Organizations go to great lengths to secure their data, systems and facilities from cyber-attack. But even the most secure enterprise can fall victim to a business partner that doesn’t apply the same standards to its operations.
Indeed, a large share of cyber risk comes from third-party relationships. In a recent survey by CyberRisk Alliance Business Intelligence, 57% of respondents said they had experienced a breach or attack via their third-party providers, and almost four in 10 (39%) identified a business partner, subcontractor or IT services provider as responsible for the incident. Organizations of all sizes see an average of three attacks via third parties per year, and 79% of companies plan to invest in third-party risk management technologies.
Recently, we have seen a more relaxed approach to third-party assurance, in which organizations ask providers to demonstrate compliance with the organization's internal standards simply by answering a questionnaire.
In one case, a renowned provider suggested that its large manufacturing client adopt the provider's policies instead of its own. But companies should recognize that these policies and procedures govern how their cybersecurity is managed and operated, and that they take on added risk when they step outside their own rules to adopt another business's guidelines.
The standards that guide companies leave room for interpretation. A manufacturer with valuable intellectual property, for example, will define and apply protective measures for patents and research and development far more stringently than an organization that merely wants a higher level of information protection across a heterogeneous group of service clients.
In the example above, working through the complexity of the provider's policies and procedures was a considerable challenge for the manufacturer. Many of the policies existed only as read-only files kept for auditing purposes. We have seen client security regulations that run from 200 to 2,000 pages, but page count is no indicator of quality.
Evaluating Providers’ Procedures
Who should read and understand all this information?
A focused reader needs more than 23 hours to read 700 pages. And reading does not equal understanding; it takes two or three passes to fully grasp the content. Comparing a full set of enterprise policies and regulations with those of a provider could take 12 to 18 days.
When comparing security assessment findings between sibling companies, readers can digest no more than 50 short, easily understandable sentences an hour. Complex comparisons can require up to 125 person-days, roughly half a working year for one person. Because every sentence on one side has to be checked against every sentence on the other, doubling the length of the documents being compared quadruples the number of comparisons, and quality assurance accounts for roughly half the effort. All told, this work can carry a budget of more than $200,000.
Industry research puts the average total cost of a single breach at about $4.35 million. Much of that exposure can be reduced with a solid, shared understanding of how cybersecurity is to be managed and operated.
Aligning the Ecosystem
Organizations have come up with a number of ways to tackle the policy-review problem. Some use Adobe Acrobat and Microsoft Word to compare words or groups of words, but these tools cannot recognize semantic meaning. Others use Microsoft Excel, which requires the documents to be segmented into sentences beforehand and still cannot match a requirement that is expressed in alternative phrasing.
Businesses can dramatically improve the alignment of security protocols across the providers in a supply chain by using artificial intelligence designed to compare text semantically. Such technology can improve the quality of comparisons while saving up to 70% of the manual work in a single project, and up to 90% in repeated comparisons.
AI lets companies upload documents in digital formats or content from corporate wikis, and set similarity thresholds to reach the desired level of confidence. The threshold is a trade-off: set it too high and equivalent requirements worded differently are reported as gaps; set it too low and unrelated statements are accepted as matches, so borderline pairs still need a human reviewer. The technology makes semantic understanding of documents possible in minutes, and semantic quality comparison in hours.
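The mechanics described in the preceding paragraphs, segmenting two policies into sentences, scoring every client requirement against every provider statement, applying a confidence threshold and listing the requirements left uncovered, can be shown in a few lines. The example below is added here for illustration and is not code from the article or from ISG. Both policy excerpts are constructed, and the similarity measure is a deliberately plain lexical one (Jaccard overlap of normalized tokens with a small synonym table), not an AI model: it shows what keyword matching catches, what a little normalization adds, and what neither catches.

```python
"""Sentence-level comparison of two security policy texts (constructed example).

The similarity here is lexical, not semantic: it is the baseline that the
AI tools discussed in the article are meant to improve on.
"""
import re

# Constructed sample: a client's requirements and a provider's policy statements.
CLIENT_POLICY = """\
All remote access to production systems must use multi-factor authentication.
Security patches rated critical shall be applied within 14 days of release.
Backups of customer data must be encrypted at rest.
Access to source code repositories is reviewed every quarter.
"""

PROVIDER_POLICY = """\
Two-factor authentication is required for every remote connection to the production environment.
Critical vulnerabilities are remediated no later than two weeks after a fix is published.
Customer data backups are stored in encrypted form.
"""

# Function words and modal verbs that carry no control content.
STOPWORDS = {
    "a", "all", "an", "and", "are", "at", "be", "by", "every", "for", "in",
    "is", "must", "no", "of", "or", "required", "shall", "than", "the", "to",
    "with", "within",
}

# Constructed synonym table mapping surface forms to one canonical token.
# This hand-built folding is the part a semantic model would replace.
SYNONYMS = {
    "multi-factor": "mfa", "two-factor": "mfa", "2fa": "mfa",
    "connection": "access", "connections": "access",
    "systems": "system",
    "patches": "patch", "fix": "patch",
    "remediated": "applied", "patched": "applied",
}

_TOKEN = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def split_sentences(text):
    """Segment a policy text into sentences (the step Excel-based reviews do by hand)."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def normalise(sentence, use_synonyms=True):
    """Lower-case, tokenise, optionally fold synonyms, drop stopwords; return a token set."""
    tokens = _TOKEN.findall(sentence.lower())
    if use_synonyms:
        tokens = [SYNONYMS.get(t, t) for t in tokens]
    return frozenset(t for t in tokens if t not in STOPWORDS)


def jaccard(a, b):
    """Overlap of two token sets, from 0.0 (nothing shared) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare_policies(client_text, provider_text, threshold=0.5, use_synonyms=True):
    """Score every client requirement against every provider statement.

    Work grows with len(client) * len(provider) pairs, which is why doubling
    the length of both documents quadruples the comparisons. Returns one record
    per client requirement: its best-scoring provider statement, the score, and
    whether that score clears the confidence threshold.
    """
    provider = [(s, normalise(s, use_synonyms)) for s in split_sentences(provider_text)]
    report = []
    for req in split_sentences(client_text):
        req_tokens = normalise(req, use_synonyms)
        best_sentence, best_score = None, 0.0
        for sentence, tokens in provider:
            score = jaccard(req_tokens, tokens)
            if score > best_score:
                best_sentence, best_score = sentence, score
        report.append({
            "requirement": req,
            "best_match": best_sentence,
            "score": round(best_score, 3),
            "covered": best_score >= threshold,
        })
    return report


def uncovered(report):
    """Client requirements with no provider statement above the threshold."""
    return [r["requirement"] for r in report if not r["covered"]]


if __name__ == "__main__":
    for label, flag in (("keyword matching", False), ("with synonym folding", True)):
        report = compare_policies(CLIENT_POLICY, PROVIDER_POLICY, use_synonyms=flag)
        print(f"{label}: {len(report) - len(uncovered(report))}/{len(report)} requirements covered")
        for r in report:
            print(f"  {r['score']:.3f} {'OK ' if r['covered'] else 'GAP'} {r['requirement']}")
```

Run stand-alone, the script reports one covered requirement out of four under plain keyword matching and two with synonym folding: folding "two-factor" onto "multi-factor" and "connection" onto "access" lifts the remote-access pair above the 0.5 threshold, while the patching requirement stays a reported gap because nothing lexical links "14 days" to "two weeks". That second case is the kind of equivalence only a semantic comparison, or a reviewer, resolves, and the source-code review requirement is a genuine gap either way.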
Managing cybersecurity risk is a critical function within supplier ecosystems. With a large share of cyber threats arriving through third-party relationships, companies must compare their policies against those of their providers quickly and thoroughly. New AI text-review capabilities not only cut the burden of that task substantially, but, when accompanied by consultative support, can make the difference between a cyber-secure relationship and a risky one.
Roger Albrecht is a partner with ISG, and co-lead of ISG Global Cybersecurity.