Manufacturers must eliminate the third-party risk management blind spots to protect their organizations.
By David Pignolet, CEO, SecZetta
Most readers of this article have at least one system or, more likely, several systems in place to manage their supply chains. Managing all of these systems has become increasingly more complex given the escalating number of third-party, non-employees (e.g., contractors, partners and “things”) that need access to various applications and essential data.
This, coupled with how digitized the manufacturing world has become with Industry 4.0, creates a significant risk with regards to security. Without proper management of and insight into third-party access, the threats of potential IP loss, including trade secrets on products being manufactured; sensitive customer data exposure; and even safety hazards, are very real.
Third-Party Security Shortcomings and Challenges
Manufacturing organizations consider the risk of third parties when they provision access to partners and contractors outside of the organization; however, they still lack the proper governance to manage, measure and mitigate the potential threats these non-employee identities cause. In fact, data shows 59% of all data breaches can be traced to third parties, and only 16% of organizations say they can effectively mitigate third-party risks.
Today, it’s common practice for risk management teams to assess a third party’s risk controls by evaluating responses to a Standardized Information Gathering (SIG) questionnaire. Unfortunately, these vendor security assessments based on SIG answers may give the organization false confidence in a vendor’s actual security posture.
Additionally, onboarding processes that are usually automated for employees are often highly manual for third-party users. These manual processes are time-consuming, costly, difficult to audit, and most importantly, error-prone — expanding the potential for additional risk associated with third-party users.
Another area of risk is the overlapping ownership of third-party identity risk management. The Chief Risk Officer (CRO) or Chief Information Security Officer (CISO) is usually responsible for identifying, monitoring, and mitigating internal and external risks. In practice, third-party identities are often loosely managed via ad hoc processes, sometimes involving a collection of spreadsheets, databases, and tools. Many CRO/CISOs share the burden of managing these identities with other cross-functional teams and stakeholders that are not well equipped to manage risk, such as:
- Human Resources: Centralized and focused on managing full-time employees
- Procurement: Focused on managing contracts
- IT: Focused on managing technology assets and access to those assets
As a result, there is no centralized view of the relationship that the organization has with the third-party user and no automated processes around managing key lifecycle processes, especially timely terminations.
Minimizing Third-Party Risk
As manufacturing organizations increasingly grant access to facilities, data, and systems to an ever-expanding number of third-party users, and manage these users across multiple departments, it becomes imperative to prove these third parties are, in fact, who they claim to be. To help mitigate the risks third parties can present in their supply chains, manufacturers must improve the granularity, transparency, consistency, and agility of their third-party risk management effort. In particular, manufacturers can’t overlook the safety and IP protection concerns related to granting third parties access to facilities.
Following are some steps to take:
Know Your Insiders: According to a 2018 Ponemon Institute supply chain study, most organizations don’t know their exact number of third-party users, and only a third of organizations had a list of all third parties with whom they share sensitive information.
Audit Those with Access: Manufacturers should conduct regular comprehensive user audits to ensure that users have access based on the least privilege, meaning the appropriate privileges for the appropriate resources at that specific point in time. It is also important to search for and remove orphaned accounts.
Conduct Risk Ratings and Adjust Privileges Appropriately: While you may have carefully vetted a trucking organization, each employee of the trucking organization comes with their own set of personal risks and should not automatically be granted access. Risk rating should be a continuous process as risk factors, individual characteristics, and access needs evolve.
In addition, identity-proofing specific capabilities can further verify and authenticate the individuals or things accessing company data. Sophisticated solutions can enable IGA, PAM, and other Access Management solutions to trust the identity and fill in existing gaps in multi-factor authentication and other step-up authentication methods.
More than half of all data breaches can be traced to third parties, according to a Ponemon Institute study. Without proper identity access and management procedures for third-party users in place, entire supply chains are vulnerable to attacks. With the proper identity-proofing practices and capabilities, manufacturers can easily and cost-effectively verify the identities of their users, support risk management initiatives and better protect critical assets.
About the Author
With nearly two decades of experience in application, network and data security, David Pignolet founded SecZetta in 2006, putting together a highly experienced team and securing strategic partnerships to address a growing need for better IT security and identity and access management in the market.
As a successful entrepreneur, David has founded two IT management and security companies working with medium and large enterprises in healthcare, finance and retail. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.