Beyond the Third Party: Mastering Strategies to Tackle Fourth-Party Cyber Risks

Harish Kumar
GS, Head of Sales, India and SAARC
Check Point Software Technologies

Cyber risks, that is, the potential for an organization to suffer loss or damage from cyber attacks, data breaches, or other cyber-related incidents, have increasingly captured the attention of business leaders, because they represent significant operational challenges that can cause severe financial losses and irreparable harm to an organization’s reputation. Such threats have never been closer than they are today: according to the Check Point Threat Intelligence Report, an organization in India was attacked on average 3304 times per week over the last 6 months, compared with 1854 attacks per organization globally.

Among cyber risks, third-party or supply chain risks are among the most challenging areas, because heavy and unavoidable reliance on third parties such as cloud and SaaS providers is a reality of today’s IT and security operations. Organizations’ sensitive and proprietary data is transmitted, processed, and stored in third parties’ computing environments. But when those third parties in turn engage other external parties (i.e., fourth parties) to support their operations and handle your organization’s data, how well do they protect it?


Figure 1: Fourth-Party Relationships in Supply Chain Management 

How to identify fourth-party risks?

Since many fourth parties may be involved in the supply chain, identifying who handles your organization’s sensitive information behind the scenes is the most important first step. The robust vendor due diligence requirements in cyber security laws and guidelines for highly regulated sectors such as banking, insurance, and health care may already have required risk managers to request fourth-party information from third parties. Where the contract stipulates such disclosure, collecting the information is straightforward. But what else can organizations do when there is no such clause in already-signed contracts, and unwilling vendors push back on or ignore requests for the information?

External attack surface management (EASM) identifies potential vulnerabilities and security gaps in an organization’s public-facing digital attack surface, including the SaaS providers that the organization is “linked” to as third parties and fourth parties. EASM is often delivered as a SaaS solution that presents scan results in a dashboard; it typically needs no connection into the organization’s environment and runs its scans from minimal seed information such as the organization’s domain names. It works to identify publicly accessible IT assets and any vulnerabilities that might exist within them. One of the most powerful capabilities of EASM tools is their ability to discover internet-facing IT assets that the organization may not even know about, including those belonging to third parties and fourth parties. These AI-powered EASM tools constantly survey and scan the organization’s digital surface, identify new assets as they appear, and report the vulnerabilities, threats, and risks via the dashboard.


Figure 2: A sample dashboard from an EASM tool  

How to manage fourth-party risks? 

To manage fourth-party risks, organizations can ask third parties to explain the mechanisms they use to monitor the security controls of their fourth parties, including how and when the organization will be notified of security incidents that may affect its operations and data. This is also a good opportunity to review the third parties’ SLAs for security incident notification and determine whether the timeframe aligns with your company’s disaster recovery and business continuity policies and regulatory requirements.

As part of effective continuous monitoring of third parties, likely through the use of a commercial-grade security scoring tool, your organization should include high-risk fourth parties and monitor their security scores. You should also be proactively made aware of fourth parties’ direct breaches, and even downtime, that could cause outages or financial loss to your business. Additionally, with an EASM tool, continuous or regular scans can be performed to uncover vulnerabilities and misconfigurations at third and fourth parties, giving vendors a basis for timely remediation.

What can be done to reduce your third parties’ concentration risk?

Suppose several of your third parties rely heavily on one common vendor (i.e., a fourth party) to deliver their services to your organization. In that case, you may not feel entirely comfortable with the risk of a single point of failure. Concentration risk can mean over-reliance on a single company to deliver critical services, or on resources from a region that has been affected by recent civil unrest or war. Your organization should raise this concern and discuss the concentration risk with its third parties. In larger third parties, the risk management department has often already considered concentration risk and may have data to quantify it and plans to reduce it.
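The single-point-of-failure question above is easier to answer once the vendor inventory is written down as a dependency graph. The following added example (not from the article or from Check Point) walks a constructed, hypothetical inventory of critical services, third parties and their disclosed fourth parties, and lists the upstream parties on which two or more critical services transitively depend.

```python
"""Fourth-party concentration check over a vendor dependency graph.
Added example with constructed, hypothetical vendor names."""
from collections import defaultdict

# Constructed sample inventory: critical service -> third party delivering it.
SERVICES = {
    "payments": "PayCo",
    "payroll": "HRCloud",
    "customer-portal": "WebHost",
    "analytics": "DataVendor",
}
# Third party -> parties it depends on (as disclosed by the vendor or found
# through EASM). A fourth party may itself depend on further parties.
DEPENDENCIES = {
    "PayCo": ["CloudRegionA", "AuthSaaS"],
    "HRCloud": ["CloudRegionA"],
    "WebHost": ["CDNProvider", "AuthSaaS"],
    "DataVendor": ["CloudRegionA", "CDNProvider"],
    "AuthSaaS": ["CloudRegionA"],
}

def upstream_parties(vendor, deps):
    """Every party that `vendor` transitively depends on (excluding itself)."""
    seen, stack = set(), list(deps.get(vendor, []))
    while stack:
        party = stack.pop()
        if party not in seen:
            seen.add(party)
            stack.extend(deps.get(party, []))
    return seen

def concentration(services, deps):
    """Map each upstream party to the critical services that rest on it."""
    exposure = defaultdict(set)
    for service, third_party in services.items():
        for party in upstream_parties(third_party, deps):
            exposure[party].add(service)
    return dict(exposure)

def single_points_of_failure(services, deps, threshold=2):
    """Upstream parties whose outage would hit >= threshold critical
    services, ordered by number of services affected, then by name."""
    exposure = concentration(services, deps)
    hits = [(p, sorted(s)) for p, s in exposure.items() if len(s) >= threshold]
    return sorted(hits, key=lambda hit: (-len(hit[1]), hit[0]))

if __name__ == "__main__":
    for party, svcs in single_points_of_failure(SERVICES, DEPENDENCIES):
        print(f"{party}: {len(svcs)} critical services -> {', '.join(svcs)}")
```

The same structure works for region-based concentration: add a synthetic node per region (for example "Region-X") as a dependency of every vendor hosted there, and it will surface in the same report.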

Who in your organization should monitor the fourth parties and their risk?

Managing third-party, fourth-party, and supply-chain risks usually requires cross-departmental efforts. The organization’s procurement and third-party vendor management departments may be centrally responsible for onboarding vendors and completing initial and continuous due diligence. However, in many cases, the direct interaction with the third parties—receiving the services, determining the service levels, and knowing who the fourth parties are—is done by the IT and application owners, who are decentralized from the enterprise-level departments.

IT and application owners are the very people whom front-end users of the applications or tools will contact in case of system outages, glitches, and security incidents, and they may have collected such service and security data over time. Disconnects between the enterprise-level departments and the front-line owners who deal with third-party relationships first-hand often arise when actual service levels are not communicated, or not communicated in time. This is particularly acute when no enterprise-wide procurement, third-party vendor, or supply chain management platform is in place.

To improve communication, organizations should mandate an annual update of third- and fourth-party information to the platform, preferably aligning with the timeline to review SLAs and renew contracts. Such a platform should ideally be able to integrate with a service that provides vendors’ security scores, displaying all the pertinent information in a single pane of glass. A RACI chart should also be created to detail the roles and responsibilities of the “centralized” and “decentralized” stakeholders.

A multifaceted approach is needed to manage supply chain risks: an effective vendor risk management program, a commercial-grade vendor management platform, an EASM tool, and enhanced contractual agreements that include fourth-party disclosure. It is also clear that only by bringing people, processes, and technologies together thoughtfully and coherently can fourth-party risks be managed effectively.

Harish Kumar is GS, Head of Sales, India and SAARC at Check Point Software Technologies.
