Organisations once concerned with merely managing third parties are now working in a vast new risk-charged world — managing fourth, fifth and even sixth parties. These parties include a mix of cloud and IT providers, partners and affiliates that define today’s modern extended enterprise. Dani Michaux, EMA Cyber leader, explains.

Unlocking new ways to enhance supply chain capabilities and security in the digital era will likely spell the difference between success and failure. In The extended enterprise — securing the future, we examine today’s challenges and the emerging solutions that promise to help businesses implement modern supplier ecosystems that: reduce risk, build trust, improve privacy, drive ongoing innovation and manage compliance.

Managing security risk

As challenging as it is today, identifying ecosystem risk is critical to understanding the potential threat to your organisation. Clarity on the following is critical:

  1. Your organisation’s place in the ecosystem - The first step in the risk management process is understanding where your organisation is situated within the ecosystem. The organisation must understand its internal and external environments and determine its mission-critical information assets, where they exist and how they flow across this system. This will enable a risk-based approach that’s solidly focused on protecting all critical information.
  2. Data sharing - With threats and risks in this model being significantly different, one supplier’s impact on clients, upstream or downstream, can now mean a loss of service, integrity or data. These data supply chain dependencies mean we need to thoroughly understand connectivity, data sharing and relationships with every ecosystem partner. This includes understanding the ongoing level of data sharing between businesses and suppliers. Smart ecosystem stakeholders are now having deeper conversations about fourth parties and concentration risk, for example.
  3. Cloud security - The ongoing migration to cloud services, which has been dramatically accelerated in response to the pandemic’s disruptive impact, also increases the potential for internal and external threats. Attacks compromising business email, for example, can now more easily invade clients and suppliers. But the shift to cloud infrastructure has put businesses in an unusual position. The ability to gain assurance of major cloud providers’ security architecture remains limited, yet business users are accountable for lost or compromised data if cloud services are breached. In general, the cloud has modified the risk landscape in the supply chain and is forcing businesses to be creative in their methods to gain assurance or re-evaluate their risk appetite. Given the proliferation of cloud hyperscale providers, the issue of cloud security risk may be something that only a regulator can address at a systemic level.
  4. Intersection of risks - In addition to cyber and data risk, organisations are looking more closely at the intersection of several different types of risk in the ecosystem. For instance, does weak financial resilience potentially indicate future cyber risk? Advanced analytics and machine learning models are starting to identify such potential risk scenarios and reveal significant potential issues downstream. As risk models, better access to ecosystem data and improved technology become part of the third party security toolkit, management will enhance their risk visibility and their ability to make cyber risk-enabled decisions.

Data security & privacy: Let’s make smarter choices

While innovation and collaboration influence our ability to secure the ecosystem, consumer data’s vastly increased flow and accessibility are also creating significant new privacy challenges. Under a growing number of regulations across the globe — Europe’s GDPR, California’s Consumer Privacy Act, Brazil’s LGPD, to name a few — consumers and in some cases employees have gained legal rights to increased visibility, transparency and control of data that companies have collected or purchased. Meanwhile, the EU Court of Justice’s recent Schrems II case ruling will likely have a major impact on the transfer of personal data between the EU and the US.

From a consumer perspective, privacy advocates and laypeople alike are being enabled to make better choices about the companies they deal with and how effectively their data is being managed. From a corporate standpoint, timely and accurate fulfilment of such rights, especially at scale, has proven tremendously difficult. This is largely driven by two factors.

It's extremely difficult

Proactively building and maintaining a program and systems to manage and secure personal data across a large, complex ecosystem that encompasses a wide array of suppliers and stakeholders can be extremely difficult. For many industries, we have seen limited progress on enhancing visibility of personal data, or on data subject rights request fulfilment. However, with the continued global emergence of privacy and data protection regulations, now may be an ideal time to ‘bite the bullet’ and build a best-in-class data management and protection program.

Culture & policy

Cultural norms, in some cases enforced by policy, have only exacerbated the problem. Take, for example, data retention practices. In the era of cheap data storage, many companies still suggest or require that employees retain business records perpetually, regardless of business circumstances. Setting aside legal discovery concerns, the volume of data this approach generates makes creating an inventory to support data subject rights requests (DSRs) next to impossible.

Working together to evolve

We need to consider methodologies that can better scope assessments, provide more continuous data and monitor those controls that are critical to the proper functioning of the service. However, KPMG's Third party Risk Management Outlook 2020 report identified that only 26 percent of businesses believe they have all the data needed to carry out required assessments. In addition, 37 percent of respondents cited technical barriers, such as incompatible systems, as obstacles to sharing third party data across the enterprise.

By working together, building a risk management, regulatory, privacy, resilience and technology framework, we can continue to evolve our ecosystems and reduce risk. We look forward to a new reality that allows much-needed innovation and progress to move at the speed of business.

How we can help

Our global organisation of cyber security professionals offers a multidisciplinary view of risk. We help you carry security throughout your organisation, so you can anticipate tomorrow, move faster and get an edge with secure and trusted technology.

Get in touch

If you're interested in understanding ecosystem risk in your business, please contact Dani Michaux of our Cyber team. We'd be delighted to hear from you.