Third-party risk must be better managed to reduce a range of risks facing South African organisations.
This emerged during a recent webinar hosted by the Cybersecurity Special Interest Group (SIGCyber) of the Institute of Information Technology Professionals South Africa (IITPSA), where SIGCyber committee members who are experts in cybersecurity and risk management emphasised the importance of third-party risk management (TPRM) to mitigate both cyber risk and many broader business risks.
“You’re only as strong as the weakest link in your supply chain,” says Andrew Henwood. “Recent exploits have illustrated this. It’s far easier to perpetrate attacks against a less secure critical supplier of, say, a large bank than to attempt to breach the bank itself. TPRM is all about making sure third parties such as vendors, suppliers, partners, and managed service providers are not the biggest risk exposing you as an organisation. If third parties touch your sensitive information or infrastructure, they all need to be considered in your risk management strategy.”
Richard Frost adds: “There is a tendency to consider only third-party cybersecurity risk; however, TPRM should go further. For example, it needs to monitor the performance of those third parties and ensure that you are granting them access to only that part of your environment that they require – no more and no less.”
Panellist Dr Mafuwafuwane says: “In today’s interconnected environment, managing third-party risk is no longer optional – it’s essential. Everyone has to be doing it, regardless of the size of the business. TPRM has not enjoyed enough attention in South Africa. It’s about identifying and managing risk – this doesn’t just apply to cybersecurity, but also to areas like reputational, legal, and financial risk throughout the vendor life cycle, with comprehensive onboarding, offboarding, and management of vendors and partners. People who have access to our data should be a high priority – because most of the data breaches we see today are due to third parties who had access to data.”
The panellists agree that organisations need to move away from traditional TPRM approaches that rely on simple questionnaires sent out just once a year.
Henwood says: “TPRM has involved sending out an Excel spreadsheet or Word document with a lot of questions pulled from an open infosec standard. There is a place for this approach, and it can help define how you expect your third parties to operate. But unfortunately, suppliers may just tell you what you want to hear in order to retain your business – for example, it is unlikely that a supplier will admit, in answering one of these questions, that they actually don’t patch their systems regularly.”
Frost adds: “They may laboriously and honestly fill in a 300-page form, but environments change. So being compliant today doesn’t mean they are compliant in a year’s time.”
And Dr Mafuwafuwane says: “We advise people to move away from spreadsheets where possible. Instead, they should look at tools to automate these processes and use performance monitoring. We also recommend categorising suppliers by the level of risk associated with them.”
Dr Mafuwafuwane says a proper Zero Trust strategy – together with identifying, classifying, and masking data – could be used to better protect the data that third parties have access to.
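The two ideas above, granting a third party only the fields it needs (Frost) and classifying and masking what it does receive (Dr Mafuwafuwane), fit together naturally in a data-release step. The following Python is an added example, not code from the webinar or the IITPSA; the classification tiers, the field inventory, the vendor scope definition and the sample customer record are all constructed for illustration. It classifies each field (inventory entry, with pattern detection as a floor so a mis-labelled column still fails closed), drops fields the vendor has no need for, and replaces anything above the vendor's clearance with a keyed, deterministic pseudonym so the vendor can still match records without seeing the real value.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Classification tiers (an assumption for this example; real programmes
# usually carry their own scheme).
PUBLIC, INTERNAL, RESTRICTED = "public", "internal", "restricted"
RANK = {PUBLIC: 0, INTERNAL: 1, RESTRICTED: 2}

# Constructed field inventory: the output of the "identify and classify" step.
FIELD_CLASS = {
    "account_id": INTERNAL,
    "customer_name": RESTRICTED,
    "id_number": RESTRICTED,
    "email": RESTRICTED,
    "balance": RESTRICTED,
    "branch_code": PUBLIC,
}

# Values that look like a 13-digit SA ID number or an e-mail address are
# treated as restricted even if the inventory says otherwise: the inventory
# is a floor, not a ceiling, so a mis-labelled column cannot leak in clear.
SENSITIVE_PATTERNS = (
    re.compile(r"^\d{13}$"),
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
)


@dataclass(frozen=True)
class VendorScope:
    """Access granted to one third party (hypothetical structure): the fields
    it needs at all, and the highest classification it may receive unmasked."""
    name: str
    fields_needed: frozenset
    max_clear: str  # PUBLIC, INTERNAL or RESTRICTED


def classify(field, value):
    """Classification of a value: the higher of the inventory entry and
    pattern detection. Fields missing from the inventory fail closed."""
    declared = FIELD_CLASS.get(field, RESTRICTED)
    looks_sensitive = any(p.match(str(value)) for p in SENSITIVE_PATTERNS)
    detected = RESTRICTED if looks_sensitive else PUBLIC
    return max(declared, detected, key=RANK.get)


def tokenise(value, key):
    """Deterministic pseudonym: same input -> same token, so the vendor can
    join records, but the real value is not recoverable without `key`."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def prepare_for_vendor(record, scope, key):
    """Return the minimal view of `record` for `scope`: fields the vendor does
    not need are dropped; fields above scope.max_clear are tokenised."""
    view = {}
    for field, value in record.items():
        if field not in scope.fields_needed:
            continue  # least privilege: not needed, not sent
        level = classify(field, value)
        if RANK[level] <= RANK[scope.max_clear]:
            view[field] = value
        else:
            view[field] = tokenise(value, key)
    return view


if __name__ == "__main__":
    # Constructed demo key and record; in production the key lives in a
    # secrets store and is rotated per vendor relationship.
    KEY = b"constructed-demo-key"
    record = {
        "account_id": "ACC-0001",
        "customer_name": "Thandi Nkosi",
        "id_number": "9001015800087",
        "email": "thandi@example.com",
        "balance": "1500.00",
        "branch_code": "BR-0123",
    }
    printer = VendorScope(
        "statement-printer",
        frozenset({"account_id", "customer_name", "balance", "branch_code"}),
        INTERNAL,
    )
    print(prepare_for_vendor(record, printer, KEY))
```

The vendor in the demo never receives the ID number or e-mail address at all, and sees the name and balance only as tokens; the same record prepared for a second vendor with a different scope yields a different view, which is what makes the access reviewable per third party rather than per dataset.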
Notes Henwood: “There are a number of tools to do outside-in validation and monitoring, such as technology that makes use of open-source threat intelligence to give you a ‘hacker perspective’ of external vulnerabilities – and these tools can operate on an almost continual basis.”
Frost queries: “At what point does the cost of compliance outweigh the revenue a third-party agreement would bring into a supplier? How can large organisations ensure that suppliers are risk averse without financially burdening them?”
Henwood says: “Anyone doing business in the modern age, where you’re handling sensitive data, has an obligation to be secure and compliant.
“What’s encouraging is that the larger corporates have implemented TPRM programmes and their obligations for the smaller organisations aren’t always excessive. They require bare minimum measures all organisations should be implementing to be inherently secure.
“If organisations get the basics right and run these basic assessments, they can start understanding what they have exposed to the Internet,” Henwood says. “For example, a simple 20-minute assessment can expose your entire external footprint, exposed servers, and open ports. You need to bring your own house in order. Of course, addressing the human element, every organisation also needs ongoing cybersecurity awareness and training programmes.”