The topic, as I've mentioned before, is securely managing the access of partners and vendors: people who have access to systems on your side. Your partners have access to your systems, be they on-premise or in the cloud. So we want to talk about the third-party ecosystem: what is it, where does it come from, and where are we heading? We also want to talk about tools and technologies for third-party access management, but that is just the second part.
So you see that the tooling part is not necessarily the most important part, because in the third part we want to talk about best practices for a third-party risk management framework, i.e. how to deal with this beyond technology. It's always good to start a presentation with a nice quote, and I like this one: "The internet gave us access to everything, but it also gave everything access to us."
So this needs to be prevented or managed. The access that is required should be made possible, and everything else should be prevented. So let's deal with this.
Everything has access to us, in the proper way. So who is having access to us? It's those we are doing business with, those who need, on a legitimate basis, access to the systems that we are facing. So: the foundation and the challenges of what we call the third-party ecosystem, and where it comes from. We have an ever-growing third-party ecosystem, and it started with organizations focusing more on what they do best and not doing what they would additionally have to do to make their business work. Focus on what you do best, outsource the rest.
So: third parties for non-focused functions, for example the cloud for hosting, or specialty services.
When it comes to providing services that you really do not want to provide and somebody else is really good at, think of Google Analytics, for example. Operational efficiency, cutting costs, bridging skill gaps: all good reasons for moving to third parties for delivering services along the supply chain, to deliver your services and your products as a company. But that has changed over time.
It has extended; it continued with the outsourcing of core functions as well, by changing your operating model, your target operating model, saying: okay, this was formerly one of my core capabilities, but somebody else can do this cheaper or better than us, so let's outsource here as well. So new target operating models and a re-envisioning of work models and collaboration. All of that led, and leads, to an exponentially expanding third-party ecosystem, and that of course leads to an ever-growing third-party attack surface.
So we need to make sure that those who are within our systems and need that access don't do things that we don't expect them to do.
And especially when we think of ourselves as being well protected (of course we pretend that we are), maybe the partner, the ecosystem, the third party is not well protected. What happens when they have access to your systems? There has been a study, shown here, which is already some years old but still really impressive, that asks: what happens when it comes to a third-party data breach or a third-party attack?
The study was executed by the Ponemon Institute. It surveyed over a thousand companies in the US and the UK, and 59%, more than half of these organizations, had confirmed data breaches caused by third parties, 42% within the 12 months preceding the survey.
More interesting: 22% don't know, which is challenging, actually. One should know.
But the real issue here is whether they are confident that they would be informed in case of a third-party data breach: only 29% said they would be confident of being informed. And if we add another level of supply chain distance, when something happens at an nth party which handles data for you, for example, only 12% of organizations thought they might be properly informed.
And this is mainly an issue that organizations should work on, to prevent that and to improve the processes, because the consequences can be severe. I have an example on the left; I won't read it out, but if I remember correctly something went wrong in a mail server that was operated by a third party for this organization, and it ended up in a third-party data breach with exfiltration of data and all the potential damages that could happen.
And these consequences that result from that could of course be severe, and are severe. It could be reputational damage.
So your partners don't trust you anymore, your customers go away, you have brand damage, you have financial impact, fines, business disruption, and you can think of many other reasons for financial impact. Data could be disclosed, especially personal data, sensitive data or trade secrets, and the legal impacts, the liability, the lawsuits, the communication required, can be expensive as well. So the consequences are quite heavy here. So what to do? Let's look at the technology side. There are tools and capabilities, and they should be used properly.
Starting out first with access management, the topic of today's KC Live event. Marina has described it and I can describe it: it's authentication, authorization and access to applications and IT systems, and this is usually built into identity and access management solutions.
They are well established; they are usually around, but they are typically for employees and not necessarily for partner organizations, which have their own structure and need individual access for the individual users within the partner organization.
Next step: third-party access management tools. They are around, there are not that many, but they are around, and they are especially designed to manage the access of non-traditional third-party actors. So not the external freelancer that you have as a third party, who might be onboarded into your IAM, but vendors, customers, large sets of contractors and others that are not on the official payroll. These third-party access management solutions usually integrate or federate with an employee IAM, and there are two ways.
Either they govern the non-employee identity lifecycles from onboarding through offboarding, so the identity lifecycle happens within the tool and it's done within your responsibility, or you can even delegate administration to trusted partner admins. So you really onboard an organization, you nominate a partner admin, and they are able to administer their own people. Third solution: third-party PAM. That is the application of PAM principles to third-party access.
And that of course is especially important when these external parties have privileged access, elevated access, do administration, server updates, whatever you can think of. So you then have MFA and biometrics, you have session management for these external partners, you have session recording and all the capabilities that you can think of when you think of PAM.
So technology should be solved, but we need to go beyond technology. That's the most important part, I think, when it comes to third-party access management, because we all know the saying "a fool with a tool" and how that continues.
So let's make that better. I have composed a set of best practices for third-party access risk management: which steps could or should be executed when it comes to doing this properly. And it aims at what is in the subtitle: transparency, ownership, control and, in the end, resilience. So let's start with knowing who is there. The first step is of course to maintain a list of third-party vendors with whom you do business, with whom your organization has a relationship. That's the first step.
Have a list of that, just put it down, and think for all of these third parties about which cybersecurity risks could arise through this organization having access to your systems.
So what can these organizations expose you to? Then understand what they are actually doing. Is this a highly important organization that provides core functions? Think of really outsourcing, for example, payment processes to a third party. Or is this something where only support services are provided?
So you can have a classification: you have an inventory, you have them classified, and you know which risks can happen. Then the next step clearly is a risk rating: assign a security risk rating. Critical business operations or work with sensitive data (PII, for example, or payment data, or even healthcare data) of course has to lead to a higher risk. And that then also leads you to a prioritization, so that you understand who's on the list, what do they do, what are the risks they could pose, and how important are they for your organization.
So that is an important starting point when it comes to understanding your third-party access risk. The first steps, as we've seen, are really about understanding the risk; the next step is to manage the risk. So ideally top down, implement controls. Now we are at the tool level: implement appropriate controls. And this includes, apart from access management, many other steps. For example, encryption at rest and in transit, so data is not that easily accessible anymore as long as you don't have legitimate access to the system. Implement MFA.
Multi-factor authentication still is not everywhere, unfortunately. Implement access management and governance: applying access, assigning roles and making sure that governance is executed, so that it is really understood what happens when you look at the access assigned to the individual stakeholders. You need to make sure that this is done properly. User behavior analytics: of course they are dealing with your systems. It needs to be well arranged when it comes to legal and privacy issues, problems and agreements.
But this is an option to understand what they are doing on your systems, and many more cybersecurity measures are in place. But again, very important: access management and access governance as one part of the pool of controls that can be implemented to mitigate that risk.
But this is not over; this is not a spot check. You need to make sure that you understand the changes within your partner landscape, within your third parties. Also monitor the changes in your contractual relationship, in the way that you engage them. Are the tasks changing?
Are the responsibilities changing? Is the team changing? Are they adding another third party to their supply chain? And what impact does this have on your assessment when you go back to the first four steps?
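As an added illustration (not part of the original talk), the control and monitoring steps above, i.e. least privilege against the contracted scope, MFA for privileged third-party accounts, offboarding when the engagement ends, and dormant-account detection, can be turned into a periodic review over the third-party account inventory. The vendors, users, roles and dates are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class ThirdPartyAccount:
    user: str
    vendor: str
    roles: frozenset        # entitlements currently assigned in the IAM
    privileged: bool        # elevated/admin access (PAM territory)
    mfa_enabled: bool
    contract_end: date      # end of the engagement on record
    last_login: Optional[date]

# Roles each engagement actually requires (hypothetical, constructed for this example).
CONTRACT_SCOPE = {
    "PayCo": frozenset({"payments-operator"}),
    "HelpDeskInc": frozenset({"ticket-agent"}),
}

def review_third_party_access(accounts, scope, today, max_idle_days=90):
    """Return (user, finding) pairs for accounts violating the third-party controls:
    stale engagement, roles beyond contracted scope, privileged access without MFA, dormancy."""
    findings = []
    for a in accounts:
        if a.contract_end < today:
            findings.append((a.user, "offboard: contract ended but account is still active"))
        extra = a.roles - scope.get(a.vendor, frozenset())
        if extra:
            findings.append((a.user, "least-privilege: roles outside contracted scope: "
                             + ", ".join(sorted(extra))))
        if a.privileged and not a.mfa_enabled:
            findings.append((a.user, "mfa: privileged third-party account without MFA"))
        idle = None if a.last_login is None else (today - a.last_login).days
        if idle is None or idle > max_idle_days:
            findings.append((a.user, "dormant: no login within %d days" % max_idle_days))
    return findings

# Constructed sample inventory (no real vendors or users).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    ThirdPartyAccount("alice@payco.example", "PayCo", frozenset({"payments-operator"}),
                      False, True, date(2024, 12, 31), date(2024, 5, 28)),
    ThirdPartyAccount("bob@payco.example", "PayCo", frozenset({"payments-operator", "db-admin"}),
                      True, False, date(2024, 12, 31), date(2024, 5, 30)),
    ThirdPartyAccount("carol@helpdesk.example", "HelpDeskInc", frozenset({"ticket-agent"}),
                      False, True, date(2024, 3, 31), date(2024, 1, 15)),
]
if __name__ == "__main__":
    for user, finding in review_third_party_access(SAMPLE_ACCOUNTS, CONTRACT_SCOPE, TODAY):
        print(user, "->", finding)
```

Running the review periodically, and again whenever the contract, the team or the scope of work changes, is what turns the checklist into a process rather than a spot check.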
Finally, resilience. You need to take one step back and understand: I have this reliance on my third-party ecosystem, so I need to make sure that in case something does happen, I can react properly to incidents that might happen and probably will happen. So create, and test, contingency plans.
What happens if this highly critical third party, providing very core business functions, that you have a contract with goes out of business, or when you consider them to be insecure? You need to have a plan for that. Otherwise you are more or less running blind into a potentially uncontrollable risk. And if you have a plan for that: no plan is good unless it is tested. So test the contingency plans for when a third party is considered risky, but also for when quality is below par, which is not access management but should be covered there as well, or when a data breach really occurs.
So this set of steps surely can be identified as best practices when it comes to third-party access risk management. Four key takeaways from my side. First of all, make sure that you onboard or do an inventory of your third parties, and that really means: analyze your vendors and your partners thoroughly. Look at their processes, policies and certifications, and at their third parties. You own not only a contract with your partner but implicitly one with a long chain of their supply chain as well.
And as long as they're not properly understood, maybe you don't want to give them access, or you don't want to give them access to critical processes or data.
Sounds like a no-brainer: least privilege. Really reduce third-party access to sensitive data. Be as restrictive as possible if they need to have it. Really make sure that it is as delimited from anything else they might have access to as possible. Really reduce access; least privilege is really key. I've mentioned that on the slide before: it is a process, not a spot check.
Monitor your third parties, make them prove effectiveness and demonstrate being up to date in security. This is something that should be executed continuously, or at least in intervals that make sense for the overall relationship and the contractual agreement.
And sometimes this also needs to be well understood: you can only require from your third parties what you also do yourselves. So make sure your own organization and your staff can at least keep up with, or are better than, what is required from your third party.
And that covers all the aspects that our colleagues here at KuppingerCole are talking about all the time when it comes to cybersecurity: proper policies, proper training, proper processes, also with lifecycle management for the processes and policies, and proper cyber hygiene. You cannot request from somebody anything that you do not practice yourself; otherwise it doesn't even make sense. Why should your partners be better? And then it gets lost within processes that you execute that are not properly implemented and not lived by the team.
So these would be my four spot checks, my four key takeaways when it comes to this presentation. Like Eve did, part of these images were created by AI, and as AI is a huge topic currently as well, and everybody has played around with ChatGPT (I assume you did as well),
I did a quick check against what the AI chatbot says: does it agree with what I presented here? So I asked ChatGPT for a second opinion on third-party access risk governance. The question: how important is third-party access risk governance?
And I think if you have played around with this chat engine, you have seen many not-so-good, not-so-intelligent responses. But actually this one is good, and it's great to see that the big AI also agrees with me. It highlights the importance of establishing policies, processes and procedures for controlling and monitoring access for third parties. And that is really a key requirement when you are working with an extensive third-party ecosystem: prevent data breaches and security incidents,
prevent unauthorized access to an organization's systems and data by third parties. So, good to see. I don't know whether or not we will be replaced by AI chatbots as analysts in the future, but for now not. But it's great that the AI chatbot agreed with me. And that's it for my presentation for today.