Cybercrime is not only a very real threat to online activity, it’s also growing at an alarming rate. With a projected cost of $9.22 trillion in 2024, that figure is expected to rise to $13.82 trillion by 2028. Cybersecurity experts are continually trying to fight that encroaching tide, with measures from awareness training to programs to detect cyberattacks.
Like any war, the effort against cybercrime is being fought on many fronts, and input is needed by businesses, governments, and individuals, as well as cybersecurity experts. One area gaining more attention is the threat from interactions with third parties and the need for more stringent third-party cyber risk management.
So, what is cybercrime, and how can third-party cyber risk management help?
What is cybercrime?
Cybercrime refers to any form of criminal activity targeting computers, computer networks, or any device linked to a network. In most cases, cybercriminals are looking for financial gain, but there can be other reasons for their activity, from industrial espionage to political or personal reasons.
While some cybercriminals act alone, the majority work together, either as part of organised crime syndicates, or as groups who have come together over the internet. There are also many different types of cybercrime with varying degrees of malice and/or potential damage. These include:
- Internet-based fraud (including via emails).
- Identity fraud.
- Industrial espionage (stealing and selling corporate data).
- Cyberextortion (demanding money from a business to prevent attacks such as DDoS— Distributed Denial-of-Service); this also includes ransomware.
- Financial crimes (including theft of card or bank details).
- Theft of financial or card payment data.
- Cyber-espionage (the theft of government data or information).
- Copyright infringement.
- Illegal pornography.
This list is not exhaustive, which shows you just how widespread and problematic cybercrime has become in this digital era.
What is third-party cyber risk management?
Third-party cyber risk management (TPCRM) is the process of identifying, assessing, and managing (or mitigating) any potential cyber threats that may arise due to interactions with third parties. Those interactions could occur anywhere in your online activities, from your supply chain to working with affiliates.
TPCRM looks to provide a robust wall of protection against cybercrime by implementing policies that cover all online interactions with third parties and ensure that those parties follow a number of rules and regulations.
We’ve listed some of these below:
- Comply with any regulations you may decide on or which are part of your sector’s regulatory framework.
- Avoid any unethical or questionable practices.
- Ensure that all confidential data and information is protected and not released into the public domain or passed on to others.
- Build a high level of security within your supply chain.
- Have contingency and mitigation plans in the event of cyberattacks, including a disaster recovery plan.
- Provide a safe working environment and raise cybersecurity risk awareness amongst employees.
Why is third-party cyber risk management essential?
In today’s world, where digital innovation technology is commonplace, things are rarely a linear path from business to customer. Most organizations have some form of third-party involvement. Those third parties can range from shipping or logistics providers to external digital marketing agencies and other suppliers or vendors.
As the saying goes, “if more than one person knows something, it’s no longer a secret”, though in this case, the more people/businesses in your online chain, the greater the chance of a weak link being prone to a cyberattack. Businesses want to eliminate operational risks and other threats or, at the very least, minimize those risks and mitigate any potential scenarios that may arise as a result of any risk.
When a cybercrime does occur, a business may be exposed to potentially serious damage. That can range from financial losses to a major data securiy breach. You also need to consider that when a business admits to any form of serious attack, its reputation may be damaged, and it will have to work hard to rebuild consumer trust.
There is also the question of any applicable laws and regulations, and a business may face hefty fines as a result of the attack.
Common types of third-party cybercrime
While there are many types of cybercrime, there are common ones that arise as a result of a weak third-party link in your chain. These are the ones that organizations need to be most aware of when bringing a new third party into your business network.
Data breaches
This is now a very common form of cyberattack that happens because of third-party involvement. The risk of such attacks has grown as more businesses switch to cloud-based services and increasingly look to external security teams or IT providers, as well as more use of SaaS products.
Whenever you contract with a third party, you should ask yourself two main questions: “what is the risk of a data breach involving this entity”, and “what is IT risk management going to do to help with any risk?”. You should always look at potential third-party risks and damage and work closely with any new partner to eliminate or minimize that risk.
Ransomware and DDoS attacks
In 2023, there were a staggering 317.59 million attempts at mounting a ransomware attack. With a ransomware attack, malware steals or encrypts crucial business data and then holds it for ransom (usually to be paid in cryptocurrency). While the number of ransomware attacks declined in 2023, payments made reached a record high of more than $1 billion.
DDoS attacks can take a single machine, a website, or an entire network offline. Many of these attacks are malicious in nature but can cost businesses an average of $6000 per minute in lost revenue, as well as a damaged reputation, customer churn, and IT costs.
Compliance
If you handle any sort of sensitive data, such as customers’ financial information, compliance with applicable laws and regulations, including the use of consent forms, is essential to ensure data privacy and security. This requirement holds not only for your internal operations but also mandates that third-party vendors adhere to similar standards.
You may have stringent in-house cybersecurity measures to protect that data, but can the same be said for the third parties you interact with? Do they meet compliance requirements?
You have direct oversight via policies such as HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and others. These may govern not only how you manage data, but also how you grant access to third parties. Failure to comply can lead to financial penalties and a reduction in trust from your customers.
You may already have SOC 2 compliance so that is a step in the right direction, but is it something your third-party vendors and suppliers have too?
TPCRM challenges
Everything you do comes with a certain level of challenges or difficulty; every new technology, every new process or system, and TPCRM is no different. One of the cornerstones of an effective TPCRM policy is recognizing those challenges and meeting them head-on. While factors such as the sheer volume of IT infrastructure and evolving laws and regulations are out of your control, there are other factors you can do something about.
If you look back even 10 years, you can see how much has changed when it comes to IT and technology. AI (artificial intelligence) was still mostly in the realm of science fiction, while today, artificial intelligence is an integral part of the business landscape.
You need agile IT policies to meet that changing landscape and the increased volume and complexity of cybercrime.
- Relationships. With an increasing number of third parties in most companies’ business networks, there is a related increase in all parties relying on technology as well as an increased risk of cyberattacks. You should first audit the security measures of any potential new partner, then include cybersecurity-related clauses in any contract or SLA (service-level agreement).
- Changes. As mentioned, the business landscape is changing, and the regulatory environment is constantly evolving. Businesses should keep up to date with general data protection laws as well as any industry-specific regulations.
- Monitoring. Most businesses may conduct an initial audit of a potential partner’s cybersecurity measures, but you must revisit that assessment irregularly. Assessments should be conducted regularly to ensure that your partner complies with all requirements and has updated protection when available.
What should you include in your third-party cyber risk management policy?
You likely have several risk mitigation policies—including operating risk management—within your organization. When it comes to the risk levels of cyberattacks, you should have several crucial steps in your policy, both in the first steps to a relationship and on an ongoing basis.
Evaluation
Once you have identified a potential partner, risk profiles should be your first step in establishing a relationship. You want to identify any risks that may occur if the relationship moves forward, as well as security ratings. However, remember that your vendor risk assessment may lead to the third party improving things to meet your requirements.
Engagement
The next step in any relationship—especially if the assessment of the potential partner has exposed some weaknesses—is to engage with them and suggest improvements that can be made to their security controls.
In these discussions, emphasizing pricing transparency is crucial. It ensures that all costs associated with cybersecurity measures are clearly outlined and agreed upon, preventing any hidden charges and fostering trust in the partnership.
This can be an essential step if there is an applicable regulatory framework they need to comply with. You will also want to know how robust their internal security is.
Remediation
You may find yourself at a fork in the road at this point. If a potential partner presents unacceptable levels of risk and won’t address them, then walk away. However, if the partner recognizes the risks, they may work with you to remedy them.
Decision
Your penultimate step is to walk away or to sign a contract or SLA with the vendor. Any contract should include the specific steps the vendor should take to address any identified risks.
Monitoring
Once you have moved into an actual business relationship, you should still be diligent about cybersecurity, especially if the initial evaluation identified potential risks. Once that relationship has started, the vendor may have access to critical systems and sensitive information, and continuous monitoring and audits are essential elements as third-party relationships move forward.
Third-party cyber risk management best practices
When you develop a TPCRM policy, there are several best practices that you should include in any plan.
1. Define your goals
You should be looking at how your TCPRM plan aligns with your organizational goals and other management and risk policies you have. For example, ask yourself what is corporate performance management (CPM) going to contribute to your TCPRM. Identify any and all relevant risks within your organization that may affect your cybersecurity.
You can also think about how other risks such as geopolitical or financial risk may increase the risk of cybercrime. Develop an overall third-party risk management framework that recognizes where there are interrelationships and places your TCPRM at the center.
2. Involve all stakeholders
For any TCPRM plan to be effective, you need to involve all the stakeholders, both those within your organization and the relevant personnel at any partners. Foster a high level of collaboration through efficient communication and, if possible, regular meetings in person or as video conferences. It can help to have that high level of involvement from the beginning.
3. Implement robust monitoring strategies
The importance of monitoring potential threats cannot be stressed enough. You should be monitoring both your business partners and your internal business operations. It should also be a regular activity and any identified risks should be shared between all stakeholders. This sharing of information should also extend to factors such as essential software security updates.
Monitoring can be especially important when initial evaluations have identified risks, even when the vendor has taken action to remove or mitigate that risk.
4. Categorize identified risks
Not all risks are created equal, but they’re still risks. This extends to the third parties you partner with, and you can also determine how important that provider is. For example, if your fulfillment center was in an area with no other logistics providers, then the vendor you choose would be of more importance to you than one in an area where there were lots of alternative service providers.
Businesses tend to divide their third-party partners into one of three categories.
- Tier 1 – a vendor with a high level of importance to your business and also with high risk.
- Tier 2 – Medium importance and risk.
- Tier 3 – Low importance and risk.
Of course, it can be a little more complicated than that. A vendor may be of high importance but carries low risk, and so on. This is why the evaluation process is so important. By identifying how important and the level of risk a potential partner is, your organization can prioritize which vendors and issues to deal with.
The takeaway
It doesn’t matter whether you are a large enterprise or a small business, cybercrime is a very real risk. It can present operational, financial, and reputational risks. Your cybersecurity posture needs to be a strong one, especially when onboarding a new third-party partner. Look at how regulatory requirements could penalize you, and you will understand how important stringent cybersecurity is.
Evaluation and ongoing monitoring can provide you with actionable insights and can highlight weak links in the chain. Effective third-party risk management is crucial for any business that works with external partners. When security risks do happen, you want to ensure business continuity with a strong third-party cyber risk management plan.