Third-party risk management (TPRM) programs need constant updating and assessment to be truly effective against the threat landscapes facing high-risk industries. Businesses continue to underestimate the importance of managing their third- and fourth-party relationships, and the added risk that poses to their bottom line and their business continuity plans can't be overstated.
Everything from third-party software security risks to due diligence and continuous monitoring must be assessed and evaluated in conjunction with emerging vendor risk trends to develop a TPRM program that adequately addresses your enterprise's needs. We understand that your business operations take precedence over monitoring the shifting sands of risk management trends, so we've taken the liberty of compiling a list of what we feel will be the vendor risk trends leading the way in the near term.
Probably the biggest trend we foresee continuing to expand is the blending of physical and logical risk assessments of vendors and suppliers. It's no surprise that businesses are streamlining their third-party vendor risk assessment processes, and the physical risks facing your vendors are no less damaging to your organization than a data breach should the worst happen. As we have always recommended, having your IT staff work hand in hand with your vendor risk management personnel is one of the best ways to ensure that all threat vectors are being assessed properly.
Top Risk Management Trends
Rising Incidences of Vendor Data Breaches
This has been trending higher for quite some time, and we see no signs that there will be a reversal of the trend any time soon. Not only have vendors and suppliers increasingly been the targets of data breaches, but these attacks have also been increasing significantly in complexity. Take SolarWinds, for example: Microsoft originally estimated that designing the attack would have taken approximately 1,000 engineers. Although it was later determined that the attack was executed through less difficult means, the trend is continuing to head in this direction.
Research has shown that third and fourth parties are responsible for nearly 60% of all security issues, and for that reason, 60% of organizations plan on implementing third-party risk assessments as a component of their contracting procedures and even potential partnership agreements. What is even more worrisome is that businesses no longer need to be directly targeted by cyber attackers as frequently: there has been a 300% increase in supply chain attacks at varying distances from the victim.
The Ponemon Institute conducted research that revealed that an average organization shared sensitive data with 583 third parties. Of those surveyed, only 34% actually kept a list of those third parties with access to their sensitive information, and just 35% rated their third-party risk management program as highly effective. Those numbers explain why we see such a high rate of successful cyber attacks.
With the continuously rising threat of data breaches across the board, it seems that there will be a strong backlash from regulatory oversight. It's estimated that, by 2024, potentially 75% of the world population will be under at least one form of data privacy regulation. Data privacy laws are being heavily debated in a large number of regions, and this patchwork approach to privacy regulations has the potential to create a quagmire for international corporations to navigate when it comes to data privacy and security.
Environmental, Social, and Governance Importance
Assessing the social responsibility, environmental impact, and corporate governance procedures of your third-party vendors will become even more critical. Reputational risk continues to rise in importance, and your vendors and suppliers must place an equal amount of weight on ESG to avoid a negative impact on your organization. 2021 saw the European Union pass regulations requiring enterprises to evaluate not just their own ESG impact but that of their entire value chain when it comes to environmental and human rights impacts.
Cybersecurity Continues to Take Center Stage
As we mentioned above, data breach rates continue to rise steeply, as do supply chain attacks. Cyber supply chain risk management is coming to the forefront as a way to approach supply chain risks more holistically. Everything from counterfeiting to theft, poor production practices, and malicious software insertion must be considered, and to do so, corporations must take their cybersecurity approach much more seriously than the standard security questionnaire. To that end, NIST has developed and released its list of best practices to better protect your entire supply chain from an array of cyber risks.
All of these vendor risk trends only continue to broaden the threat landscape. Leveraging automation in your TPRM programs allows you to free risk management personnel from mundane tasks and reassign them to some of the more challenging aspects of your program. In fact, Forrester has predicted that 25% of all remote work personnel will be directly supported by artificial intelligence in some aspect of their duties in the near future. The applications of AI that will deliver the most value for your investment are machine learning, to sharpen the strategic aspects of your TPRM programs, and robotic process automation, to reduce their repetitive workloads.
Continuing Increases in Zero-Day Exploits
Across the years 2021 and 2022, approximately 136 zero-day attacks were launched with varying levels of success. The MOVEit attack in July of 2023 compromised the personal data of nearly 15 million people and touched 122 different enterprises. The frequency of zero-day exploits is concerning, and if attackers continue to find success in that realm, it reveals a glaring hole in the cybersecurity of many organizations. Zero-day attacks are best addressed by using zero-trust architecture, which we will discuss next.
Zero Trust Architecture
Since we just mentioned automation trends and zero-day attacks, it's the perfect time to bring up yet another cybersecurity trend that can itself benefit from automation. Zero trust policies are something that we have recommended many times before, and it's not just us who think you should be putting them in place. An IDG survey revealed that in 2022, 52% of businesses planned to pilot or at least research zero trust technology; that's in addition to enterprises that had already deployed zero trust features.
The increased supply chain threats and greater complexity of cyber attacks make zero trust even more essential than ever before. It's naïve at this point to think that there is a perimeter within which you can trust everyone with access. Even without the overly broad landscape created by remote and hybrid workforces, a quick review of some of the most devastating cyber attacks in recent history would reveal that the vast majority of them were the result of compromised vendors or insiders. If that's the nature of the threat you are facing, how can you, in good conscience, apply blanket trust within any perimeter at all?
Thankfully, you are most likely already applying some zero-trust procedures without even realizing it. Policies related to the principles of least access, network segmentation, authentication guidelines, and more are all zero-trust policies, and if you add in some real-time behavior analytics and monitoring, you will be well on your way to a robust cybersecurity posture.
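To make the point concrete, here is an added example (not code from the original article or from Venture Lynk) of how the policies named above combine into a single per-request zero trust decision. The segment routes, resources, roles, and the `RATE_THRESHOLD` value are constructed for this example; any real deployment would source them from its own inventory and identity systems.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed policy data for this example (not from the article).
# Network segmentation: which source segments may reach which resource segments.
SEGMENT_ROUTES = {
    ("corp-lan", "corp-apps"),
    ("corp-lan", "finance-apps"),
    ("vendor-dmz", "vendor-portal"),
    ("vendor-dmz", "corp-apps"),
}

# Per-resource requirements: hosting segment, roles allowed (least access), MFA.
RESOURCES = {
    "payroll-db": {"segment": "finance-apps", "roles": {"finance"}, "mfa": True},
    "wiki": {"segment": "corp-apps", "roles": {"finance", "engineering", "vendor"}, "mfa": False},
    "vendor-portal": {"segment": "vendor-portal", "roles": {"vendor"}, "mfa": True},
}

# Requests per user in one evaluation window above which re-authentication is demanded.
RATE_THRESHOLD = 5


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa: bool              # did this session complete multi-factor authentication?
    device_managed: bool   # is the device enrolled and compliant?
    source_segment: str    # network segment the request originates from
    resource: str
    country: str           # geolocation of the request


class ZeroTrustEngine:
    """Evaluate every request on its own merits; no segment is trusted by default."""

    def __init__(self, usual_country: dict[str, str]):
        self.usual_country = usual_country      # per-user behavioural baseline
        self.requests_seen = defaultdict(int)   # per-user request counter

    def decide(self, req: Request) -> tuple[str, list[str]]:
        """Return ('allow' | 'deny' | 'step-up', reasons)."""
        res = RESOURCES.get(req.resource)
        if res is None:
            return "deny", ["unknown resource"]

        reasons = []
        if (req.source_segment, res["segment"]) not in SEGMENT_ROUTES:
            reasons.append(f"segmentation: {req.source_segment} may not reach {res['segment']}")
        if req.role not in res["roles"]:
            reasons.append(f"least access: role {req.role} not permitted on {req.resource}")
        if res["mfa"] and not req.mfa:
            reasons.append("authentication: MFA required for this resource")
        if not req.device_managed:
            reasons.append("device posture: unmanaged device")
        if reasons:
            return "deny", reasons

        # Behavioural checks: the hard rules passed, but does this look like the user?
        self.requests_seen[req.user] += 1
        baseline = self.usual_country.get(req.user)
        if baseline is not None and req.country != baseline:
            return "step-up", [f"behaviour: request from {req.country}, baseline is {baseline}"]
        if self.requests_seen[req.user] > RATE_THRESHOLD:
            return "step-up", ["behaviour: request rate above threshold"]
        return "allow", []


if __name__ == "__main__":
    engine = ZeroTrustEngine({"alice": "US", "bob": "DE"})
    for r in (
        Request("alice", "finance", True, True, "corp-lan", "payroll-db", "US"),
        Request("vendor1", "vendor", True, True, "vendor-dmz", "payroll-db", "US"),
        Request("alice", "finance", True, True, "corp-lan", "payroll-db", "BR"),
    ):
        print(r.user, r.resource, engine.decide(r))
```

Every check is evaluated for every request regardless of where it originates, which is the defining difference from a perimeter model; the behavioural checks return a step-up rather than a deny so that a legitimate traveller is challenged, not locked out.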
Expanding Beyond the Third Parties
We've already talked about fourth-party concerns in a few modern trends, but there is a belief in some circles that regulators may be developing an appetite for defining supply chain risk all the way out to sixth parties. While that is likely some distance into the future, risk tolerance and analysis encompassing your fourth parties will quickly become run-of-the-mill. The best way to accomplish this is by ensuring that your vendors and suppliers maintain some form of control over their third parties and that they value the same security and risk management standards that you do. With Panorays research revealing that 43% of the 100 IT security professionals surveyed reported an insufficient view of their fourth parties, it's clear that we have a long way to go.
Cross-discipline Approach to Risk Management
The siloed approach to enterprise risk management is all but dead, or it should be. The breadth of operational, reputational, third-party vendor, and cybersecurity risks facing businesses today makes it crystal clear that a multidisciplinary approach must be taken when it comes to conducting risk assessments, due diligence, and continuous monitoring tasks. Procurement, contracting, risk management, and IT security, at a minimum, should be taking a team-based approach to these topics.
Focus on Continuity Planning and Resilience
There is no end to the potential threats facing your supply chain. Geopolitical events, environmental concerns, and economic uncertainty all play different roles in different regions of the world. If your supply chain isn't properly protected, you could be caught up in any number of these events. One method of securing your supply chain that we have previously talked about is nearshoring, which is the process of bringing your suppliers as close as possible to the region in which the majority of your business operates and where you are more familiar with the challenges they may face.
Another potential option for consideration is vendor segmentation and contingency planning. By separating your vendors into categories that rank their essentiality to your operations, you can tailor your monitoring activities based on the value to your organization and the corresponding level of risk that each category of vendor poses. It also allows you to evaluate potential replacements for vendors that pose more risk than you are willing to accept where other options are available.
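The segmentation described above, as an added example that is not code from the article or from Venture Lynk: vendors are scored on the factors a TPRM team typically weighs (data sensitivity, network access, operational criticality, single-source dependency), tiered, mapped to a monitoring cadence, and flagged for replacement review when their residual risk exceeds the organization's appetite and a substitute exists. The weights, tier thresholds, cadences, and the sample vendors are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


# Days between monitoring touchpoints per tier (constructed values for this example).
MONITORING_CADENCE_DAYS = {Tier.CRITICAL: 30, Tier.HIGH: 90, Tier.MEDIUM: 180, Tier.LOW: 365}


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_sensitive_data: bool   # PII, PHI, financial records, source code
    has_network_access: bool       # VPN, API credentials, privileged accounts
    operational_criticality: int   # 1 (nice to have) .. 5 (outage halts operations)
    alternatives_available: int    # qualified substitute vendors known to procurement
    assessment_score: int          # 0..100 from the latest assessment; higher is better


def inherent_risk(v: Vendor) -> int:
    """Risk the relationship carries before any of the vendor's controls are credited (0..19)."""
    score = v.operational_criticality * 2
    if v.handles_sensitive_data:
        score += 4
    if v.has_network_access:
        score += 3
    if v.alternatives_available == 0:
        score += 2   # single-source dependency: no fallback if the vendor fails
    return score


def assign_tier(v: Vendor) -> Tier:
    """Tier thresholds are constructed for this example."""
    r = inherent_risk(v)
    if r >= 14:
        return Tier.CRITICAL
    if r >= 9:
        return Tier.HIGH
    if r >= 5:
        return Tier.MEDIUM
    return Tier.LOW


def residual_risk(v: Vendor) -> float:
    """Inherent risk discounted by how well the vendor's controls assessed."""
    return round(inherent_risk(v) * (100 - v.assessment_score) / 100, 2)


def segment_vendors(vendors: list[Vendor]) -> dict[Tier, list[str]]:
    """Group vendor names by tier, preserving input order within each tier."""
    segments: dict[Tier, list[str]] = {tier: [] for tier in Tier}
    for v in vendors:
        segments[assign_tier(v)].append(v.name)
    return segments


def monitoring_cadence_days(v: Vendor) -> int:
    return MONITORING_CADENCE_DAYS[assign_tier(v)]


def replacement_candidates(vendors: list[Vendor], max_residual: float) -> list[str]:
    """Vendors above the residual-risk appetite for whom a substitute actually exists."""
    return [v.name for v in vendors
            if residual_risk(v) > max_residual and v.alternatives_available > 0]


# Constructed sample vendor population for this example.
SAMPLE_VENDORS = [
    Vendor("PayrollCo", True, True, 5, 1, 82),
    Vendor("CloudHostCo", True, True, 5, 0, 90),
    Vendor("HelpdeskSaaS", True, True, 2, 4, 70),
    Vendor("MarketingAgency", False, True, 2, 3, 35),
    Vendor("LogisticsCo", False, False, 4, 2, 55),
    Vendor("OfficeSupplyCo", False, False, 1, 5, 40),
]


if __name__ == "__main__":
    for tier, names in segment_vendors(SAMPLE_VENDORS).items():
        print(f"{tier.name:8} every {MONITORING_CADENCE_DAYS[tier]:3} days: {names}")
    print("replacement review:", replacement_candidates(SAMPLE_VENDORS, max_residual=4.0))
```

Note that a high-inherent-risk vendor with a strong assessment (PayrollCo) is not flagged for replacement, while a modest-risk vendor with a poor assessment and several alternatives (MarketingAgency) is; the tier drives how often you look, and the residual score drives what you do about what you find.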
At Venture Lynk Risk Management, we make your risk our priority. Our team of risk management specialists can provide various services to supplement your vendor risk management practices or otherwise manage your third-party risks. We have experts in the fields of cybersecurity, intellectual property, operational risk, and more that are focused on delivering the highest level of service imaginable to our clients. We specialize in high-risk industries like financial services, healthcare, government, manufacturing, and distribution, but we gladly offer our services to businesses of all sizes in any industry. Contact us today for a consultation so we can work on a plan to mitigate the risks you're facing.