The Conundrum of Handling the Challenge of Third-Party Digital Risk Management (Part 1)

INTRODUCTION

Over the coming three weeks, White Label Consultancy will publish three blog posts on the topic of third-party digital risk management, taking the customer and organization perspectives, which will emanate in a white paper that will be shared in three weeks. This week’s blog post will be about the “Problem Statement” of digital risk management, highlighting starting points and problem scenarios that need to be identified and qualified by the organization. The two subsequent blog posts relate directly to the “Problem Statement” as they cover “The Challenge of Continually Mitigating Digital Risk,” followed by the third blog post, “Securing the Right Vendors for the Cyber Security and Data Privacy Domains”. Finally, these three sections will comprise the bulk of the White Paper, in addition to including findings and conclusions.

PROBLEM STATEMENT

The topic of third-party digital risk management in cyber security and data privacy presents a set of exponentially growing challenges that increasingly require systematic management to maintain secure infrastructure and strategic assets, such as IT networks, customer and user databases, etc. With massively propagating digitalization projected to grow in complexity and omnipresence, it becomes business-critical for the organization to manage third-party digital risk. In essence, third-party digital risk management enables the organization to align third-party digital risk for cyber security and data protection with business strategy and objectives, internal processes, and critical functions – CSR, finance, etc.

When digital risks are associated with supply-chain, recent global trends point towards an increasing concern that vendors make up one of the most targeted links in the organization’s internal control chain. The following major global digital risk development trends illustrate the direct influence of increased digitalization on digital risk:

• 7th – most critical threat to the world is the ‘risk of cyber security failure’ in the next 0-2 years (source WEF Global Threats Report)
• Global chip shortage is not the only aspect currently affecting supply chains worldwide. New research from the NCC Group illustrates that the number of cyberattacks on these supply chains increased by 51% during the last six months of 2021.
• The same NCC Group study, which surveyed 1,400 cybersecurity decision-makers, found that 36% said they are more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers. Just over half (53%) said that their company and its suppliers are equally responsible for the security of supply chains.
• Around 62% of the attacks on customers took advantage of their trust in their supplier (source: ENISA).
• Around 58% of the supply chain attacks aim to gain access to data (customer data, including personal data and intellectual property), and around 16% to gain access to people (source: ENISA).
• €3,7m – the average cost of a data breach, e.g., 10% higher than the year before 2020 (source IBM/ Ponemon institute).

Continued growth is expanding of implementation and usage of multiple technologies working in concert, including artificial intelligence (AI), Internet of Things (IoT)/Internet of Robotic Things-enabled devices, edge computing, blockchain, and 5G. While these capabilities afford tremendous opportunities for businesses and societies to use technology in ways that can dramatically improve efficiency, quality, and productivity, these same capabilities also expose users to elevated and more severe forms of digital risk. With the continuous emergence of new technologies and the increasing dependency on these as critical assets, the risk of a cyber-attack happening in the supply-chain increases vastly. Typical critical assets targeted by a supply chain attack resulting from inadequate digital risk management may be categorized as follows:

• Business Information
  • BI data, e.g., customer data, employee records, credentials, sales data, financial data, and intellectual property.
• Critical infrastructure
  • User databases, IT networks, electricity grid, nuclear power plants, etc.
  • BI processes, e.g., documentation of internal processes of operation and configurations, insertion of new malicious processes, and documents of schematics.
  • Common Interface bandwidth, e.g., use the bandwidth for Distributed Denial of Service (DDoS), sending SPAM, or infecting others on a large scale.
  • SBI software, e.g., access to the customer product source code, modification of the software of the customer.
• Personal information (customer and employee data)
  • BI data, e.g., payment data, passwords, video feeds, documents, emails, passport and identification documents, and flight plans.
• Financial assets
  • Financial, e.g., stealing cryptocurrency, hijacking bank accounts, and money transfers.
• People (targeted individuals)
  • Individuals targeted due to their position or knowledge, such as heads of state, politicians, business persons, military staff, etc.

As digitalization progresses, the conceptual definition of secure digitalization remains unclear, posing increased uncontrollable digital risk resulting from chaotic digitalization growth. Rapid digitalization in advanced economies during COVID-19 has also led to new cyber vulnerabilities, a global concern that cyber security could further hamper attempts to promote rapid and inclusive digitalization globally. Therefore, with accelerating third-party digital risk, the need for digital mitigation and protection has significantly increased security investments. The interaction between digitalization and growing cyber threats also carries intangible financial consequences. Proactively and reactively, preventive cyber security investments occur, often lacking organizational maturity and processes to measure both financial return and operational effects from increasingly large-scale security spending and investments triggered by the mounting need to control digital risk. 

Beyond managing and sustaining the financial challenges caused by digital risk, organizations need to strengthen multi-functional efforts to build the required digital risk process foundation, comprehensively covering the implementation of processes on the determination of internal maturity and understanding of digital risk and the identification and measurement of digital risk. Consequently, operational models frequently shift and lead to an organization redefining its blueprint based on more stringent identification and mitigation procedures to support business-critical digital risk management directly. Such shifts propel major changes as new security requirements thoroughly influence how new roles and responsibilities are defined. Critical questions emerge and are posed to the organization in terms of what digital risk functions are mandatory to be retained, which ones may be relinquished to external third parties, and what strategic and architectural interface requirements must be deployed between retained and external functions within the scope of the new operational model. Implementation of new digital risk-specific roles and responsibilities will shape the wider organizational context regarding how it addresses new and continual challenges posed by digital risk. It will be vital to secure that ambitions and value-creation expectations materialize.

Real-life examples further illustrating how unmanaged and unpredictable third-party digital risk impacts organizations and investments include:

• The company, Target, was exposed to attackers who were able to exploit third-party access to exfiltrate payment information, impacting more than 41 million customers. According to USA Today, Target was responsible for paying the largest settlement related to a data breach at that time — $18.5 million.
• SolarWinds experienced a cyber-attack resulting in filing a process with the Securities Exchange Commission, stating the impact could be up to 18,000 customers. The scope includes notable organizations and potential implications for government agencies. The known impact of this attack is continuing to grow as new information emerges, prompting the cybersecurity community to respond on a mass scale to an evolving threat.
• In 2019, Yahoo struck a $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. Yahoo affirmed that all 3 billion of its user accounts were impacted. This also impacted Verizon’s acquisition of Yahoo as its sale price was reduced by $350 million, down to $4.48 billion.
• The cyber-campaign Cloud Hopper, considered one of the largest attacks ever, deliberately targeted supply-chain gaps and weaknesses, allowing attackers to access highly sensitive information in multiple North American and European organizations such as HP, Ericsson, Visma, etc. There have been allegations that the Chinese authorities were responsible for coordinating this effort as a significant measure of international large-scale industrial espionage (Source: Reuters).
• Based on the massive cybersecurity breach in Australia’s second-largest mobile operator, Optus, in September 2022, there was a breach of private data from 10 million accounts, exposing about 40 % of the Australian population to financial crime. Current estimates indicate the giant Optus hack may wipe out a quarter of Singtel’s (Optus owner) annual profits and could top $420, based on typical costs (source: U.S. News & World Report, Bloomberg).