Over the last several years, we’ve been performing more third-party risk assessments on behalf of our clients that are focused on manufacturing third parties across multiple countries in Asia. These assessments have focused on the protection of sensitive intellectual property, Operational Technology (OT) that could impact operations or quality, business continuity and disaster recovery capabilities, ransomware preparedness and in some cases, payment fraud.
While third party risk assessments can yield a wide range of results across various industries, there have been a few examples and themes that have stood out to us with these types of third parties:
- Most had never undergone a security assessment: Despite having multiple clients in the same or related industries, in most cases, it was clear that these companies had never gone through an exercise like this. In addition, only a small number of the very largest had pursued their own security assessments.
- “Cloud First” has allowed newer companies to avoid foundational security: Some third parties that appear large and/or sophisticated on the surface have managed to scale without many of the foundational security elements we often take for granted. The availability of sophisticated SaaS offerings has allowed these third parties to simply buy laptops for new employees, provision them with a few cloud accounts and entirely avoid things like directory services (e.g., Active Directory). These third parties essentially have no endpoint security, nor the types of monitoring capabilities that are critical to detect and disrupt common and relatively simple attacks.
- Ransomware is viewed as a virus: Only a small proportion of the third parties seemed to have fully considered ransomware. Most said things like “we have antivirus,” or “we tell users not to open suspicious e-mails.” Many viewed it as a traditional virus, saying they would be able to get it under control before it spread too far. Few seemed to understand the concept of human-operated ransomware, and only a couple had implemented precautions such as offline backups specifically for ransomware.
- Most were unaware of OT/ICS risks in their environment: While a majority of these third parties had some type of Operational Technology/ Industrial Control System (OT/ICS) in their environment, many had not considered the challenges posed from a security perspective or even managed them as technology systems. Quite a few initially answered questionnaires saying they did not have OT, but upon deeper inquiry during interviews, it turned out they had significant technology dependencies, security exposures, and operational criticality resulting in continuity risks and security exposures.
- DLP in surprising places: Some third parties that were otherwise low on the security maturity spectrum had surprising data loss protection (DLP) capabilities. However, these capabilities weren’t focused on prevention or blocking – they were set up to monitor their employees and ensure people were accountable for their actions. This strong apparent distrust of their employee base may be a risk indicator of a dysfunctional workplace or inadequate intellectual property protection.
- Vulnerability management: Each third party we assessed had good answers around Windows patching – it’s probably the first thing they thought of when they heard they were going to undergo a security assessment. However, many lacked capabilities around third-party application patching. The majority of third parties did not perform vulnerability scanning or penetration testing, and most were unprepared to deal with a significant zero-day exploit. A large proportion did not appear to have basic knowledge of these topics.
These types of results are by no means limited to manufacturing companies. In our experience performing third-party risk assessments for well over two decades, we have observed a general increase in security maturity among third parties, but progress has varied. Overall, the maturity level is low for the small to mid-sized third parties assessed, with many lacking experienced and skilled security and technology professionals to support their environment and to establish more mature programs. Data from organizations such as Shared Assessments also reflect this. There are certainly industries with very low maturity, in particular those with lower levels of regulation.
Businesses need to ensure they have an active third-party risk management program (TPRM) that considers risks beyond the large cloud providers and outsourcing partners that often have the “crown jewels” of their business. Among all third parties used, it is also important to think about which ones may have the lowest level of maturity, and what data or operations might be at risk in those environments. A TPRM program needs to do more than send out assessment questionnaires, but instead risk rank their third parties to simplify prioritization and then perform assessments that require active engagement with their third parties through interviews and demonstration (or evidence) of implemented safeguards.
The true value and risk reduction will come from effective monitoring and remediation processes. Simply engaging in discussions with these third parties will help establish some level of importance to the topic of security, and more interactive assessments can help bolster security as a priority at the highest levels of the third-party organization.