
Mastering strategies to tackle fourth-party cyber risks, ET CISO

Cyber risks, the potential for an organization to experience loss or damage due to cyber attacks, data breaches, or other cyber-related incidents, have increasingly captured the attention of business leaders, as they represent significant operational challenges with the potential to cause severe financial losses and irreparable harm to an organization’s reputation. Such threats have never been nearer than today: according to the Check Point Threat Intelligence Report, an organization in India has been attacked on average 3304 times per week over the last 6 months, compared with 1854 attacks per organization globally. Among cyber risks, third-party or supply chain risks have become one of the most challenging areas, as heavy and unavoidable reliance on third parties such as cloud and SaaS providers is a reality of today’s IT and security operations. Organizations’ sensitive and proprietary data is transmitted to, processed by, and stored in third parties’ computing environments. But when those third parties in turn engage other external parties (i.e., fourth parties) to support their operations and handle your organization’s data, how well do these parties protect it?

Figure 1: Fourth-Party Relationships in Supply Chain Management

How to identify fourth-party risks?

Since many fourth parties may be involved in the supply chain, identifying who handles your organization’s sensitive information behind the scenes is the most important first step. Vendor due diligence requirements in cyber security laws and guidelines for highly regulated sectors such as banking, insurance, and health care may already have required risk managers to request fourth-party information from third parties. A contractual clause stipulating this disclosure makes the information easier to collect. But when no such clause exists in already-signed contracts, and unwilling vendors push back on or ignore requests for the information, what else can organizations do?

External attack surface management (EASM) is the practice of identifying potential vulnerabilities and security gaps in an organization’s public-facing digital attack surface, including the SaaS providers that the organization is “linked” to as third parties and fourth parties. EASM, which is often itself a SaaS solution that presents scan results in a dashboard, typically needs no connection into the organization’s environment and performs its scans using only minimal domain information about the organization. It works to identify IT assets that are publicly accessible and any vulnerabilities that may exist within them. One of the most powerful capabilities of EASM tools is their ability to discover internet-facing IT assets that the organization may not even know about, including those of third parties and fourth parties. These AI-powered EASM tools continuously survey and scan the organization’s digital surface, identify new assets as they appear, and report on the vulnerabilities, threats, and risks via the dashboard.
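As an added illustration, not code from the article or from any EASM product, the following Python walks the SPF "include:" chains an organization publishes in DNS to show how one public signal, starting from nothing but the organization's domain, surfaces third parties (direct includes), fourth parties (includes pulled in by a third party's own record) and suppliers shared by several vendors, which is the concentration-risk case. All domain names and TXT records are constructed and embedded inline so the walk runs offline.

```python
import re
from collections import deque

# Constructed SPF TXT records keyed by domain (all names hypothetical). A real check would
# fetch these via DNS; they are embedded here so the walk runs offline and deterministically.
SPF_RECORDS = {
    "example-org.test": "v=spf1 include:_spf.mailvendor.test include:crm-saas.test -all",
    "_spf.mailvendor.test": "v=spf1 include:relay-provider.test ip4:203.0.113.0/24 ~all",
    "crm-saas.test": "v=spf1 include:_spf.mailvendor.test include:ticketing.test -all",
    "relay-provider.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "ticketing.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

INCLUDE = re.compile(r"\binclude:(\S+)")
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4 allows at most 10 DNS-querying mechanisms per evaluation


def map_suppliers(org_domain, records=SPF_RECORDS):
    """Breadth-first walk of include: chains from org_domain. Returns (suppliers, over_limit).
    suppliers maps domain -> {"depth": shortest hops (1 = third party, 2+ = fourth party or deeper),
    "referenced_by": set of domains whose SPF pulls it in}. Only include: counts toward the limit."""
    suppliers = {}
    queue = deque([(org_domain, 0)])
    lookups = 0
    while queue:
        current, depth = queue.popleft()
        for target in INCLUDE.findall(records.get(current, "")):
            lookups += 1
            if lookups > MAX_LOOKUPS:  # the chain itself is misconfigured; stop and flag it
                return suppliers, True
            first_seen = target not in suppliers
            entry = suppliers.setdefault(target, {"depth": depth + 1, "referenced_by": set()})
            entry["referenced_by"].add(current)
            if first_seen:  # BFS: the first discovery is the shortest path, so depth is final
                queue.append((target, depth + 1))
    return suppliers, False


def classify(suppliers):
    """Split the map into third parties, fourth parties and shared suppliers (concentration risk)."""
    third = sorted(d for d, e in suppliers.items() if e["depth"] == 1)
    fourth = sorted(d for d, e in suppliers.items() if e["depth"] >= 2)
    shared = sorted(d for d, e in suppliers.items() if len(e["referenced_by"]) >= 2)
    return third, fourth, shared


if __name__ == "__main__":
    found, over = map_suppliers("example-org.test")
    print(classify(found), "include chain exceeds RFC 7208 lookup limit:", over)
```

A supplier contracted directly is classified as a third party even when another vendor also depends on it; the shared list is what exposes that overlap.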

Figure 2: A sample dashboard from an EASM tool

How to manage fourth-party risks?

To manage fourth-party risks, organizations can ask their third parties to explain the mechanisms they use to monitor the security controls of the fourth parties, including how and when the organization will be notified of security incidents that may affect its operations and data. It is also a good opportunity to review the third parties’ SLAs for security incident notification and determine whether the timeframe aligns with your company’s disaster recovery and business continuity policies and regulatory requirements.

As part of effective continuous monitoring of third parties, likely through a commercial-grade security scoring tool, your organization should also include the high-risk fourth parties, monitor their security scores, and be proactively made aware of fourth parties’ direct breaches and even downtime that could cause outages or financial loss to your business. Additionally, with an EASM tool, continuous or regular scans can be performed to uncover vulnerabilities and misconfigurations in both third parties and fourth parties, giving the vendors a basis for timely remediation.

What can be done to reduce your third parties’ concentration risk?

If your third parties rely heavily on one common vendor (i.e., fourth party) to deliver services to your organization, you may not feel entirely comfortable with the risk of a single point of failure. Concentration risk can mean over-reliance on a single company to deliver critical services and/or on resources from a region that has recently been plagued by civil unrest or war. Your organization can discuss concentration risk with its third parties and raise this concern with them. In larger third parties, the risk management department has often already considered concentration risk and may have data to quantify it and plans to reduce it.

Who in your organization should monitor the fourth parties and their risk?

Managing third-party, fourth-party, and supply chain risks usually requires cross-departmental effort. The organization’s procurement and/or third-party vendor management departments may be centrally responsible for onboarding vendors and completing initial and continuous due diligence. However, in many cases the direct interaction with the third parties – receiving the services, determining the service levels, and knowing who the fourth parties are – is done by the IT and application owners, who are decentralized from the enterprise-level departments.

IT and application owners are the very people whom front-end users of the applications or tools contact in cases of system outages, glitches, and security incidents, and they may have collected such service and security data over time. Disconnects between the enterprise-level departments and the front-line owners who deal with the third-party relationships first-hand often arise when actual service levels are not communicated, or not communicated in a timely manner. This is particularly likely when there is no enterprise-wide procurement, third-party vendor, or supply chain management platform in place.

To improve communication, organizations should mandate at least an annual update of third- and fourth-party information in the platform, preferably aligned with the timeline for reviewing SLAs and renewing contracts. Such a platform should ideally be able to integrate with a service that provides vendors’ security scores, displaying all the pertinent information in a single pane of glass. A RACI chart detailing the roles and responsibilities of the “centralized” and “decentralized” stakeholders should be created as well.

Effectively managing supply chain risks takes a multi-faceted approach: an effective vendor risk management program, a commercial-grade vendor management platform, an EASM tool, and enhanced contractual agreements that include fourth-party disclosure, among other measures. It is also evident that only by bringing people, processes, and technologies together in a thoughtful and coherent way can fourth-party risks be managed at all.

The author is Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies

Disclaimer: The views expressed are solely of the author and ETCISO does not necessarily subscribe to it. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.

Published On Dec 11, 2024 at 10:15 AM IST
