Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Strengthen Security to Mitigate Third-Party Risks

Headshot of Matt Twells with blog title


In an interconnected digital environment, third-party risks can compromise even the most robust security programs. With the upsurge of artificial intelligence (AI), the risk to organizations has significantly increased. According to Microsoft’s latest report, employees struggling to keep pace with the volume of work are turning to AI, some ahead of their company policy, to help increase productivity and effectiveness – this includes cybersecurity professionals who are evaluating the benefits AI can bring to their role.

Based on this trend, companies are inundated with reviews of their security strategies to defend against this increase in risk and ensure they have a solid security strategy. Building an effective security strategy that addresses these external vulnerabilities requires a return to the basics: understanding the tools and processes that not only solve immediate problems but also fortify defenses against third-party threats. 

In Bishop Fox’s recent webcast, “Mitigate Third-Party Risks by Strengthening Security Foundations,” special guest Anirban Banerjee, CEO and co-founder of partner Riscosity, and I explore critical considerations for developing a security program that prioritizes third-party risk reduction.

Explore the webcast highlights in this blog, and don’t miss the opportunity to view it on demand.

Fundamentals of Risk Management

It is more important now than ever to focus on your security posture and managing business risk. When it comes to making sure you’ve covered the basics, Banerjee likens this to a layered cake. By having each component just right for ultimate success, you must look at your: people, process, data, and tools.

  • People – Your people are your most important assets, and they are the base of your cake. From a security posture, you need to make sure everyone has the correct access. Are you using good identity hygiene and completing quarterly audits to account for staffing changes? Access is access. If someone finds it and grabs it, it’s game over and can cripple your entire business. This is a critical mistake that hackers can exploit and cause great damage. This is an important consideration for your third-party contractors as well – who have you given access to? Have you validated that they are compliant with your security standards?
  • Process – Reporting requirements force companies to develop security measures and procedures, but are these comprehensive enough to include what your business looks like today? For instance, have you updated your documents to reflect your company’s recent adoption of cloud? Moreover, have you tested your processes, or do you have a security response plan in a dusty binder? (More on this later in this blog.) Do you have a robust process for third parties you work with on how they onboard and use your data?
  • Data – Data can be divided into two categories: data at rest (where is it stored) and data in motion (data being transferred from one place to another). Obviously, this is a significant part of an overall security strategy, which we will not cover in depth in this blog. However, it is important to understand your overall data strategy and how you are implementing it. Also, as you store your data into third party systems, how are you validating that they have robust security measures to limit access to the right individuals, protect it from unauthorized access, and that the data coming into your system meets your company standards?
  • Tools – Tools are technology investments that support your overall risk management program. Don’t get caught up in the hype for more technology; understand the basics to ensure you are protecting your data and adhering to your processes.

AI Can’t Be Your Security Strategy

Every year, cybersecurity vendors come out with newer tools to address niche components. Companies continue to invest in one tool after another, chasing the promised outcomes, only to realize that the tools introduce new security risks or don’t fully deliver on their promises.

In our current environment, AI-enabled cybersecurity solutions are being sold as the magic bullet that will solve all your security issues. The truth is that AI is in a hype cycle. It is yet another category of tools on which companies will overload. Before you invest in yet another tool, albeit AI-enabled, you need to build or re-evaluate your overall security strategy.

Think of your business like a car. If the goal is to soup up your car so that you can go off-roading and you decide to replace your car’s engine to make it go faster, you’ve now got a faster car, but you still can’t go off-road without the right tires. Like the car analogy, you can load up on AI-enabled tools for all the benefits they provide, but it will add a layer of additional complexity without fully addressing your original problem.

Building / Re-Evaluating Your Security Strategy

As the foundation of your strategy, you’ve got to go back to the basics. I liken this to eating your vegetables. With the threat landscape as active as it is, everyone can benefit from re-evaluating their overall security strategy. It is not as exciting as implementing a flashy AI tool, but the basics are crucial for building a solid defense.

The four foundational components for a robust security strategy are:

  • Visibility – How well do you know what is coming onto your network? As a foundational component, understanding who, what, where, and how traffic is traversing through your network is critical.
  • Analysis – How are you evaluating the traffic and activity within your organization? Do you have a way of reviewing anomalies and suspicious behaviors? Having a robust way of both human and technology-level evaluation is key.
  • Control – When you identify and understand that there is a potential threat in your network, are you able to stop it immediately when it is identified? Do you have a way to address the tactics, techniques, and procedures of a threat actor - to prevent, detect early, and minimize damage or exposure to your organization?
  • Response – With security, it is not a matter of if but when an attack will take place. Have you developed an incident response plan that you and your team can activate when a security incident takes place? A robust incident response plan identifies steps to contain, remove, recover, and retroactively learn from an incident. This is a critical component to your overall security strategy.

While AI holds immense potential, remember, it's not a magic solution. Before diving in, focus on strengthening the core of your security and risk management strategies. Building a strong foundation will not only enhance your productivity but also minimize business risks. After all, a balanced approach, just like a healthy diet with both cake and vegetables, is key to long-term success.

To dive deeper into this topic about how to mitigate your third-party risks by strengthening your security strategy, watch the on-demand webcast.

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Matt Twells

About the author, Matt Twells

Senior Solutions Architect

Matthew Twells is a Senior Solutions Architect at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.

More by Matt

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.