Insider threats are ever-present and can be even more difficult to identify, assess, and manage when they come from third parties. Each organization’s security governance, risk, and compliance program must consider insider threats within its third-party risk management (TPRM) framework. This article will highlight practices and tools that IT and acquisition leaders can use to manage and control threats from third-party products and services.
Identify & Assess
Hopefully, your organization has completed the necessary basic assessments to identify and document the following key aspects of risk management. If not, MindPoint Group has the experts and automated tools to help, regardless of your type of business.
- Legal, regulatory, contractual, industry, and internal security requirements - including any applicable risk management framework (RMF), e.g., NIST 800-37 or ISO 27005, and distinguishing mandatory (must) from optional (should) requirements
- Systems - including ownership and control, security classification, physical location(s), data ownership and location(s), boundaries, interfaces, and lifecycle status, as well as identification of the systems deemed critical to your organization
- Assets - including hardware, software, peripherals, mobile devices, and sensitive data, as well as identification of the assets deemed of high value or critical to your organization
- Third-party products and services - inventory, evaluate for continuing need, perform extra “drill down” reviews listed below
- Risks – risk tolerance, high value assets/data, systems risks, supply chain, third party, disaster, insider threat, human error
- Controls – policies, procedures, processes, plans, automated tools, logging, audits, reporting, and other security controls to protect systems and assets from risks
- Vulnerabilities – known and potential vulnerabilities, scanning, penetration testing, intrusion detection, monitoring, patching, risk evaluation, mitigation, acceptance
- Capabilities – organization’s internal ability to meet security requirements, supplemented by external capabilities and services, including evaluation of legacy, custom, high-demand, or other capabilities that may be hard to replace
- Gaps – understanding of missing or insufficient capabilities, along with plan to address or mitigate the shortcoming(s) or accept the risk
Drill Down on Third Parties
To understand and address risks from third parties, use the categories and factors below (as applicable) to review the specific products/services that third parties provide to your organization.
- Agreements - expiration/renewal date, security requirements/controls, flow-downs of key requirements, performance location, ownership rights (including data), subcontractors, etc.
- Products - products supplied, versions, components and sources, lower-tier providers, licenses/sublicenses, warranty, maintenance, documentation, quality assurance, known vulnerabilities/risks, security controls, independent assessments/certifications
- Services - services provided and how, systems/software used, locations of systems and data (including backups), quality management, known vulnerabilities/risks, security controls, plans/processes/SOPs (including incident response and disaster recovery), documentation, independent assessments/certifications
- Personnel - roles, qualifications, verification of skills, background checks, citizenship, work location, security training, rules of behavior, access controls (incl. identity management), monitoring, removal/off-boarding
Where third parties merely access and use systems and assets that your organization owns and controls, such as fully integrated contractor personnel, your insider threat risks are easier to manage; but you still need to be sure your third-party contract or service agreement terms include necessary security requirements (e.g., notification of a security incident) and the means to enforce them.
At the other extreme, when you use (or provide) systems or services that a third party wholly operates and provides, your technical options for control and monitoring may be limited; but you can turn to contract or service agreement terms, reporting, auditing, independent assessments, or other tools to effectively address security requirements, controls, and enforcement mechanisms.
Commerce isn’t that simple, though, and many organizations use third parties in ways reflecting a variety of ownership, operation, and control models. Your organization-level assessments have told you “who” and “how” you use third parties for products or services. The next section will discuss ways to assess and protect against insider threats from third parties regardless of the nature and type of services or agreement.
Threats from Third-Party Insiders
Now we extend the insider threat risk analysis specifically to the third parties that support your organization.
Potential Targets - given the products and services provided by each third party:
- What information, systems, assets, or business functions are most likely to be threatened?
- If compromised, which could cause the most harm to the organization, its clients, the public?
- Do any third parties have authorized access to these potential targets?
- What controls are in place against improper use by those with authorized access?
- What controls are in place against unauthorized access by third parties?
Malicious vs. Negligent/Accidental Actors - in 2021, the Ponemon Institute surveyed 278 benchmarked organizations and found that each had suffered insider threat incidents over the year. While the survey didn’t distinguish the percentages attributed specifically to third parties, it identified the following insider threat incident types:
- Employee/contractor negligence - 56%; average annualized cost = $6.6M
- Criminal and malicious insider - 26%; average annualized cost = $4.1M
- Credential theft - 18%; average annualized cost = $4.6M
Given the products and services provided by each third party, consider:
How might third-party insiders fit into each category of threat actor?
- Negligent – e.g., an administrator who doesn’t change the default password on a router
- Malicious – e.g., a staffer who is angry over a poor review or lack of promotion
- Criminal – e.g., an insider who is offered a cut for introducing ransomware
What potential gain or objective might be the goal of a criminal insider? A malicious insider? (e.g., financial, national security risk, protest, secrecy, business disruption, embarrassment)
What inside information could facilitate an attack or exploitation of a vulnerability?
- Do any third parties have access to this information?
- If so, how is access controlled and monitored?
Do any third parties serve in roles or have access that heighten the risk of insider threat or harm? (e.g., IT staff, management, finance, HR, security, facilities)
How else might a third-party insider pose a risk of harm?
Prevention and Detection
When conducted properly, the reviews described above will provide the information you need to (1) focus on potential risks from third-party insider threats, (2) consider how well existing agreements and controls address these risks, and (3) determine what additional steps may be required or prudent to improve security controls over these threats. These may include:
- Updating third-party contracts/service agreements to include necessary security requirements, controls, and reporting
- Implementing new or changed access controls for third parties
- Performing or requiring vulnerability scanning and/or penetration testing of third-party systems
- Monitoring/detection, e.g., using data models and behavioral analysis to configure automated alerts for malicious or careless activities
- Requiring security awareness training and agreement to follow security rules of behavior
- Creating easy ways for the organization’s workforce to submit tips or concerns regarding suspicious behavior
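The monitoring item above can be made concrete by checking third-party account activity against the agreement inventory gathered in the "Drill Down on Third Parties" section: agreement expiration dates, authorized systems, approved working hours, and accounts that should have been removed at off-boarding. The following is an added example written for this article, not code from the original page or from MindPoint Group. Every vendor name, hostname, account, and log line is constructed for illustration, and the `Agreement` record and `evaluate` function are hypothetical names chosen here.

```python
"""
Added example (not from the original article or MindPoint Group): a small
rule-based check that compares third-party account activity against the
agreement inventory described in the "Drill Down on Third Parties" section.
All vendor names, hostnames, accounts and log lines below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, date


@dataclass
class Agreement:
    vendor: str
    expires: date                      # agreement expiration/renewal date
    systems: set                       # systems the vendor is authorized to access
    hours: tuple = (8, 18)             # approved working window, local hours [start, end)
    offboarded: set = field(default_factory=set)  # accounts removed at off-boarding


# Constructed third-party inventory (hypothetical vendors and systems).
AGREEMENTS = {
    "acme-msp": Agreement("acme-msp", date(2024, 12, 31), {"fw-edge-01", "sw-core-01"}),
    "payroll-svc": Agreement("payroll-svc", date(2023, 6, 30), {"hr-db-01"},
                             offboarded={"jdoe"}),
}

# Constructed access-log lines: timestamp, vendor, account, target system, action.
SAMPLE_LOG = """\
2024-03-04T09:15:00 acme-msp tlee fw-edge-01 config-change
2024-03-04T02:40:00 acme-msp tlee sw-core-01 login
2024-03-04T10:05:00 acme-msp tlee hr-db-01 read
2024-03-05T11:00:00 payroll-svc jdoe hr-db-01 read
2024-03-05T11:30:00 payroll-svc mkim hr-db-01 export
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, vendor, account, system, action = line.split()
    return datetime.fromisoformat(ts), vendor, account, system, action


def evaluate(log_text, agreements):
    """Return (vendor, account, rule) tuples for activity outside the agreement.

    Rules map directly to inventory items from the article: agreement
    expiration, authorized systems, approved hours, and off-boarded accounts.
    """
    alerts = []
    for line in log_text.splitlines():
        when, vendor, account, system, action = parse_line(line)
        agr = agreements.get(vendor)
        if agr is None:
            # Activity from a vendor with no agreement on file is itself a gap.
            alerts.append((vendor, account, "unknown-vendor"))
            continue
        if account in agr.offboarded:
            alerts.append((vendor, account, "offboarded-account-active"))
        if when.date() > agr.expires:
            alerts.append((vendor, account, "agreement-expired"))
        if system not in agr.systems:
            alerts.append((vendor, account, "out-of-scope-system"))
        if not (agr.hours[0] <= when.hour < agr.hours[1]):
            alerts.append((vendor, account, "off-hours-activity"))
    return alerts


if __name__ == "__main__":
    for vendor, account, rule in evaluate(SAMPLE_LOG, AGREEMENTS):
        print(f"{vendor:12} {account:8} {rule}")
```

Run against the constructed log, the check raises one off-hours alert and one out-of-scope alert for the managed service provider, and flags the payroll vendor twice for an expired agreement plus once for an account that should have been removed at off-boarding. In practice the agreement records would be loaded from the same inventory the TPRM reviews maintain, so that a renewal, a scope change, or an off-boarding updates the detection rules without anyone editing code.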
Sometimes these steps are difficult, but simple protections can also have a large impact. For example, if all third-party personnel must complete security awareness training and agree to follow security rules of behavior, the risk of unauthorized use may be avoided or at least mitigated if your company’s sensitive information is accidentally left on a copier or printer at the third party’s facility.
As the Ponemon Institute’s 2021 insider threat survey showed, the likelihood of an organization suffering some type of insider threat incident each year is very high, and, as with any security incident, your organization’s response plan and readiness to execute it are the key to identifying, controlling, and recovering from the incident.
The assessments above will help you identify where and how you need to integrate third parties into your incident response and management program. Depending on the third-party products, services, and method(s) for providing them to your organization, this may entail:
- Integration of third-party roles or staff into your organization’s incident response plans, teams, tabletop/simulation exercises, and oversight structure
- Review, approval, and monitoring (or at least awareness) of the third party’s internal risk management and incident response plans and processes
- New requirements and channels for reporting insider threats and incidents
What to do next
Use of third parties for products or services means less control and the potential for more insider threat risk, but with careful assessment and analysis of your unique organization, MPG can guide you through implementation of effective insider threat protections within your organization’s risk management plan.