
by David Gee

Third-party risk management can learn a lot from the musk ox

Opinion
10 Sep 2024, 7 min read

By taking a ‘musk ox approach’ to protecting ourselves collectively, CISOs can help safeguard key third-party service providers they hold in common, thereby reducing business risks.

Image: A family of musk oxen grazing on Wrangel Island, Chukotka, in the Russian Far East. Credit: Aleksandr Kutskii / Shutterstock

Third-party risk management is a significant CISO challenge with deep business consequences. When a key third-party supplier succumbs to cyberattack, operations can grind to a halt.

In healthcare and financial services, third parties have been an attack vector of choice of late. And just this June, Russia’s APT29, aka Cozy Bear, compromised TeamViewer, a free remote access software offering that boasts 2.5 million users globally. Many businesses depend on it.

Even if you are not a TeamViewer customer, there is a long list of similar remote desktop tools (Perimeter81, ISL Online, AnyDesk, GoToMyPC, Splashtop, RemotePC, RealVNC, GoToResolve, LogMeIn, and so on), all of which raises the question: which third-party vendor will be next?

And perhaps more importantly, can you afford to find out?

Unfortunately, the numbers aren’t in our favor. Every enterprise over-relies on a multitude of third-party suppliers embedded in its software supply chain and business processes. These can run into the hundreds, even thousands, once the many SaaS vendors enterprises rely on every day are included in the definition.

Because of this, third-party risk is significant. And there are a number of factors beyond sheer volume. For example:

  • Limited transparency: Enterprises usually treat third-party reviews as a tick-the-box exercise, and the data on which assessments are based is often old and does not reflect the supplier’s current risk posture.
  • Complexity: Many of your third parties themselves have fourth-party suppliers you may not know about.
  • Immature processes: Many third parties have cybersecurity policies and standards that are less developed than your own.
  • Less investment: Third parties also often have more limited cybersecurity budgets, compared to your enterprise, resulting in reduced investment in securing their tools and services.

Traditional third-party risk solutions

Luckily, a range of best practices and playbooks have been developed to address this gap.

For example, every enterprise undertakes vendor assessments. These are usually paper-based exercises that end up wasting time: they rely on dated information, so they don’t really reduce risk. Contract negotiations are another way to impose stronger security requirements on third parties; however, this too has not been effective.

Some enterprises have adopted continuous monitoring to gain ongoing reporting on third-party security postures. And enterprises often implement third-party incident response plans to develop and practice strategies for responding to security incidents involving third parties.

These efforts have certainly helped but they don’t fully address the underlying nature of the risk. Instead, they offer means for monitoring and mitigating when the inevitable goes wrong.

The musk ox strategy

I have been a proud member of FS-ISAC, and have chaired its Strategic Committee in Asia Pacific along with fellow CISOs from financial services companies. This group is a great example of how we can work together to protect ourselves.

FS-ISAC, for Financial Services Information Sharing and Analysis Center, has an incredible network of financial institutions across the world that shares cyber intelligence with one another about impending and ongoing attacks. Given the breadth and depth of the enterprises represented, members are able to gain a perspective they can’t achieve alone.

Some FS-ISAC members have larger cyber intel groups at their disposal, or they can access intelligence from their respective government agencies. This is the essence of what I call the “musk ox strategy.”

In nature, when wolves attack musk oxen, the herd forms a circle with their horns facing out. This creates a formidable obstacle for wolves when trying to breach the combined defenses.

It is my belief that this same strategy can be applied to help secure third-party supplier management.

When a wolf attacks, musk oxen self-organize into their circle defense, ensuring that calves and weaker members of the herd are inside the circle and protected because they know wolves always focus on the weakest link.

The third-party suppliers we rely on are the weakest members of our herd. When they are impacted, so too are our collective critical business processes. A great example of this is when ION, a financial trading service, was hit by ransomware in 2023, creating a 4-week-long outage during which many large financial institutions were unable to process transactions.

Today, when wolves attack, and in the cybersecurity world they always do, we share intel and tell each other: “Hey, the wolves are coming, be wary and get your horns up.” But we don’t form a circle, nor do we put our weaker members into the center to protect them.

Instead, what if we, as a collective, had identified (in advance) that we share a common concern that ABC third party has weak cyber controls that require strengthening? And more importantly, what if we all agreed that we would help protect the partner?

This may require coordination and even renegotiation of contracts with a few of our cyber vendors, but the benefit is that our common weak links could be better protected, thus reducing our third-party risk and ensuring better prospects for business operations.

Theory in action

Such cooperation might raise concerns about collusion or anti-competitive behavior, and I’m sure there are lawyers who can weigh in here. But this musk ox approach has the potential to help enterprise herds manage shared critical suppliers.

A plan to do so might include:

  1. Determine which third-party suppliers you are most concerned about and form a “hot list.”
  2. Share cyber intel with other enterprises to find out which third-party “hot list” suppliers you have in common.
  3. Commence negotiating a joint shield for them.

This approach is what we have discussed in FS-ISAC Asia Pacific as a potential way forward. Steps 1 and 2 are fairly easy to get going, but step 3 requires much more coordination and effort — and it’s the step that makes all the difference.

There would be real benefits for cyber resilience in adopting a musk ox strategy. The key is to protect the vendors most critical to your group. A practical approach might involve the largest enterprises taking leadership and perhaps employing a “divide and conquer” approach, whereby each takes a set of smaller suppliers under its wing for protection on behalf of the group, while other enterprises do the same for another set.

Of course, when the bear attacks, musk oxen just run. There’s no protective circle and they recognize that everyone has to look after themselves.

The same is true in cybersecurity. The more formidable the foe, the more likely all bets are off and survival is the only option.

Today, we treat every attacker as a bear. But we don’t have to, because not every attacker is one. And while the musk ox strategy may not apply in every scenario, our collective business risk will benefit from making the distinction, circling the herd whenever possible, and ensuring our common weak links aren’t our herd’s common downfall.

David Gee is a contributing writer for the Foundry group of publications. He has more than 20 years of experience as CIO, CISO and Technology, Cyber & Data Risk Executive across the financial services and pharmaceutical industries. David has made the transition to Board Advisor, Non-Executive Director and Strategic IT Advisor. He has written extensively for IDG Australia across CIO, Computerworld and CSO over several years, and has just written a new book, The Aspiring CIO and CISO.
