning. External scanners allow organisations to quickly gauge the security strength of the public-facing systems belonging to a company they are potentially going to work with.

They are usually run automatically and highlight any potential vulnerabilities in public IP addresses, domains or other externally facing services. They scan the outer perimeter of a supplier’s digital infrastructure, allowing you to understand what systems they are using, which services they are running and to identify potential vulnerabilities. The scanners then check a list of known vulnerabilities related to the aforementioned systems. This information is compiled into a report which can tell an organisation where an attacker might look to exploit an external vulnerability to gain an initial entry foothold. 

The downside of such external scanning tools is that they can generate a large number of false positives, which distort the overall ratings given and require manual intervention from users to fix. Most importantly, however, these tools cannot measure the internal controls of an organisation; they only look at surface-level information. This can give a false sense of security. A supplier may have no known vulnerabilities in its externally facing systems, but that doesn’t mean it is immune to attack. Does it have MFA and password lockouts on its user accounts? No? An attacker will simply exploit such vulnerabilities instead.

So what are the alternatives to vulnerability scanners?

How to implement continuous monitoring with Risk Ledger?

To approach the problem of how to monitor the security postures of their suppliers and supply chain risk more generally on a more continuous basis, Risk Ledger is putting forward an altogether different approach. We combine a Third-Party Risk Management platform with a secure social network. Similar to a social network like LinkedIn, each organisation has a profile on Risk Ledger, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is then shared with their clients and customers. Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them.

Organisations can use Risk Ledger as both suppliers and clients, meaning they can simultaneously show their security posture to their clients and monitor the security posture of their own suppliers, all on the same platform. This reveals many connections in both directions. Because of these connections, the network can provide a unique visualisation of organisations’ wider supply chain ecosystems and uncover interdependencies and risks beyond their immediate suppliers, into fourth, fifth, sixth and n-th parties (i.e. the suppliers connected to their suppliers, and so forth). This, for the first time, allows for the mapping of organisations’ supply chain ecosystems as well as for the more continuous monitoring of suppliers’ security postures.

Here is how Risk Ledger’s social network approach enables this:

Continuous connection on the same platform

Since clients are using the same platform as their suppliers, they are continuously connected with all of their suppliers and can communicate and collaborate with them, as well as review the progress of their security assessments, at all times.

Automated notifications when supplier security controls change

Risk Ledger provides clients with weekly updates on their suppliers’ security controls, highlighting any control changes made across a client’s entire supplier base in line with the client’s bespoke policies. Risk Ledger’s activity feed, meanwhile, gives clients a historical overview of all the controls that have changed or been updated over the lifetime of the connection to that supplier.

Full repeat assessments are done every six months

Moreover, Risk Ledger asks suppliers to complete a re-assessment every 6 months. Suppliers are notified and can start their re-assessment 4 weeks before this 'deadline'. This gives clients the opportunity to re-review and re-approve suppliers far more regularly and easily than is possible with more traditional approaches to TPRM.
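As an added illustration (not Risk Ledger’s own code), the following Python models the two mechanisms just described: a weekly diff of a supplier’s control answers evaluated against a client’s bespoke policy, an activity feed holding the per-connection history, and the six-month re-assessment cycle with its four-week notice window. The snapshot data, the control names, and the 182-day approximation of six months are constructed assumptions.

```python
from datetime import date, timedelta

# Cadence from the article: re-assessment every 6 months (approximated here as
# 182 days, an assumption) and a 4-week window in which suppliers may start it.
REASSESSMENT_INTERVAL = timedelta(days=182)
NOTICE_WINDOW = timedelta(weeks=4)
# Constructed sample: one supplier's control answers in two successive weeks, and a
# client's bespoke requirements (None in a snapshot means "not answered").
PREVIOUS = {"MFA": "yes", "lockout": "yes", "encryption_at_rest": "yes"}
CURRENT = {"MFA": "no", "lockout": "yes", "encryption_at_rest": "yes", "pentest_annual": "yes"}
CLIENT_POLICY = {"MFA": "yes", "lockout": "yes"}

def diff_controls(previous, current):
    """Every control whose answer changed, as (control, old, new)."""
    return [(c, previous.get(c), current.get(c))
            for c in sorted(set(previous) | set(current))
            if previous.get(c) != current.get(c)]

def policy_breaches(controls, policy):
    """Controls whose current answer does not meet the client's requirement."""
    return sorted(c for c, required in policy.items() if controls.get(c) != required)

def weekly_update(previous, current, policy):
    """The weekly notification: what changed, and which changes matter under this policy."""
    changes = diff_controls(previous, current)
    breaches = set(policy_breaches(current, policy))
    return {"changed": changes,
            "new_breaches": [c for c, _, _ in changes if c in breaches],
            "resolved": [c for c, _, new in changes if c in policy and new == policy[c]]}

class ActivityFeed:
    """Per-connection history of control changes, kept for the lifetime of the connection."""
    def __init__(self):
        self.entries = []
    def record(self, when, changes):
        self.entries.extend((when, c, old, new) for c, old, new in changes)
    def history(self, control):
        return [(when, old, new) for when, c, old, new in self.entries if c == control]

def reassessment_status(last_assessed, today):
    """'not_yet', 'open' (inside the 4-week window) or 'overdue', plus the due date."""
    due = last_assessed + REASSESSMENT_INTERVAL
    if today > due:
        return "overdue", due
    return ("open" if today >= due - NOTICE_WINDOW else "not_yet"), due

def sample_run():
    """One weekly update on the constructed sample, plus where the supplier sits in its cycle."""
    feed = ActivityFeed()
    update = weekly_update(PREVIOUS, CURRENT, CLIENT_POLICY)
    feed.record(date(2024, 6, 10), update["changed"])
    status, due = reassessment_status(date(2024, 1, 1), date(2024, 6, 10))
    return update["new_breaches"], feed.history("MFA")[0][1:], status, due.isoformat()
```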

Many organisations are monitoring the same supplier

Because clients and suppliers both use the same platform, and because clients’ supply chains often overlap, especially within highly regulated industries, many organisations are reviewing the same suppliers on Risk Ledger at the same time. Because Risk Ledger uses a standardised assessment framework for all supplier security assessments, the more clients review the same supplier, the more the quality of the assessment data improves. This gives clients an additional degree of assurance that their suppliers’ security postures are maintained to a high standard at all times.

The Future of Continuous Monitoring

Risk Ledger’s future roadmap will allow us to continuously monitor the security controls of suppliers using technical integrations. Risk Ledger’s vision is for the platform to act as a de facto security operations centre (SOC) for the supply chain, actively detecting, responding to, and preventing attacks across a network of suppliers.
