Amid the ongoing global turmoil and economic uncertainty, a primary concern is the growing risk of cyberattacks. To any organization already coping with a pandemic-ravaged economy and inflation woes, a cyberattack or data breach can deal a major blow to business continuity.
It is heartening to note, though, that India's C-suite is taking these concerns seriously. A recent survey by a global business advisory firm found that 82% of the Indian C-suite executives surveyed expected their cybersecurity budgets to increase in 2022. The survey also notes that 41% of organizations in India expected double-digit growth in their cyber budgets in 2022, compared with 26% of organisations globally. These results suggest leaders are aware of the evolving risk landscape and are increasing their investment in cybersecurity. But do business leaders really know where, when and how these risks will emerge? Probably not.
For example, the same survey reveals that more than 50% of Indian C-suite executives do not understand the risks posed by their third parties. The few that do use formal, enterprise-wide assessments to gauge the risk of data breaches through third parties. For the rest, third-party risks will remain cloaked: blind spots that are hard to identify and harder to mitigate.
How do third-party collaborations make a business vulnerable?
Outsourcing as a strategy has spawned complex webs of third-party collaboration. Most companies work with third parties, such as vendors, partners, contractors and consultants, and all of them are an integral part of the business. Technology has made it easy to share data with many such companies, each carrying its own risk exposure. While rules exist to govern how that data is stored and managed, not every vendor has the capability to cover the organization's risk adequately. This is where exposure to third-party risk begins. An international survey by a US research firm found that 51% of businesses had suffered a data breach caused by a third party.
In one such breach in 2020, a nation-state actor inserted eavesdropping malware into an IT performance management product made by an Oklahoma software company and used by governments and major enterprises, so the malware reached those customers through software they had deliberately installed from a trusted vendor. The attackers also accessed users' customer data. Since it is no longer enough to secure internal assets, companies must ensure that any sanctioned third party with access to their network, or with software running inside it, does not become an unwitting conduit for malicious activity.
To assess and mitigate such risks, business leaders should adopt a Third-Party Risk Management (TPRM) approach: a full-lifecycle program that covers the entire engagement of every vendor within the organization, from onboarding to termination, across all functions.
Uncloaking hidden third-party risks using AI-enabled TPRM
Today, artificial intelligence (AI) tools can help leaders assess the risk associated with a vendor from existing data points: historical breach records, data leaks within the industry that are known or not yet publicly reported, the risk profile the vendor itself provides, how long it has been operating, and the tools and technology it uses to prevent a breach. Studied manually, these factors take a long time to gather and even longer to standardize against the company's risk appetite. With AI, the same insights can be derived much faster, allowing companies to manage third-party risk more effectively.
AI-enabled Third-Party Risk Management (TPRM) software gives C-suite decision-makers an integrated, real-time view of the extended enterprise, including third parties such as vendors, suppliers and contractors. It builds visibility into existing third-party and even potential fourth-party risk exposure by automating the end-to-end processes of information gathering, onboarding, real-time monitoring, risk, compliance and control assessments, and risk mitigation. An integrated approach helps organizations manage third-party risk better, building trust and confidence in third-party relationships and facilitating mutual growth.
There are a few considerations in developing a robust AI-driven TPRM framework that C-suite executives in India may find worthwhile. It should provide in-depth insight into the supply chain hierarchy, mapping each third party to the products, services and business units it supports and to the fourth and subsequent parties it relies on. It should classify third parties as critical or non-critical based on their access to critical organizational assets and their impact on margins and profitability. It should support clear and comprehensive vendor contracts that spell out the roles and responsibilities of third parties, including obligations that survive termination of the contract. It should conduct third-party due diligence and risk assessments to confirm that vendors are financially stable and operating in a secure and compliant manner. And it should monitor third-party risk in real time to detect changes in risk levels, identify new risks and verify the security posture of vendors, with the ability to extend to fourth, fifth and subsequent parties.
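The supply chain mapping and criticality classification described above can be made concrete with a small model. The following is an added example written for this article; it is not code from the author or from any TPRM product. All vendor and asset names are constructed, and the model assumes that a subcontractor inherits the exposure of the party above it in the chain (the data and access it is handed) in addition to anything it accesses directly.

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not real vendors).
# Each third party and the subcontractors (fourth and subsequent parties)
# it relies on to deliver its service.
SUBCONTRACTS = {
    "payroll-saas": ["cloud-host-a", "email-relay"],
    "cloud-host-a": ["colo-provider"],
    "marketing-agency": ["print-shop"],
    "msp-helpdesk": ["cloud-host-a", "remote-tool-vendor"],
}
# Organizational assets each party touches directly under its own engagement.
ACCESS = {
    "payroll-saas": {"employee-pii"},
    "msp-helpdesk": {"active-directory", "endpoints"},
    "marketing-agency": {"brand-assets"},
}
# Assets whose exposure makes a party critical (constructed for the example).
CRITICAL_ASSETS = {"employee-pii", "active-directory", "endpoints"}


def third_parties(subcontracts=SUBCONTRACTS, access=ACCESS):
    """Parties the organization contracts directly: anyone in the inventory
    who is not listed as somebody else's subcontractor."""
    downstream = {s for subs in subcontracts.values() for s in subs}
    return sorted((set(subcontracts) | set(access)) - downstream)


def map_chain(third_party, subcontracts=SUBCONTRACTS, access=ACCESS):
    """Walk the hierarchy below one third party.

    Returns {party: (depth, exposed_assets)} where depth 3 is the third
    party, 4 a fourth party, and so on. A subcontractor inherits the exposure
    of the party above it plus its own direct access (model assumption).
    Depth only ever decreases and exposure only ever grows, so the loop
    reaches a fixed point even if the inventory contains a cycle.
    """
    depth = {third_party: 3}
    exposed = {third_party: set(access.get(third_party, ()))}
    queue = deque([third_party])
    while queue:
        party = queue.popleft()
        for sub in subcontracts.get(party, ()):
            inherited = exposed[party] | set(access.get(sub, ()))
            new_depth = depth[party] + 1
            depth_changed = sub not in depth or new_depth < depth[sub]
            if depth_changed:
                depth[sub] = new_depth
            current = exposed.setdefault(sub, set())
            exposure_changed = not inherited <= current
            if exposure_changed:
                current.update(inherited)
            if depth_changed or exposure_changed:
                queue.append(sub)  # re-walk below it with the new picture
    return {p: (depth[p], frozenset(exposed[p])) for p in depth}


def classify(subcontracts=SUBCONTRACTS, access=ACCESS, critical=CRITICAL_ASSETS):
    """Merge every chain (a fourth party may serve several third parties)
    and tier each party as critical or non-critical according to whether
    any critical asset is exposed to it, directly or via the parties above."""
    merged = {}
    for tp in third_parties(subcontracts, access):
        for party, (d, assets) in map_chain(tp, subcontracts, access).items():
            d0, a0 = merged.get(party, (d, frozenset()))
            merged[party] = (min(d0, d), a0 | assets)
    return {
        party: {
            "depth": d,
            "tier": "critical" if assets & critical else "non-critical",
            "exposed": sorted(assets),
        }
        for party, (d, assets) in merged.items()
    }


if __name__ == "__main__":
    rows = sorted(classify().items(), key=lambda kv: (kv[1]["depth"], kv[0]))
    for party, info in rows:
        print(f"depth {info['depth']}  {party:<20} {info['tier']:<13} {info['exposed']}")
```

Running it shows why the mapping has to extend beyond the direct vendor: the hypothetical cloud-host-a is never contracted directly, yet it ends up exposed to employee PII, Active Directory and endpoints because two different third parties build on it, and the colo provider beneath it inherits the same exposure at the fifth-party level.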
India still has a long way to go in cybersecurity: in the survey mentioned earlier, 40% of C-suite executives had taken no substantial action to manage their third-party risk. These uncertain times and the resulting escalation in cyberattacks should act as a wake-up call for Indian businesses. Implementing a centralized, technology-based TPRM solution that streamlines and digitizes these processes is vital for companies today to uncloak and mitigate third-party risks.
Prasad Sabbineni is the Chief Technology Officer at MetricStream.