Third-Party Risks Abound in the Digital World
Today’s retail and hospitality world is increasingly interconnected, and customers expect to shop in the digital marketplace with minimal friction. Third-party systems are a critical component of this experience and make up a growing share of customers’ interactions with our organizations. They process payments, remember preferences, showcase and deliver goods and services, and streamline the customer’s purchasing experience. The vendor and third-party system relationship brings significant benefits to customers and to retail and hospitality organizations. It can also pose very real governance and security dangers when domains and code are dropped into a site without any approval or awareness. Today’s business leaders need to fully understand what is being added to their digital properties and by whom. A closer analysis of those additions helps companies mitigate the risk while getting the most out of the third-party partners who should be there.
From social media to payment processing systems, third-party systems are supporting more and more business operations. In their work in this area, The Media Trust found that 20 years ago, 90% of the code on company websites was owned and operated in-house. Today that number has flipped: an average of 90% of website code comes from third- (or fourth-, or fifth-) parties.
This increased integration brings a host of benefits. Customers’ experiences are enhanced by familiar settings, faster checkouts and the ease of saved payment preferences. Organizations’ use of third-party applications means there is less code to maintain and troubleshoot, which reduces the load on internal IT resources.
Yet the benefits of third-party integration come with drawbacks. One key concern is knowing the full extent of “nth-party” integrations on online ordering pages: a vetted third party may in turn load code from other parties of its own, and whereas the company vetted the original third party, it may not even be aware that those additional nth parties exist.
If a breach occurs, even if the fault lies with a third party, the customer will remember the brand associated with the transaction, not the cause. People remember British Airways and Equifax, not the component or vendor at the root of the incident.
The loss of customer data is just one danger posed by third-party code. Third-party integrations also set cookies of their own, which, in this day and age of GDPR and CCPA, bring a whole host of additional privacy and compliance risks.
It is possible to significantly minimize exposure and mitigate the potential damage. A mix of proactive governance and policy decisions and the application of security and digital best practices can ensure that your organization is on firm footing in dealing with your third-party vendors.
Setting Up to Succeed
Establishing solid governance and policy around security—particularly cybersecurity—is a necessary step for any organization operating today. Assessing your third-party risk position is a critical part of this. But assessing third-party risk as it relates to your digital presence is not easy. Ask yourself:
- What third parties have access to your sites, i.e., client-side execution?
- Who else might have access through those third-parties?
- What level of digital risk is an acceptable tradeoff for the benefits delivered by third-parties?
- What standards must third-party vendors meet, and what digital asset guidelines must you enforce to ensure those standards are met?
- What best practices are peers in your and related industries applying to better manage risk and how might you capture, comprehend and apply their insights?
- How often are you checking your logs to see if other domains have been dropped onto your site?
It is critical that organizations remain aware of every nth-party integration within their digital environment. This sounds obvious, but given the complex relationships between major third-party vendors, it can be difficult to identify all the entities that participate in your customers’ interactions with you.
Identifying and vetting third-party vendors and ensuring that they meet your standards is an important first step, but your diligence must not stop there. Follow the old adage: “trust, but verify.” Your organization should continually monitor all web and mobile app code, both in-house and third-party, involved in client-side execution. Vulnerability scanning of this client-side code is not only a basic element of any security program but also often a requirement for compliance with government and industry standards.
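One concrete way to start answering the questions above (which third parties execute client-side, whether any domain has been dropped onto the site without approval, and whether the inventory is current) is to pull every externally loaded script, stylesheet and frame out of a page and diff it against the list of vendors you have actually vetted. The following is an added example, not code from the article or from RH-ISAC. The first-party hostname, the approved-vendor list and the sample page are all constructed for illustration, and the Subresource Integrity (SRI) check on cross-origin scripts is an extra control the article itself does not discuss.

```javascript
// Added example: inventory the third-party code a page loads client-side and
// diff it against an approved-vendor allowlist. Not from the original article.
// Assumptions: the page HTML has already been fetched and is passed in as a
// string; the allowlist is maintained by the organisation. Every hostname
// below is invented (.example is a reserved TLD).

const FIRST_PARTY = "shop.example.com";              // assumed own hostname
const APPROVED_THIRD_PARTIES = new Set([              // assumed vetted vendors
  "cdn.paymentvendor.example",
  "static.analyticsvendor.example",
]);

// Constructed sample page: one first-party script, two approved vendors (one
// with SRI, one without), an unreviewed stylesheet CDN, an ad iframe, and a
// protocol-relative tracker script nobody approved.
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.paymentvendor.example/v3/pay.js" integrity="sha384-abc"></script>
<script src="https://static.analyticsvendor.example/tag.js"></script>
<link rel="stylesheet" href="https://fonts.unknowncdn.example/style.css">
</head><body>
<iframe src="https://ads.unknownnetwork.example/slot?id=1"></iframe>
<script src="//tracker.unknownpartner.example/pixel.js"></script>
</body></html>`;

// Pull every external resource reference out of <script>, <iframe> and
// stylesheet <link> tags. A regex is enough for a static inventory pass; a
// production scanner should use a real HTML parser and also observe scripts
// injected at runtime, which never appear in the served markup.
function extractResources(html) {
  const tagRe = /<(script|iframe|link)\b([^>]*)>/gi;
  const attrRe = /\b(src|href|integrity|rel)\s*=\s*["']([^"']*)["']/gi;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = {};
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    const ref = tag === "link" ? attrs.href : attrs.src;
    if (!ref) continue;                                   // inline script etc.
    if (tag === "link" && !/stylesheet/i.test(attrs.rel || "")) continue;
    out.push({ tag, ref, integrity: attrs.integrity || null });
  }
  return out;
}

// Resolve the reference against the first-party origin (handles relative and
// protocol-relative URLs) and classify the host it actually loads from.
function classify(resource) {
  const host = new URL(resource.ref, `https://${FIRST_PARTY}/`).hostname;
  let status;
  if (host === FIRST_PARTY) status = "first-party";
  else if (APPROVED_THIRD_PARTIES.has(host)) status = "approved";
  else status = "unapproved";
  // Cross-origin scripts without an integrity attribute can be swapped out
  // upstream without any change on your side.
  const missingSri = resource.tag === "script" && status !== "first-party" && !resource.integrity;
  return { ...resource, host, status, missingSri };
}

// Build the report: every resource, the hosts no one approved, and the
// cross-origin scripts that are not pinned with SRI.
function inventory(html) {
  const items = extractResources(html).map(classify);
  return {
    items,
    unapprovedHosts: [...new Set(items.filter(i => i.status === "unapproved").map(i => i.host))],
    scriptsMissingSri: items.filter(i => i.missingSri).map(i => i.host),
  };
}

const report = inventory(SAMPLE_HTML);
for (const i of report.items) {
  console.log(`${i.status.padEnd(12)} ${i.tag.padEnd(6)} ${i.host}${i.missingSri ? "  (no SRI)" : ""}`);
}
console.log("Unapproved domains:", report.unapprovedHosts.join(", "));
```

Run this against a fresh fetch of each checkout and login page on a schedule and alert on any host that is not first-party or on the allowlist; a new hostname in `unapprovedHosts` is exactly the “domain dropped onto your site” the checklist above asks about. Because the pass is static, pair it with a Content-Security-Policy in report-only mode so that scripts added at runtime by an approved vendor (the nth-party case) also surface in your logs.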
Third-party vendors can pose risks. Evaluating and managing those risks allows organizations to maximize the benefits of third-party integrations with eyes wide open to the potential downsides. It’s up to business AND security leaders to understand this balance of risk vs. benefit, and to take the steps necessary to ensure that appropriate digital security best practices are in place. In so doing, you can offer customers the best of both worlds: the benefits of an efficient digital transactional experience and the protections of best-practice security and governance.
About the Author
Carlos Kizzee is Vice President of Intelligence, Retail & Hospitality ISAC. The RH-ISAC was formed in 2014 as the home of the Retail and Hospitality Information Sharing and Analysis Center (ISAC) and operates as a central hub for sharing sector-specific cyber security information and intelligence.